From auth
Audits and hardens authentication code against security best practices. Covers credential storage, error handling, sessions, input validation, OAuth/OIDC, MFA/passkeys, rate limiting, CSRF, and HTTP headers.
npx claudepluginhub himself65/auth-spec
This skill uses the workspace's default tool permissions.
You are auditing and hardening authentication code against modern (2024-2026) security best practices.
Individual security rules are in the rules/ directory, organized by impact priority. Read rules/_sections.md for the full taxonomy, and read individual rule files for checklists and fix patterns.
Critical Impact:
- rules/credential-storage.md — Password hashing (argon2id first), HIBP breach-check, pepper, secret management
- rules/error-handling.md — User enumeration, timing attacks, status/size symmetry, stack trace leaks
High Impact:
- rules/session-security.md — Token generation, __Host-/Partitioned cookies, JWT pitfalls, session fixation, rotation on state change
- rules/input-validation.md — SQL/NoSQL injection, XSS, SSRF, open redirect, schema validation
- rules/oauth-oidc.md — Code + PKCE, state/nonce, redirect-URI allow-list, account-linking pre-takeover
- rules/mfa-passkeys.md — TOTP replay prevention, WebAuthn verification, step-up, recovery codes
- rules/token-lifecycle.md — Password reset, email verification, magic link, OTP hashing & one-time use
Medium Impact:
- rules/rate-limiting.md — Multi-dim throttling (account + IP), SMS pumping, credential stuffing
- rules/csrf-protection.md — Origin / Fetch-Metadata, double-submit, SameSite caveats, CORS pitfalls
Lower Priority:
- rules/http-security-headers.md — HSTS, nonce-CSP, COOP/COEP/CORP, Clear-Site-Data, Trusted Types
Before starting, scan the user's project to understand their stack:
- Project manifests and framework config (next.config.*, package.json, go.mod, Cargo.toml, pyproject.toml, build.gradle*, pom.xml)
Use the AskUserQuestion tool to ask the user what they want to harden. Use multiSelect: true so they can pick multiple areas at once.
Ask "Which security areas do you want to audit and harden?" with header "Security audit scope".
For each selected area, read the corresponding rule file from rules/ and review the user's code against its checklist. Report findings as:
After the audit, apply fixes directly to the code. For each fix, explain what was wrong and why the fix is necessary. Link to the relevant rule file for reference.
After applying fixes, produce a summary table:
| Area | Status | Issues Found | Fixed |
|---|---|---|---|
| Credential storage | PASS/FAIL | description | Yes/No |
| Session security | PASS/FAIL | description | Yes/No |
| OAuth / OIDC | PASS/FAIL | description | Yes/No |
| MFA & passkeys | PASS/FAIL | description | Yes/No |
| Token lifecycle | PASS/FAIL | description | Yes/No |
| ... | ... | ... | ... |
For any issues that cannot be auto-fixed (e.g., require infrastructure changes like adding Redis for rate limiting, configuring HSTS preload at the edge, registering OAuth redirect URIs with the IdP), list them as manual action items with clear instructions.
After applying fixes:
- If the code already uses SameSite=Strict and the __Host- prefix, do not loosen them.
- If a fix needs a new dependency (argon2, helmet, @simplewebauthn/server, hibp), ask the user before adding it.
- Use the framework's own security layer (helmet middleware in Express, SecurityFilterChain in Spring Boot, middleware in Go/Chi).
- A strict Content-Security-Policy can break the application. Start in report-only mode, collect violations for 1–2 weeks, then enforce.