Skill

secure-code-guardian

Implements authentication/authorization, secures user input against OWASP Top 10, and hardens code with bcrypt/argon2 hashing, parameterized SQL queries, Zod validation, JWT tokens, and CORS/CSP headers.

Zod

SQL

JWT

security

authentication

npx claudepluginhub codeape-7/ai-agent-workflowgroup

Tool Access

This skill uses the workspace's default tool permissions.

Preview

1. **Threat model** — Identify attack surface and threats

Supporting Assets

references/authentication.mdreferences/input-validation.mdreferences/owasp-prevention.mdreferences/security-headers.mdreferences/xss-csrf.md

SKILL.md

Similar Skills

secure-code-guardian

8.7k

Implements authentication/authorization, secures user input, and prevents OWASP Top 10 vulnerabilities using bcrypt/argon2 hashing, parameterized SQL queries, Zod validation, JWT tokens, and CORS/CSP headers.

5 files

fullstack-dev-skills

Security Engineer

Implements security best practices across app stacks including API security, authentication/authorization, input validation, encryption, and monitoring. Covers OWASP Top 10.

2 files

daffy0208-ai-dev-standards

security

Provides OWASP Top 10 guidance and stack-agnostic principles for secure web apps. Use for code security reviews, auth/authorization implementation, secrets/API key handling, security headers, injection prevention (SQL/XSS/CSRF), and audits.

3 files1 tool

playbooks-virtuoso

Stats

Stars10

Forks2

Last CommitApr 25, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Secure Code Guardian

Core Workflow

Threat model — Identify attack surface and threats
Design — Plan security controls
Implement — Write secure code with defense in depth; see code examples below
Validate — Test security controls with explicit checkpoints (see below)
Document — Record security decisions

Validation Checkpoints

After each implementation step, verify:

Authentication: Test brute-force protection (lockout/rate limit triggers), session fixation resistance, token expiration, and invalid-credential error messages (must not leak user existence).
Authorization: Verify horizontal and vertical privilege escalation paths are blocked; test with tokens belonging to different roles/users.
Input handling: Confirm SQL injection payloads (' OR 1=1--) are rejected; confirm XSS payloads (<script>alert(1)</script>) are escaped or rejected.
Headers/CORS: Validate with a security scanner (e.g., curl -I, Mozilla Observatory) that security headers are present and CORS origin allowlist is correct.

Reference Guide

Load detailed guidance based on context:

Topic	Reference	Load When
OWASP	`references/owasp-prevention.md`	OWASP Top 10 patterns
Authentication	`references/authentication.md`	Password hashing, JWT
Input Validation	`references/input-validation.md`	Zod, SQL injection
XSS/CSRF	`references/xss-csrf.md`	XSS prevention, CSRF
Headers	`references/security-headers.md`	Helmet, rate limiting

Constraints

MUST DO

Hash passwords with bcrypt/argon2 (never MD5/SHA-1/unsalted hashes)
Use parameterized queries (never string-interpolated SQL)
Validate and sanitize all user input before use
Implement rate limiting on auth endpoints
Set security headers (CSP, HSTS, X-Frame-Options)
Log security events (failed auth, privilege escalation attempts)
Store secrets in environment variables or secret managers (never in source code)

MUST NOT DO

Store passwords in plaintext or reversibly encrypted form
Trust user input without validation
Expose sensitive data in logs or error responses
Use weak or deprecated algorithms (MD5, SHA-1, DES, ECB mode)
Hardcode secrets or credentials in code

Code Examples

Password Hashing (bcrypt)

import bcrypt from 'bcrypt';

const SALT_ROUNDS = 12; // minimum 10; 12 balances security and performance

export async function hashPassword(plaintext: string): Promise<string> {
  return bcrypt.hash(plaintext, SALT_ROUNDS);
}

export async function verifyPassword(plaintext: string, hash: string): Promise<boolean> {
  return bcrypt.compare(plaintext, hash);
}

Parameterized SQL Query (Node.js / pg)

// NEVER: `SELECT * FROM users WHERE email = '${email}'`
// ALWAYS: use positional parameters
import { Pool } from 'pg';
const pool = new Pool();

export async function getUserByEmail(email: string) {
  const { rows } = await pool.query(
    'SELECT id, email, role FROM users WHERE email = $1',
    [email]  // value passed separately — never interpolated
  );
  return rows[0] ?? null;
}

Input Validation with Zod

import { z } from 'zod';

const LoginSchema = z.object({
  email: z.string().email().max(254),
  password: z.string().min(8).max(128),
});

export function validateLoginInput(raw: unknown) {
  const result = LoginSchema.safeParse(raw);
  if (!result.success) {
    // Return generic error — never echo raw input back
    throw new Error('Invalid credentials format');
  }
  return result.data;
}

JWT Validation

import jwt from 'jsonwebtoken';

const JWT_SECRET = process.env.JWT_SECRET!; // never hardcode

export function verifyToken(token: string): jwt.JwtPayload {
  // Throws if expired, tampered, or wrong algorithm
  const payload = jwt.verify(token, JWT_SECRET, {
    algorithms: ['HS256'],   // explicitly allowlist algorithm
    issuer: 'your-app',
    audience: 'your-app',
  });
  if (typeof payload === 'string') throw new Error('Invalid token payload');
  return payload;
}

Securing an Endpoint — Full Flow

import express from 'express';
import rateLimit from 'express-rate-limit';
import helmet from 'helmet';

const app = express();
app.use(helmet()); // sets CSP, HSTS, X-Frame-Options, etc.
app.use(express.json({ limit: '10kb' })); // limit payload size

const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 10,                   // 10 attempts per window per IP
  standardHeaders: true,
  legacyHeaders: false,
});

app.post('/api/login', authLimiter, async (req, res) => {
  // 1. Validate input
  const { email, password } = validateLoginInput(req.body);

  // 2. Authenticate — parameterized query, constant-time compare
  const user = await getUserByEmail(email);
  if (!user || !(await verifyPassword(password, user.passwordHash))) {
    // Generic message — do not reveal whether email exists
    return res.status(401).json({ error: 'Invalid credentials' });
  }

  // 3. Authorize — issue scoped, short-lived token
  const token = jwt.sign(
    { sub: user.id, role: user.role },
    JWT_SECRET,
    { algorithm: 'HS256', expiresIn: '15m', issuer: 'your-app', audience: 'your-app' }
  );

  // 4. Secure response — token in httpOnly cookie, not body
  res.cookie('token', token, { httpOnly: true, secure: true, sameSite: 'strict' });
  return res.json({ message: 'Authenticated' });
});

Output Templates

When implementing security features, provide:

Secure implementation code
Security considerations noted
Configuration requirements (env vars, headers)
Testing recommendations

Knowledge Reference

OWASP Top 10, bcrypt/argon2, JWT, OAuth 2.0, OIDC, CSP, CORS, rate limiting, input validation, output encoding, encryption (AES, RSA), TLS, security headers