web-platform-security (listed)

Audit browser-enforced security primitives every web app depends on: CORS, Content Security Policy (CSP with nonces and Trusted Types), cross-origin isolation (COOP/COEP/CORP), modern cookies (SameSite, __Host- prefix, CHIPS Partitioned), Permissions-Policy, Subresource Integrity, HSTS, Referrer-Policy, iframe sandboxing, postMessage origin checks, Private Network Access (PNA), WebAuthn/Passkeys, and FedCM. Sourced from web.dev, developer.chrome.com, and the Fetch/HTML/Cookies/WebAuthn specs. Use when the user asks about security headers, CORS, CSP design, secure cookies, cross-origin isolation, SharedArrayBuffer requirements, clickjacking, mixed content, HSTS preload, sandboxed iframes, passkeys, FedCM, PNA, partitioned cookies, or 'audit my browser security'. Triggers: 'review my CSP', 'audit my CORS', 'are my cookies safe', 'enable cross-origin isolation', 'set up Trusted Types', 'WebAuthn integration', 'CHIPS cookies'. Use even when only one primitive is mentioned.
hlsitechio/claude-skills-security · ★ 1 · Web & Frontend · score 65
Install: claude install-skill hlsitechio/claude-skills-security
# Web Platform Security

Audit the browser-enforced security primitives that every web app depends on, regardless of framework. These are the controls the browser itself implements — getting them right makes entire vulnerability classes (XSS impact, clickjacking, CSRF, third-party data exfiltration, cross-origin data leaks) much harder to exploit.

The skill is grounded in first-party sources: web.dev articles, developer.chrome.com, the Fetch / HTML / Cookies / WebAuthn specs, and Chromium intent-to-ship records. When upstream guidance changes (e.g., Chrome rolls out Private Network Access enforcement, CHIPS partitioned cookies graduate from origin trial), this skill's checks update before the next scheduled review.

## When this skill applies

- Reviewing HTTP response headers on a deployed web app
- Designing or hardening a Content Security Policy
- Auditing cookie attributes for session, CSRF, and tracking cookies
- Enabling cross-origin isolation to use `SharedArrayBuffer`, high-resolution `performance.now()`, or `Cross-Origin-Embedder-Policy: require-corp`
- Replacing third-party-cookie SSO with FedCM
- Integrating WebAuthn / passkeys
- Preparing for Chrome's Private Network Access enforcement (preflight from public to private IPs)
- Migrating to CHIPS (Partitioned cookies) for cross-site embedded contexts

Use other skills for:

- App-layer XSS sink review → `react-security`, `vue-nuxt-security`, etc., or `saas-code-security-review`
- Framework-specific header injection