Comprehensive application security expertise covering authentication, authorization, OWASP Top 10, and security best practices. Use when (1) Implementing authentication (JWT, OAuth2, sessions, OAuth for CLI/TUI/desktop apps), (2) Adding authorization (RBAC, ABAC, RLS with Supabase/PostgreSQL), (3) Security auditing code or infrastructure, (4) Setting up security infrastructure (headers, CORS, CSP, rate limiting), (5) Managing secrets and credentials, (6) Preventing OWASP Top 10 vulnerabilities (injection, XSS, CSRF, etc.), (7) Reviewing code for security issues, (8) Configuring secure web applications in TypeScript, Python, or Rust. Automatically triggered when working with authentication/authorization systems, security reviews, or addressing security vulnerabilities.
From devsnpx claudepluginhub aaronbassett/agent-foundry --plugin devsThis skill uses the workspace's default tool permissions.
assets/configs/python/security_middleware.pyassets/configs/rust/security_middleware.rsassets/configs/typescript/security-config.tsreferences/authentication.mdreferences/authorization.mdreferences/code-review.mdreferences/owasp-top-10.mdreferences/rate-limiting.mdreferences/secrets-management.mdreferences/security-headers.mdscripts/audit_security.shscripts/generate_jwt_keys.shSearches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.
Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.
Analyzes unfamiliar codebases to generate structured onboarding guides with architecture maps, key entry points, conventions, and starter CLAUDE.md.
Comprehensive application security guidance for TypeScript, Python, and Rust applications.
Setting up authentication:
./scripts/generate_jwt_keys.sh RS256assets/configs/Implementing authorization:
Security auditing:
./scripts/audit_security.shHardening application:
scripts/)audit_security.sh - Security audit for TypeScript, Python, and Rust projects
./scripts/audit_security.sh [project-directory]generate_jwt_keys.sh - Generate secure JWT signing keys
./scripts/generate_jwt_keys.sh [ALGORITHM] [OUTPUT_DIR]references/)authentication.md - Complete authentication guide
authorization.md - Authorization patterns and implementations
owasp-top-10.md - OWASP Top 10 prevention guide
secrets-management.md - Secrets and credentials management
security-headers.md - HTTP security headers
rate-limiting.md - Rate limiting strategies
code-review.md - Security code review checklist
assets/configs/)Ready-to-use security middleware for all supported languages:
TypeScript: assets/configs/typescript/security-config.ts
Python: assets/configs/python/security_middleware.py
Rust: assets/configs/rust/security_middleware.rs
| Method | Use When | Complexity | Best For |
|---|---|---|---|
| JWT | Stateless APIs, microservices | Medium | SPAs, mobile apps, APIs |
| Sessions | Traditional web apps | Low | Server-rendered apps |
| OAuth 2.0 | Third-party auth, SSO | High | Delegated authentication |
| API Keys | Service-to-service | Low | Internal services |
See authentication.md for detailed implementation patterns.
| Model | Use When | Complexity | Best For |
|---|---|---|---|
| RBAC | Simple role hierarchies | Low | Standard web apps |
| ABAC | Complex, dynamic policies | High | Enterprise apps |
| RLS | Multi-tenant with data isolation | Medium | SaaS applications |
| Permissions | Fine-grained control | Medium | Admin panels, APIs |
See authorization.md for implementation patterns and RLS examples.
For applications without traditional browser redirects:
Device Authorization Flow (OAuth 2.0):
Full implementation examples in authentication.md - OAuth for CLI, TUI, and Desktop Apps.
# Generate keys
./scripts/generate_jwt_keys.sh RS256 ./keys
# Review implementation patterns
# See references/authentication.md#jwt-authentication
Then implement using examples for your language (TypeScript/Python/Rust).
# Review RLS patterns
# See references/authorization.md#row-level-security-rls
Implement RLS policies for multi-tenant isolation:
# Run automated audit
./scripts/audit_security.sh
# Manual review
# 1. Check references/code-review.md checklist
# 2. Review references/owasp-top-10.md for vulnerabilities
# 3. Verify security headers with references/security-headers.md
# 4. Test rate limiting per references/rate-limiting.md
Apply security templates:
assets/configs/[language]/Implement authentication:
Add authorization:
Configure security headers:
Set up secrets management:
Review OWASP Top 10:
assets/configs/typescript/security-config.tsassets/configs/python/security_middleware.pyassets/configs/rust/security_middleware.rsWrite tests for security concerns:
// Authentication tests
it('should reject invalid credentials');
it('should rate limit login attempts');
it('should require MFA when enabled');
// Authorization tests
it('should deny unauthorized access');
it('should allow access for correct role');
it('should enforce resource ownership');
// Input validation tests
it('should prevent SQL injection');
it('should sanitize HTML input');
it('should validate file uploads');
See code-review.md for complete testing checklist.
Primary references in this skill:
External resources:
For a new secure application:
assets/configs/./scripts/audit_security.sh to verifyFor security review:
./scripts/audit_security.shFor specific security concern: