hono-security
Install: claude install-skill hlsitechio/claude-skills-security
# Hono Security Audit
Audit Hono apps. Hono is a small, fast framework targeting Workers/Bun/Deno/Node/Lambda — each runtime has its own security context.
## When this skill applies
- Reviewing Hono route handlers and middleware
- Auditing JWT and auth helpers
- Reviewing env bindings across runtimes
- Checking CORS and helmet-equivalent (secure headers) setup
- Confirming runtime-specific concerns (Workers, Lambda, etc.)
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
# Confirm Hono is a dependency and see where it is imported
grep -E '"hono":' package.json
grep -rnE 'import.*hono' src/ | head -5
# Detect runtime
grep -E '"wrangler"|"@cloudflare/workers-types"' package.json && echo "Cloudflare Workers"
grep -E '"@types/bun"|"bun"' package.json && echo "Bun"
grep -E '"@types/aws-lambda"' package.json && echo "AWS Lambda"
```
### Phase 2: Inventory
```bash
# Routes and handlers
grep -rnE 'app\.(get|post|put|delete|use)' src/ | head -50
# Middleware imports (alternation needs -E; in basic grep the parentheses and | are literal)
grep -rnE 'from .hono/(jwt|cors|csrf|secure-headers|logger|cache)' src/
# Env access
grep -rn 'c\.env\.' src/
# Variables (per-request context)
grep -rnE 'c\.(set|var)' src/
```
### Phase 3: Detection — the checks
#### Middleware setup
- **HNO-MW-1** `secureHeaders()` middleware from `hono/secure-headers` applied — Hono's equivalent of helmet.
- **HNO-MW-2** `cors()` from `hono/cors` configured with specific `origin` allowlist, not `*` for credentialed requests.
- **HNO-MW-3** `logger()` middleware doesn't log sensitive headers/bodies.
- **HNO-M
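To make HNO-MW-1 to HNO-MW-3 mechanical during Phase 3, here is an added example (not part of this skill, and not Hono's own code): a heuristic checker that runs the three middleware checks over Hono source text, with constructed weak and hardened sample files. The regexes, finding format and sample apps are assumptions; this is a grep-grade pass, not a parser.

```typescript
type Finding = { id: string; detail: string };
// Hono's cors() treats an omitted origin as "*"; an explicit "*" is the same thing.
const WILDCARD_ORIGIN = /origin\s*:\s*['"]\*['"]/;
// A log call on the same line as an auth header, a cookie, or the whole request body.
const SENSITIVE_LOG = /(console\.(log|info|debug)|logger\()[^\n]*(authorization|cookie|c\.req\.raw\.headers|c\.req\.json\(\))/i;
function auditHonoMiddleware(source: string): Finding[] {
  const findings: Finding[] = [];
  // HNO-MW-1: secureHeaders imported from hono/secure-headers and mounted with use().
  const importsSecure = /from\s+['"]hono\/secure-headers['"]/.test(source);
  const mountsSecure = /\.use\([^)]*secureHeaders\(/.test(source);
  if (!importsSecure || !mountsSecure) {
    findings.push({ id: 'HNO-MW-1', detail: 'secureHeaders() not applied' });
  }
  // HNO-MW-2: cors({...}) with credentials: true needs an explicit origin allowlist.
  // Heuristic: the options literal is assumed to contain no nested braces.
  const corsCall = /cors\(\s*(\{[\s\S]*?\})?\s*\)/g;
  let m: RegExpExecArray | null;
  while ((m = corsCall.exec(source)) !== null) {
    const opts = m[1] || '';
    const credentialed = /credentials\s*:\s*true/.test(opts);
    const wildcard = !/origin\s*:/.test(opts) || WILDCARD_ORIGIN.test(opts);
    if (credentialed && wildcard) {
      findings.push({ id: 'HNO-MW-2', detail: 'cors() sends credentials to any origin' });
    }
  }
  // HNO-MW-3: report each log line that touches auth headers, cookies or the raw body.
  for (const line of source.split('\n')) {
    if (SENSITIVE_LOG.test(line)) {
      findings.push({ id: 'HNO-MW-3', detail: 'sensitive data logged: ' + line.trim() });
    }
  }
  return findings;
}
// Constructed sample (not a real project): a handler file that fails all three checks.
const WEAK_APP = [
  "import { Hono } from 'hono'",
  "import { cors } from 'hono/cors'",
  "const app = new Hono()",
  "app.use('*', cors({ credentials: true }))",
  "app.post('/login', async (c) => {",
  "  console.log('login attempt', await c.req.json())",
  "  return c.json({ ok: true })",
  "})",
].join('\n');
// Constructed sample: the same file with secureHeaders(), an origin allowlist and a quiet log.
const HARDENED_APP = WEAK_APP
  .replace("import { cors } from 'hono/cors'", "import { cors } from 'hono/cors'\nimport { secureHeaders } from 'hono/secure-headers'")
  .replace("app.use('*', cors({ credentials: true }))", "app.use('*', secureHeaders())\napp.use('*', cors({ origin: ['https://app.example.com'], credentials: true }))")
  .replace("console.log('login attempt', await c.req.json())", "console.log('login attempt')");
```

Run `auditHonoMiddleware` over each file surfaced by the Phase 2 inventory; the weak sample yields one finding per check and the hardened sample none.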