This skill should be used when the user requests to audit, check, or improve application security by analyzing security headers, cookie configuration, RLS policies, input sanitization, rate limiting, and other security measures. It generates a comprehensive security audit report with actionable recommendations. Trigger terms include security audit, security check, harden security, security review, vulnerability check, security headers, secure cookies, input validation, rate limiting, security best practices.
Performs comprehensive security audits by analyzing headers, cookies, RLS policies, input validation, and rate limiting. Triggers on requests like "security audit" or "harden security" to generate actionable reports with fix scripts.
/plugin marketplace add hopeoverture/worldbuilding-app-skills/plugin install security-hardening-checklist@worldbuilding-app-skillsThis skill is limited to using the following tools:
To perform a comprehensive security audit and generate hardening recommendations, follow these steps systematically.
Identify the project structure and tech stack:
Use Glob to find key files:
package.json - Dependencies and scriptsnext.config.* - Next.js configurationmiddleware.ts - Middleware setupapp/**/*.{ts,tsx} - Application routes.env.example - Environment variablesIdentify authentication provider (Supabase, NextAuth, Clerk, etc.)
Identify database type (PostgreSQL, MySQL, MongoDB, etc.)
Check for security libraries (helmet, rate-limit, etc.)
Check for security headers configuration.
Use Grep to search for security headers in next.config.js/ts:
- "X-Frame-Options"
- "X-Content-Type-Options"
- "X-XSS-Protection"
- "Strict-Transport-Security"
- "Content-Security-Policy"
- "Referrer-Policy"
- "Permissions-Policy"
Consult references/security-headers.md and create configuration:
// next.config.ts
const securityHeaders = [
{
key: 'X-DNS-Prefetch-Control',
value: 'on'
},
{
key: 'Strict-Transport-Security',
value: 'max-age=63072000; includeSubDomains; preload'
},
{
key: 'X-Frame-Options',
value: 'SAMEORIGIN'
},
{
key: 'X-Content-Type-Options',
value: 'nosniff'
},
{
key: 'X-XSS-Protection',
value: '1; mode=block'
},
{
key: 'Referrer-Policy',
value: 'strict-origin-when-cross-origin'
},
{
key: 'Permissions-Policy',
value: 'camera=(), microphone=(), geolocation=()'
}
]
const nextConfig = {
async headers() {
return [
{
source: '/:path*',
headers: securityHeaders,
},
]
},
}
Check cookie configuration for auth and session management.
Use Grep to search for cookie operations:
- "setCookie"
- "cookies().set"
- "document.cookie"
- "res.cookie"
Check for:
httpOnly: true - Prevents JavaScript accesssecure: true - HTTPS onlysameSite: 'strict' or 'lax' - CSRF protection// lib/cookies.ts
import { cookies } from 'next/headers'
export function setSecureCookie(
name: string,
value: string,
maxAge: number = 3600
) {
cookies().set(name, value, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
maxAge,
path: '/',
})
}
For Supabase/PostgreSQL projects, audit Row-Level Security.
Search for migration files or schema files:
-- Check if RLS is enabled
ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;
Use Grep to find table definitions and check which lack RLS policies.
Consult references/rls-checklist.md for comprehensive checks.
Check for unsafe input handling.
Use Grep to find potential SQL injection risks:
- "`.query(`"
- "`${" (template literals in queries)
- "raw("
Search for form handlers without validation:
- "formData.get("
- "request.json()"
- "params."
Check if forms use Zod or similar validation:
- "z.object"
- "safeParse"
- "parse"
// lib/validations/common.ts
import { z } from 'zod'
// Sanitize HTML input
export const sanitizeHtml = (input: string): string => {
return input
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"')
.replace(/'/g, ''')
.replace(/\//g, '/')
}
// Common validation schemas
export const emailSchema = z.string().email()
export const urlSchema = z.string().url()
export const uuidSchema = z.string().uuid()
export const slugSchema = z.string().regex(/^[a-z0-9-]+$/)
Check for rate limiting on API routes and actions.
Search package.json for:
@upstash/ratelimitexpress-rate-limitrate-limiter-flexibleUse Glob to find all API routes:
app/api/**/route.ts
Search each for rate limiting code.
// lib/rate-limit.ts
import { Ratelimit } from '@upstash/ratelimit'
import { Redis } from '@upstash/redis'
export const authRateLimit = new Ratelimit({
redis: Redis.fromEnv(),
limiter: Ratelimit.slidingWindow(5, '1 m'),
prefix: 'ratelimit:auth',
})
export const apiRateLimit = new Ratelimit({
redis: Redis.fromEnv(),
limiter: Ratelimit.slidingWindow(100, '1 m'),
prefix: 'ratelimit:api',
})
// Usage in API route
export async function POST(request: Request) {
const ip = request.headers.get('x-forwarded-for') ?? 'unknown'
const { success } = await authRateLimit.limit(ip)
if (!success) {
return new Response('Rate limit exceeded', { status: 429 })
}
// Handle request
}
Check for exposed secrets and proper env var handling.
Verify sensitive variables are not committed:
Use Grep to find potential hardcoded secrets:
- "password.*=.*['\"]"
- "secret.*=.*['\"]"
- "api[-_]?key.*=.*['\"]"
- "token.*=.*['\"]"
Search for env vars used in client components:
- "process.env" in files with "use client"
Only NEXT_PUBLIC_* vars should be in client code.
Verify HTTPS is enforced.
Use Grep to find insecure URLs:
- "http://" (not in comments)
Look for HTTPS enforcement in middleware.
// middleware.ts
export function middleware(request: NextRequest) {
// Enforce HTTPS in production
if (
process.env.NODE_ENV === 'production' &&
request.headers.get('x-forwarded-proto') !== 'https'
) {
return NextResponse.redirect(
`https://${request.headers.get('host')}${request.nextUrl.pathname}`,
301
)
}
// Other middleware logic
}
Check CORS configuration for API routes.
Use Grep to find CORS configuration:
- "Access-Control-Allow-Origin"
- "cors("
Flag Access-Control-Allow-Origin: * in production.
// lib/cors.ts
export function setCorsHeaders(
response: NextResponse,
allowedOrigins: string[]
) {
const origin = request.headers.get('origin')
if (origin && allowedOrigins.includes(origin)) {
response.headers.set('Access-Control-Allow-Origin', origin)
response.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
response.headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization')
response.headers.set('Access-Control-Max-Age', '86400')
}
return response
}
Check for vulnerable dependencies.
npm audit --json
npm outdated
Identify packages with known security issues.
Create comprehensive security audit report using template from assets/security-report-template.md:
# Security Audit Report
**Generated**: [timestamp]
**Project**: [project name]
## Executive Summary
**Overall Security Score**: X/100
- Critical Issues: X
- High Priority: X
- Medium Priority: X
- Low Priority: X
## Critical Issues (Fix Immediately)
### 1. Missing Security Headers
**Severity**: Critical
**Impact**: Application vulnerable to XSS, clickjacking
**Fix**: Add security headers to next.config.ts
### 2. No Rate Limiting on Auth Endpoints
**Severity**: Critical
**Impact**: Vulnerable to brute force attacks
**Fix**: Implement rate limiting
[Continue for all issues...]
## Recommendations
1. Security Headers
2. Cookie Security
3. RLS Policies
4. Input Validation
5. Rate Limiting
6. HTTPS Enforcement
7. Environment Variables
8. Dependency Updates
## Implementation Checklist
- [ ] Add security headers
- [ ] Configure secure cookies
- [ ] Enable RLS on all tables
- [ ] Add input validation
- [ ] Implement rate limiting
- [ ] Enforce HTTPS
- [ ] Audit environment variables
- [ ] Update vulnerable dependencies
Create scripts to automate security improvements:
// scripts/add-security-headers.ts
// Automatically adds security headers to next.config
# scripts/enable-rls.sql
# SQL script to enable RLS on all tables
Throughout audit:
references/security-headers.md for header configurationreferences/rls-checklist.md for database securityreferences/owasp-top-10.md for common vulnerabilitiesassets/security-report-template.mdGenerate files:
reports/
security-audit-[timestamp].md
fixes/
security-headers.ts
rate-limiting.ts
input-validation.ts
scripts/
enable-rls.sql
fix-cookies.ts
Before completing audit:
When finished:
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.
Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. Use it when brand colors or style guidelines, visual formatting, or company design standards apply.
Create beautiful visual art in .png and .pdf documents using design philosophy. You should use this skill when the user asks to create a poster, piece of art, design, or other static piece. Create original visual designs, never copying existing artists' work to avoid copyright violations.