From forwward-teams
Implements authentication, authorization, encryption, and compliance controls (HIPAA, SOC 2) with defense-in-depth defaults. Activates on auth, encryption, compliance, or security concerns.
How this skill is triggered — by the user, by Claude, or both
Slash command
/forwward-teams:securityThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Assume breach. Defense in depth. Least privilege everywhere.
Assume breach. Defense in depth. Least privilege everywhere.
Before advising on specific implementations, identify the project's stack (check package.json, go.mod, Gemfile, pyproject.toml, pom.xml, Cargo.toml). Security principles are universal — the libraries that implement them vary. Always recommend the idiomatic solution for the stack in use, not a JavaScript-specific one.
Every project ships with:
| Control | What to implement |
|---|---|
| Auth | OAuth 2.0 / OIDC via the standard library for your stack |
| Sessions | HTTP-only, Secure, SameSite=Strict cookies |
| Passwords | bcrypt or argon2, min 12 chars, no max limit |
| API auth | Bearer tokens with expiry, refresh token rotation |
| CORS | Explicit allowlist, never * in production |
| HTTPS | Everywhere. No exceptions. HSTS headers. |
| CSP | Content-Security-Policy header on all pages |
| Rate limiting | Auth endpoints: 5/min. API: 100/min. Adjust per use. |
| Vulnerability | Prevention |
|---|---|
| Injection (SQL, NoSQL, OS) | Parameterized queries, ORMs, never string concat |
| Broken Auth | MFA, session timeouts, account lockout |
| Sensitive Data Exposure | Encrypt at rest + transit, minimize data collection |
| XXE | Disable external entity processing |
| Broken Access Control | Check permissions server-side on every request |
| Security Misconfiguration | Defaults off, hardened configs, no debug in prod |
| XSS | Output encoding, CSP headers, sanitize HTML |
| Insecure Deserialization | Validate and type-check all serialized data |
| Known Vulnerabilities | Dependency audit tool for your stack (npm audit, pip audit, go mod tidy, bundle audit, etc.) + automated updates |
| Insufficient Logging | Log auth events, access denied, input validation failures |
Required if handling PHI (Protected Health Information):
| Requirement | Implementation |
|---|---|
| Encryption at rest | AES-256 for databases and file storage |
| Encryption in transit | TLS 1.2+ everywhere |
| Access controls | Role-based, audit-logged, least privilege |
| Audit trail | Every PHI access logged with who, what, when |
| BAA | Business Associate Agreement with every vendor touching PHI |
| Data minimization | Collect only what's clinically necessary |
| Breach notification | 60-day notification requirement — have a plan |
| Employee training | Annual security awareness training |
PHI includes: Names, dates, phone numbers, emails, SSN, medical record numbers, device IDs, biometric data, photos, and any data that could identify a patient.
Vendor checklist:
| Trust Principle | What to Implement |
|---|---|
| Security | Access controls, encryption, firewalls, IDS |
| Availability | Uptime monitoring, incident response, backups |
| Processing Integrity | Input validation, error handling, QA |
| Confidentiality | Encryption, access logging, data classification |
| Privacy | Consent, data retention, deletion, privacy policy |
Start with: Security + Availability. Add others when customers require it.
When reviewing code for security:
npx claudepluginhub iankiku/forwward-teamsRuns a 26-gate security pipeline and 7-phase HIPAA audit on any project. Auto-detects technology stack and produces a unified Markdown report.
Audits SaaS apps for vulnerabilities, implements authentication best practices with Supabase/Clerk/NextAuth, protects data via OWASP Top 10 checklists.
Checks code against OWASP Top 10, CWE, NIST, PCI-DSS, HIPAA, GDPR, and secure coding practices. Generates compliance reports with checklists and gap analysis.