Skill

auth-security

Authentication and security patterns - JWT, OAuth, sessions, RBAC, input validation. Auto-loaded when working with auth, middleware, or security files.

npx claudepluginhub littlelingo/context-engine --plugin context-engine

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- Store JWTs in httpOnly cookies (not localStorage) for web apps

SKILL.md

Similar Skills

cache-components

139.3k

Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.

cache-components

mcp-builder

124.2k

Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).

9 files

anthropics-skills-13

canvas-design

124.2k

Generates original PNG/PDF visual art via design philosophy manifestos for posters, graphics, and static designs on user request.

20 files

anthropics-skills-13

Stats

Stars1

Forks0

Last CommitMar 29, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Authentication & Security

Token Handling

Store JWTs in httpOnly cookies (not localStorage) for web apps

Short-lived access tokens (15min), longer refresh tokens (7d)

Always validate token signature AND expiration AND issuer

Revocation: maintain a blocklist or use short-lived tokens

Password Security

bcrypt or argon2 for hashing (NEVER MD5/SHA for passwords)

Minimum 12 characters, check against breach databases

Rate-limit login attempts (5 per minute per IP)

Generic error messages: "Invalid credentials" (don't reveal which field)

Input Validation

Validate at the boundary (API entry point), not deep in business logic

Whitelist valid patterns, don't blacklist bad ones

Sanitize for the output context (HTML escape for web, parameterize for SQL)

File uploads: validate MIME type, size, and scan for malware

Authorization

Check permissions on every request, not just the first

Default deny - explicitly grant access, never implicitly allow

Server-side authorization always (client-side is for UX only)

Log all authorization failures for security monitoring

Secrets

Never commit secrets to git (use .env + .gitignore)

Use environment variables or secret managers (Vault, AWS SSM)

Rotate secrets regularly, especially after team member departures

Different secrets per environment (dev, staging, production)

OWASP Top 10 Quick Check

SQL Injection: parameterized queries always

XSS: escape output, use CSP headers

CSRF: anti-CSRF tokens for state-changing requests

Broken auth: session fixation, credential stuffing protection

SSRF: validate and restrict outbound URLs