Provides security defaults for auth and sessions, OWASP Top 10 prevention strategies, HIPAA PHI handling requirements, and SOC 2 trust principles.
npx claudepluginhub iankiku/forwward-teams
Assume breach. Defense in depth. Least privilege everywhere.

Every project ships with:

| Control | Implementation |
|---|---|
| Auth | OAuth 2.0 / OIDC via Auth.js or Supabase Auth |
| Sessions | HTTP-only, Secure, SameSite=Strict cookies |
| Passwords | bcrypt/argon2, min 12 chars, no max limit |
| API auth | Bearer tokens with expiry, refresh rotation |
| CORS | Explicit allowlist, never * in production |
| HTTPS | Everywhere. No exceptions. HSTS headers. |
| CSP | Content-Security-Policy header on all pages |
| Rate limiting | Auth endpoints: 5/min. API: 100/min. Adjust per use. |
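The session, header, CORS and rate-limit rows above as framework-independent helpers. This is an added example, not code from the forwward-teams skill; the function names and the fixed-window limiter design are this example's own choices, and the 5/min and 100/min limits are the table's defaults.

```javascript
// Added example: secure defaults as small helpers (names are this example's own).

// Session cookie: HttpOnly, Secure, SameSite=Strict, short lifetime, explicit path.
function sessionCookie(name, value, maxAgeSeconds = 60 * 60) {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
  ].join('; ');
}

// Headers set on every response: HSTS plus a restrictive CSP that callers can
// extend per page but not loosen below the baseline keys they do not override.
function securityHeaders(cspDirectives = {}) {
  const csp = {
    'default-src': "'self'",
    'script-src': "'self'",
    'object-src': "'none'",
    'frame-ancestors': "'none'",
    'base-uri': "'self'",
    ...cspDirectives,
  };
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Content-Security-Policy': Object.entries(csp).map(([k, v]) => `${k} ${v}`).join('; '),
    'X-Content-Type-Options': 'nosniff',
  };
}

// CORS: explicit allowlist only. A wildcard in the allowlist is a configuration
// error and fails loudly instead of silently opening the API.
function corsOriginFor(allowlist, requestOrigin) {
  if (allowlist.includes('*')) throw new Error('CORS allowlist must not contain *');
  return allowlist.includes(requestOrigin) ? requestOrigin : null;
}

// Fixed-window rate limiter keyed by client and route class. `now` is injected
// so the behaviour is deterministic in tests.
class RateLimiter {
  constructor(limits = { auth: 5, api: 100 }, windowMs = 60_000) {
    this.limits = limits;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }
  allow(clientId, routeClass, now = Date.now()) {
    const limit = this.limits[routeClass];
    if (limit === undefined) throw new Error(`unknown route class ${routeClass}`);
    const key = `${routeClass}:${clientId}`;
    let bucket = this.buckets.get(key);
    if (!bucket || now - bucket.start >= this.windowMs) {
      bucket = { start: now, count: 0 };
      this.buckets.set(key, bucket);
    }
    if (bucket.count >= limit) return false; // over limit: caller returns 429
    bucket.count += 1;
    return true;
  }
}
```

`sessionCookie` produces the `Set-Cookie` value; `securityHeaders()` is merged into every response; `corsOriginFor` returns the value for `Access-Control-Allow-Origin` or `null` when the origin is not allowlisted.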

OWASP Top 10 prevention:

| Vulnerability | Prevention |
|---|---|
| Injection (SQL, NoSQL, OS) | Parameterized queries, ORMs, never string concat |
| Broken Auth | MFA, session timeouts, account lockout |
| Sensitive Data Exposure | Encrypt at rest + transit, minimize data collection |
| XXE | Disable external entity processing |
| Broken Access Control | Check permissions server-side on every request |
| Security Misconfiguration | Defaults off, hardened configs, no debug in prod |
| XSS | Output encoding, CSP headers, sanitize HTML |
| Insecure Deserialization | Validate and type-check all serialized data |
| Known Vulnerabilities | npm audit, pip audit, automated dependency updates |
| Insufficient Logging | Log auth events, access denied, input validation failures |
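Three rows of the table in code: parameterized queries, output encoding and server-side access control with denials logged. This is an added example, not code from the forwward-teams skill; the `sql` tag emits `$1`-style placeholders (the node-postgres convention), and the role table, records and log sink are constructed for the example.

```javascript
// Added example: injection, XSS and access-control preventions as helpers.

// Parameterized query builder: interpolated values never enter the SQL text;
// they are returned separately for the driver to bind.
function sql(strings, ...values) {
  let text = strings[0];
  values.forEach((_, i) => {
    text += `$${i + 1}` + strings[i + 1];
  });
  return { text, values };
}

// Output encoding for HTML text nodes and double/single-quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side authorization on every request. Role grants the action; ownership
// is checked as well, so one user cannot read another user's record.
// Denials are logged (the "Insufficient Logging" row). Constructed role table.
const ROLE_PERMISSIONS = {
  admin: new Set(['record:read', 'record:write', 'record:delete']),
  user: new Set(['record:read', 'record:write']),
};
const securityLog = []; // stands in for the real log sink

function authorize(principal, action, resource) {
  const roleAllows = ROLE_PERMISSIONS[principal.role]?.has(action) ?? false;
  const owns = principal.role === 'admin' || resource.ownerId === principal.id;
  const allowed = roleAllows && owns;
  if (!allowed) {
    securityLog.push({
      event: 'access_denied',
      who: principal.id,
      action,
      resource: resource.id,
      at: new Date().toISOString(),
    });
  }
  return allowed;
}
```

A hostile e-mail value such as `a' OR 1=1 --` stays in `values` and the query text keeps its `$1` placeholder, which is the whole point of the parameterized form.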

Required if handling PHI (Protected Health Information):

| Requirement | Implementation |
|---|---|
| Encryption at rest | AES-256 for databases and file storage |
| Encryption in transit | TLS 1.2+ everywhere |
| Access controls | Role-based, audit-logged, least privilege |
| Audit trail | Every PHI access logged with who, what, when |
| BAA | Business Associate Agreement with every vendor touching PHI |
| Data minimization | Collect only what's clinically necessary |
| Breach notification | 60-day notification requirement — have a plan |
| Employee training | Annual security awareness training |
PHI includes: Names, dates, phone numbers, emails, SSN, medical record numbers, device IDs, biometric data, photos, and any data that could identify a patient.

Vendor checklist:

| Trust Principle | What to Implement |
|---|---|
| Security | Access controls, encryption, firewalls, IDS |
| Availability | Uptime monitoring, incident response, backups |
| Processing Integrity | Input validation, error handling, QA |
| Confidentiality | Encryption, access logging, data classification |
| Privacy | Consent, data retention, deletion, privacy policy |

Start with: Security + Availability. Add others when customers require it.

When reviewing code for security:
npm audit / pip audit clean