npx claudepluginhub pknull/asha-marketplace --plugin securityThis skill uses the workspace's default tool permissions.
Comprehensive security checklist for web applications.
Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.
Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.
Checks Next.js compilation errors using a running Turbopack dev server after code edits. Fixes actionable issues before reporting complete. Replaces `next build`.
Comprehensive security checklist for web applications.
.env files in .gitignore// BAD
const apiKey = 'sk-proj-xxxxx';
// GOOD
const apiKey = process.env.OPENAI_API_KEY;
if (!apiKey) throw new Error('OPENAI_API_KEY not configured');
const userSchema = z.object({
email: z.string().email(),
name: z.string().min(1).max(100),
age: z.number().int().min(0).max(150)
});
const validated = userSchema.parse(input);
// BAD
const query = `SELECT * FROM users WHERE id = ${userId}`;
// GOOD
const query = `SELECT * FROM users WHERE id = $1`;
await db.query(query, [userId]);
// Secure cookie settings
res.cookie('session', token, {
httpOnly: true,
secure: true,
sameSite: 'strict',
maxAge: 3600000
});
// Always verify ownership
const resource = await getResource(id);
if (resource.ownerId !== currentUser.id) {
throw new ForbiddenError();
}
dangerouslySetInnerHTML with user dataimport DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userInput, {
ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a'],
ALLOWED_ATTR: ['href']
});
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // 100 requests per window
standardHeaders: true
});
// Stricter for auth
const authLimiter = rateLimit({
windowMs: 60 * 60 * 1000,
max: 5 // 5 attempts per hour
});
// BAD
res.status(500).json({ error: err.stack });
// GOOD
log.error('Database error', { error: err, userId });
res.status(500).json({ error: 'An error occurred' });
Strict-Transport-Security (HSTS)Content-Security-PolicyX-Content-Type-Options: nosniffX-Frame-Options: DENYReferrer-Policy: strict-origin-when-cross-originnpm audit / pip-audit clean| Risk | Prevention |
|---|---|
| Injection | Parameterized queries |
| Broken Auth | Strong sessions, MFA |
| Sensitive Data Exposure | Encryption, minimal data |
| XXE | Disable external entities |
| Broken Access Control | Default deny, verify ownership |
| Misconfiguration | Secure defaults, hardening |
| XSS | Output encoding, CSP |
| Insecure Deserialization | Validate before deserialize |
| Vulnerable Components | Audit, update regularly |
| Insufficient Logging | Audit trails, monitoring |
Always require re-authentication for:
| Pattern | Risk |
|---|---|
eval() with user input | Code injection |
shell=True with user input | Command injection |
| Regex from user input | ReDoS |
pickle.loads() untrusted data | Arbitrary code execution |
| JWT in localStorage | XSS token theft |
Weak random (Math.random()) | Predictable tokens |