Skill

owasp

Reviews code for OWASP Top 10 vulnerabilities, input validation, auth flows, security headers, CSRF/XSS prevention, and dependency audits.

Python

Javascript

npx claudepluginhub duthaho/claudekit --plugin claudekit

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- Reviewing code for OWASP Top 10 vulnerabilities

Supporting Assets

references/owasp-top10-cheatsheet.mdreferences/patterns.mdreferences/security-headers.mdscripts/security-audit.pytemplates/security-checklist.md

SKILL.md

Similar Skills

security-review

Audits code for OWASP Top 10 vulnerabilities, auth implementations, CORS/CSRF/XSS protections, security headers, dependency risks, and clean code practices like DRY/SOLID. Use before deploy.

9 tools

dev-team-kit-fv

Security Auditing

Audits code security using OWASP Top 10 checklists for input validation, auth/authz, API security, data protection, and logging. Use for secure implementations and vulnerability reviews.

quaestor

security

Conducts security reviews using checklists and patterns for authentication, user input, secrets, API endpoints, SQL injection, XSS/CSRF, and rate limiting.

4 files6 tools

cc-best

Stats

Stars87

Forks54

Last CommitApr 24, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

OWASP Security Patterns

When to Use

Reviewing code for OWASP Top 10 vulnerabilities
Implementing input validation on user-facing endpoints
Adding security headers (CSP, HSTS, X-Frame-Options)
Preventing XSS, SQL injection, CSRF, or SSRF
Auditing authentication or authorization flows
Building endpoints that handle untrusted data
Scanning dependencies for known vulnerabilities (npm audit, pip-audit)
Detecting hardcoded secrets, API keys, or tokens in code

When NOT to Use

Infrastructure security (network, firewall, cloud IAM) — use platform-specific tools
Cryptographic algorithm selection — consult cryptography experts
Compliance frameworks (SOC 2, HIPAA) — security patterns help but don't cover audit requirements

Quick Reference

Topic	Reference	Key content
All security patterns	`references/patterns.md`	Input validation, SQL injection, XSS, CSRF, auth, headers
OWASP Top 10 cheatsheet	`references/owasp-top10-cheatsheet.md`	Quick reference for each vulnerability category
Security headers	`references/security-headers.md`	CSP, HSTS, X-Frame-Options, Referrer-Policy
Security checklist	`references/security-checklist.md`	Pre-deploy security review checklist
Security audit script	`references/security-audit.py`	Automated security scanning utility

Best Practices

Validate all input at the boundary. Use Pydantic (Python) or Zod (TypeScript) for schema validation. Never trust client-side validation alone.
Use parameterized queries exclusively. Never concatenate user input into SQL strings. Use ORM query builders or prepared statements.
Encode output based on context. HTML-encode for HTML, URL-encode for URLs, JSON-encode for JSON. No single encoding fits all contexts.
Set security headers on every response. CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
Use CSRF tokens for state-changing requests. Every POST/PUT/DELETE from a browser form needs a CSRF token.
Apply rate limiting to all public endpoints. Especially authentication, registration, and password reset.
Never expose stack traces or internal errors to clients. Return generic error messages; log details server-side.
Audit dependencies regularly. Run npm audit / pip-audit / safety check in CI.

Common Pitfalls

Relying on client-side validation only — easily bypassed with curl or browser devtools.
Using dangerouslySetInnerHTML or | safe without sanitization — XSS vector.
SQL string concatenation — even "just for this one query" is a SQL injection risk.
Missing CSRF protection on API routes — if cookies are used for auth, CSRF applies.
Overly permissive CORS — Access-Control-Allow-Origin: * with credentials is a security hole.
Logging sensitive data — passwords, tokens, and PII in logs persist in storage and backups.

Related Skills

defense-in-depth — Multi-layer validation so a single-point failure can't cause data corruption
testing — Security test patterns (input validation, authz boundaries)
devops — Container and CI hardening