
security-checklisted

Focused security review — secrets, injection, auth, dependencies, OWASP Top 10. Use as a dedicated security lens separate from general code review. Maps to H1 (Be Proactive — prevent security incidents, don't react to them).
pitimon/8-habit-ai-dev · ★ 3 · Code & Development · score 77
Install: claude install-skill pitimon/8-habit-ai-dev
# Security Check

**Habit**: H1 — Be Proactive | **Anti-pattern**: Bundling security into general code review, where it competes for attention

## Why a Separate Skill

Cognitive load research confirms: reviewing for 5 concerns simultaneously degrades all of them. Security deserves its own focused lens — the Security Champions model (Shopify, Atlassian) outperforms bundled review.

## Process

1. **Get the scope**: `git diff --name-only` or the files/directory specified.
2. **Auth & Access Control** (CRITICAL):
   - [ ] New endpoints require auth (unless explicitly public)
   - [ ] Access control uses role/permission checks, not just "is logged in"
   - [ ] No privilege escalation paths (user A accessing user B's data)
   - Verify: search for auth middleware and protect guards in changed files
3. **Secrets & Credentials** (CRITICAL):
   - [ ] No hardcoded keys, tokens, or credentials in source code
   - [ ] Secrets loaded from environment variables
   - [ ] No secrets in comments, logs, or error messages
   - Verify: use the Grep tool to search for secret patterns in changed files
4. **Input Handling** (HIGH):
   - [ ] All user input validated (type, length, format)
   - [ ] Database queries use parameterized statements (no string interpolation)
   - [ ] HTML output escaped (XSS prevention)
   - [ ] File uploads validated (type, size, content)
   - Verify: search for innerHTML, dangerouslySetInnerHTML, exec(), eval()
5. **Data Protection** (HIGH):
   - [ ] Se
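As an added example, not code from the skill or from the pitimon/8-habit-ai-dev project, the following Python script performs the "Verify" step of checklist items 3 and 4 over the scope from step 1: it greps changed files for hardcoded-secret patterns and for the dangerous sinks the checklist names, tagging each hit with the checklist's severity. The pattern set and the sample changed files are my own assumptions, constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Step 3 "Verify": secret patterns to grep for in changed files (assumed set).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A literal string of 8+ chars assigned to a key/secret/token/password name.
    # Reading the value from the environment (os.environ, process.env) does
    # not match, which is exactly the checklist's preferred pattern.
    "hardcoded_assignment": re.compile(
        r"(?i)(?:key|secret|token|password|passwd)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
# Step 4 "Verify": the dangerous sinks named in the checklist.
SINK_PATTERNS = {
    "innerHTML": re.compile(r"\.innerHTML\s*="),
    "dangerouslySetInnerHTML": re.compile(r"dangerouslySetInnerHTML"),
    "exec_call": re.compile(r"\bexec\s*\("),
    "eval_call": re.compile(r"\beval\s*\("),
}
# Severity follows the checklist: secrets are CRITICAL, input handling is HIGH.
CHECKS = [("CRITICAL", SECRET_PATTERNS), ("HIGH", SINK_PATTERNS)]

Finding = Tuple[str, int, str, str]  # (path, line number, severity, pattern name)

def scan_changed_files(files: Dict[str, str]) -> List[Finding]:
    """files maps path -> content for the scope from `git diff --name-only`.
    Regex hits are triage only: every finding still needs a human look."""
    findings: List[Finding] = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for severity, patterns in CHECKS:
                for name, rx in patterns.items():
                    if rx.search(line):
                        findings.append((path, lineno, severity, name))
    return findings

# Constructed sample "changed files"; the AKIA value is AWS's documented placeholder.
SAMPLE_FILES = {
    "config.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
                 'STRIPE_KEY = "sk_live_0123456789abcdef"\n',
    "widget.js": "const el = document.getElementById('out');\n"
                 "el.innerHTML = userSupplied;\n",
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    for path, lineno, severity, name in scan_changed_files(SAMPLE_FILES):
        print(f"{severity:8} {path}:{lineno} {name}")
```

The env-read line in config.py is deliberately left unflagged, so the output shows only the three real hits (two CRITICAL, one HIGH).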