security

Solid

Enforce Elixir/Phoenix security — auth, OAuth, sessions, CSRF, XSS, SQL injection, input validation, secrets. Use when editing auth files, login flows, RBAC, or API keys.

API & Backend 437 stars 25 forks Updated today MIT

Install

View on GitHub

Quality Score: 97/100

Stars 20%

Recency 20%

100

Frontmatter 20%

Documentation 15%

100

Issue Health 10%

License 10%

100

Description 5%

100

Skill Content

# Elixir/Phoenix Security Reference Quick reference for security patterns in Elixir/Phoenix. ## Iron Laws — Never Violate These 1. **VALIDATE AT BOUNDARIES** — Never trust client input. All data through changesets 2. **NEVER INTERPOLATE USER INPUT** — Use Ecto's `^` operator, never string interpolation 3. **NO String.to_atom WITH USER INPUT** — Atom exhaustion DoS. Use `to_existing_atom/1` 4. **AUTHORIZE EVERYWHERE** — Check in contexts AND re-validate in LiveView events 5. **ESCAPE BY DEFAULT** — Never use `raw/1` with untrusted content 6. **SECRETS NEVER IN CODE** �� All secrets in `runtime.exs` from env vars ## Quick Patterns ### Timing-Safe Authentication ```elixir def authenticate(email, password) do user = Repo.get_by(User, email: email) cond do user && Argon2.verify_pass(password, user.hashed_password) -> {:ok, user} user -> {:error, :invalid_credentials} true -> Argon2.no_user_verify() # Timing attack prevention {:error, :invalid_credentials} end end ``` ### LiveView Authorization (CRITICAL) ```elixir # RE-AUTHORIZE IN EVERY EVENT HANDLER def handle_event("delete", %{"id" => id}, socket) do post = Blog.get_post!(id) # Don't trust that mount authorized this action! with :ok <- Bodyguard.permit(Blog, :delete_post, socket.assigns.current_user, post) do Blog.delete_post(post) {:noreply, stream_delete(socket, :posts, post)} else _ -> {:noreply, put_flash(socket, :error, "Unauthorized")} end end ```...

Details

Author: oliver-kriska
Repository: oliver-kriska/claude-elixir-phoenix
Created: 4 months ago
Last Updated: today
Language: Python
License: MIT

Integrates with

Model Context Protocol · AI

Similar Skills

Semantically similar based on skill content — not just same category

Code & Development Listed

principle-security

Security design principles — trust boundaries and input validation, authentication vs authorization, secrets handling, secure defaults and defense in depth, lightweight threat modeling, cryptography hygiene, attack-surface minimization. Auto-load when designing auth, discussing authn or authz, handling secrets, defining trust boundaries, validating untrusted input, considering SSRF or CSRF, choosing session or JWT mechanics, configuring TLS, picking an encryption primitive, or weighing least-privilege trade-offs.

2 Updated today

lugassawan

API & Backend Listed

security-patterns

Security checklist covering XSS, injection, authentication, authorization, sessions, CSRF, CSP, secrets, dependency CVEs, input validation, and severity calls. Use whenever the project includes auth code, session handling, environment variable reads, user input handling, route handlers, server actions, middleware, or external API calls, OR the user asks about security, hardening, vulnerabilities, auth, authentication, authorization, sessions, cookies, XSS, CSRF, SQL injection, secrets, environment variables, CSP, headers, or reviews changes that touch user input, auth, or external data, even if "security" is not mentioned by name.

0 Updated today

ku5ic

AI & Automation Listed

security

Use for security, auth, secrets, crypto, input validation, dependency risk, and trust boundaries.

1 Updated 6 days ago

kreek