Install: `claude install-skill shimyth/vibe-to-prod`
# Security Scan Skill
Automatically scans for security issues when security-sensitive code is modified.
## When to Activate
This skill should activate when:
- Changes touch authentication or authorization
- New API endpoints are added
- User input handling is modified
- Database queries are added/modified
- File upload or storage operations are added/modified
- Payment or financial operations are added/modified
## Security Checklist
### 1. Authentication & Authorization
- [ ] Auth middleware applied to protected routes
- [ ] Firebase Auth tokens properly validated
- [ ] User can only access their own data
- [ ] Admin endpoints properly restricted
### 2. Input Validation
- [ ] All user inputs validated
- [ ] Request body size limits
- [ ] File upload type/size restrictions
- [ ] Path traversal prevention
### 3. Data Protection
- [ ] No sensitive data in logs
- [ ] No secrets in code
- [ ] PII properly handled
- [ ] Signed URLs used for private files
### 4. API Security
- [ ] Rate limiting considered
- [ ] CORS properly configured
- [ ] Error messages don't leak info
- [ ] Proper HTTP status codes
### 5. Firebase/Firestore Security
- [ ] Security rules updated for new collections
- [ ] Rules tested with Firebase emulator
- [ ] No wildcard read/write rules
- [ ] Proper field-level validation
## OWASP Top 10 Quick Check
1. **Injection** - Parameterized queries?
2. **Broken Auth** - Session management secure?
3. **Sensitive Data** - Encrypted at rest/transit?
4. **XXE** - XML parsing disabled/secured?
5. *