From claude-resources
Security-by-DESIGN discipline for feature design — threat modeling, authz/authn design, secrets management, input validation at boundaries, OWASP Top 10 awareness. Use when starting to design any feature that handles user input, authentication, authorization, stored data (especially PII or credentials), or external I/O. Trigger on any task mentioning "auth", "login", "permissions", "secrets", "tokens", "user input", "API endpoint", "threat model", or "security review". NOT the review-time checklist — that lives in `core/code-review` §4. Use this skill BEFORE code exists, to prevent issues the checklist would only catch later.
npx claudepluginhub deandum/claude-resources --plugin go-skillsThis skill uses the workspace's default tool permissions.
Security is a design discipline, not a review checklist. By the time code is in review, the important security decisions have already been made — or already missed. This skill is the design-time discipline. For the review-time checklist, see `core/code-review` §4 Security.
Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.
Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.
Guides agent creation for Claude Code plugins with file templates, frontmatter specs (name, description, model), triggering examples, system prompts, and best practices.
Security is a design discipline, not a review checklist. By the time code is in review, the important security decisions have already been made — or already missed. This skill is the design-time discipline. For the review-time checklist, see core/code-review §4 Security.
For every new feature, answer:
If you cannot answer any of these, you are not ready to implement.
The boundary is where the system meets something it does not control — HTTP handlers, CLI arg parsers, message consumers, database rows loaded from external data. At the boundary:
Inside the boundary, trust the types. Revalidating everywhere is noise that hides the one place where validation was missed.
Every protected action answers two questions:
Authentication lives at the edge. Authorization lives at each protected action. Never conflate them. Never infer one from the other.
Design authorization up front:
Defense in depth: put authorization close to the data. A handler check that is bypassed by a service call is not defense.
Secrets — API keys, DB passwords, signing keys, tokens — are not config:
git rebase)Secrets come from a secrets manager or environment variables injected at runtime. Always.
When authorization fails, return as little information as possible to the caller. "Not found" is often safer than "forbidden" because it does not reveal existence.
When security events happen (failed auth, denied access, rate-limit trip), log them with enough context for forensics — but scrub PII and secrets from the log line itself.
Cycle through the current OWASP Top 10 for every new feature. Ask whether the design is vulnerable to each — not whether the code is. Design catches issues the implementation cannot.
| Shortcut | Reality |
|---|---|
| "We'll add auth later — it's internal for now." | "Internal for now" is how data breaches start. Design auth in from day one, even if the initial check is permissive. |
| "The frontend validates it, so the API doesn't have to." | The frontend is a suggestion. The API is the contract. Validate at the API. |
| "This secret is only in a config file." | Config files get committed, printed, emailed, left on laptops. Secrets go in a secrets manager. |
| "The threat model is obvious." | If it were obvious, there would be no security incidents. Write it down. |
| "Logging the request body will help debug." | It will also log the user's password when they typo into the email field. Scrub first. |