From prodsec-skills
Reviews web application security controls against OWASP-aligned risks for server-side apps handling user input, sessions, authentication, or access control.
npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills
Slash command
/prodsec-skills:web-application-security
Guides application security reviews and implementation covering OWASP Top 10, input validation, auth, secrets management, and antipatterns.
Audits web applications and REST APIs for OWASP Top 10 vulnerabilities including broken access control, authentication failures, data protection, and configuration issues. Use when reviewing code, auth/authz, APIs, or before deployment.
| Category | Threats |
|---|---|
| Input validation | Command injection, SQL injection, Cross-Site Scripting (XSS) |
| Upload handling | Local File Inclusion (LFI), Remote File Inclusion (RFI) |
| Session management | Man-in-the-Middle (MITM), session fixation, session hijacking |
| Data exposure | Cleartext data theft, insecure storage, cache leaks |
| Authentication | Credential stuffing, brute force, account enumeration |
| Access control | Privilege escalation, IDOR, missing function-level checks |
All security controls MUST be implemented server-side. Client-side validation is a UX convenience, not a security boundary. This applies to:

- CORS: no wildcard (`*`) origins on endpoints that accept credentials
- Validating the `Origin` header server-side before reflecting it
- CSRF protection (for example, Rails `protect_from_forgery`)
- `SameSite` cookie attributes as a defense-in-depth layer
- `Cache-Control: no-store` on responses that carry sensitive data