From stackblitz-pack
Provides security checklist and code for StackBlitz WebContainer deployments: CSP headers, sandbox isolation, TypeScript input validation. For WebContainers or StackBlitz SDK.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin stackblitz-pack

This skill is limited to using the following tools:
Secure WebContainer deployments: CSP headers, sandbox isolation, input validation.
Installs WebContainer API and StackBlitz SDK for browser-based Node.js and project embedding. Configures COOP/COEP headers for Vite/Express servers.
Implements secure frontend coding practices for XSS prevention, output sanitization, safe DOM manipulation, CSP configuration, and client-side security patterns.
Implements secure frontend coding practices for XSS prevention, safe DOM manipulation, output sanitization with DOMPurify, CSP configuration, and client-side security code reviews.
WebContainers run inside the browser sandbox: there is no access to the host filesystem, network access is limited to HTTP, and all code executes in the user's own browser tab. Key security points:
```typescript
import type { FileSystemTree } from '@webcontainer/api';

// WebContainers are inherently sandboxed:
// - No file system access to host
// - No raw network sockets
// - Memory isolated to browser tab
// - Cross-origin isolation via COOP/COEP headers

// If users can provide code to run in WebContainer, validate the tree
// before passing it to mount(). Keys in a FileSystemTree are single path
// segments, so traversal and absolute names are rejected per key, and
// directories are walked so nested entries are checked as well.
function sanitizeFileTree(tree: FileSystemTree): FileSystemTree {
  const sanitized: FileSystemTree = {};
  for (const [name, entry] of Object.entries(tree)) {
    // Block path traversal
    if (name.includes('..') || name.startsWith('/')) continue;
    // Block sensitive files
    if (name === '.env' || name.endsWith('.key')) continue;
    // Recurse into directories so the same rules apply at every depth
    if ('directory' in entry) {
      sanitized[name] = { directory: sanitizeFileTree(entry.directory) };
    } else {
      sanitized[name] = entry;
    }
  }
  return sanitized;
}
```
```http
Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; frame-src https://*.webcontainer.io;
```
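The header above, together with the COOP/COEP pair that gives the host page cross-origin isolation, is easy to get wrong when edited by hand (dropping `'wasm-unsafe-eval'`, or widening it to `'unsafe-eval'`). The following is an added example, not code from the stackblitz-pack skill or from StackBlitz: it expresses the page's CSP as data, serializes it, checks a policy for the two requirements this page states, and emits all three headers through an Express/Connect-shaped middleware. The `require-corp` COEP value and the `checkWebContainerCsp` rules are the author's assumptions; only `setHeader()` is required of the response object, so it runs without Express installed.

```typescript
// Added example for a WebContainer host page (not part of the original skill).
// Keeps the CSP as structured data so the serialized header is reproducible.

type CspPolicy = Record<string, string[]>;

// The same policy as the header on this page, expressed as data.
const webContainerCsp: CspPolicy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'wasm-unsafe-eval'"],
  'frame-src': ['https://*.webcontainer.io'],
};

// Serialize a policy object into a Content-Security-Policy header value.
function serializeCsp(policy: CspPolicy): string {
  return (
    Object.entries(policy)
      .map(([directive, values]) => `${directive} ${values.join(' ')}`)
      .join('; ') + ';'
  );
}

// Return the problems found; an empty list means the policy satisfies the
// two requirements this page states (WebAssembly execution and the preview
// frame origin). The rule set here is an assumption of this example.
function checkWebContainerCsp(policy: CspPolicy): string[] {
  const problems: string[] = [];
  const script = policy['script-src'] ?? policy['default-src'] ?? [];
  if (!script.includes("'wasm-unsafe-eval'") && !script.includes("'unsafe-eval'")) {
    problems.push("script-src must allow 'wasm-unsafe-eval' for the WebAssembly runtime");
  }
  if (script.includes("'unsafe-eval'")) {
    problems.push("prefer 'wasm-unsafe-eval' over 'unsafe-eval', which also permits eval() of JS strings");
  }
  const frame = policy['frame-src'] ?? policy['child-src'] ?? policy['default-src'] ?? [];
  if (!frame.some((v) => v.includes('webcontainer.io'))) {
    problems.push('frame-src must allow https://*.webcontainer.io for the preview frame');
  }
  return problems;
}

// All headers the host page needs. COOP + COEP make the page
// cross-origin isolated (crossOriginIsolated === true in the browser).
function webContainerHeaders(policy: CspPolicy = webContainerCsp): Record<string, string> {
  return {
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Cross-Origin-Embedder-Policy': 'require-corp', // assumed value; 'credentialless' is the alternative
    'Content-Security-Policy': serializeCsp(policy),
  };
}

// Minimal response interface so the middleware runs without Express types.
interface HeaderSink {
  setHeader(name: string, value: string): void;
}

// Express/Connect-style middleware: app.use(securityHeadersMiddleware()).
function securityHeadersMiddleware(policy: CspPolicy = webContainerCsp) {
  const headers = webContainerHeaders(policy);
  return (_req: unknown, res: HeaderSink, next: () => void): void => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}
```

Run `checkWebContainerCsp` against any policy before deploying it; it returns a non-empty list for a policy that uses `'unsafe-eval'` or omits the preview-frame origin, and an empty list for the policy on this page.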
For production, see stackblitz-prod-checklist.