From soundcheck
Detects security misconfigurations like permissive CORS, production debug modes, missing security headers, wildcard hosts, and default credentials in server configs and deployments.
npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck
This skill uses the workspace's default tool permissions.
Detects security misconfigurations like enabled debug modes, default credentials, missing security headers, exposed endpoints, and TLS issues using grep patterns in Python/Django/Flask, Java/Spring, PHP/Laravel, Go/Gin, Node.js apps.
Audits HTTP security headers like CSP, HSTS, X-Frame-Options; identifies permissive directives; generates secure policies for web apps on Next.js, Express, Nginx, Vercel.
Detects fail-open insecure defaults like hardcoded secrets, weak auth, permissive configs, and env fallbacks that let apps run insecurely in production. For security audits, config reviews, and pre-deployment checks.
Protects against insecure defaults, overly permissive policies, and missing hardening that expose the application to cross-origin attacks, credential stuffing, and information disclosure via error pages or debug endpoints.
- app.use(cors({ origin: "*", credentials: true })) — wildcard CORS with credentials leaks cookies to any site
- app.run(debug=True) — Flask/Django debug mode exposes interactive traceback console in production
- ALLOWED_HOSTS = ["*"] — permissive host validation in production. For hardcoded secrets, see hardcoded-secrets
- Missing Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options headers

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

- allow_credentials=true uses an explicit origin allowlist — never *, never a reflected Origin header. The wildcard-plus-credentials combination hands every site on the web cookie-authenticated access to your API; browsers block it in spec, but misconfigured middleware still ships it.
- debug=True, DEBUG, RUST_LOG=trace, and equivalent switches come from environment or config — never hardcoded True. Production-only guards (assert not app.debug) make a misconfigured deploy fail loudly.
- SecurityMiddleware, tower-http SetResponseHeaderLayer, Spring HttpSecurity.headers()) before routes. Baseline: Strict-Transport-Security, X-Content-Type-Options: nosniff, and a framing or CSP control. An upstream proxy may own these instead — but only if that ownership is documented.
- * or empty defaults. Django ALLOWED_HOSTS, trusted-origin lists, and CSRF-trusted origins are all attacker-reachable when unset.

Anchor — shape, not implementation:
app.use(cors({ origins: ALLOWED_ORIGINS, credentials: true })) # not "*"
app.use(security_headers_middleware()) # HSTS + nosniff + frame
assert env("NODE_ENV") != "production" or not DEBUG # fail loudly
Confirm the following properties hold (language-agnostic):
- *) or a reflected Origin header
- debug=True, DEBUG, RUST_LOG=trace, verbose error responders, etc.), the value is sourced from an environment variable or config and defaults to off in production
- SecurityMiddleware, Rust tower-http::set_header / SetResponseHeaderLayer, Spring HttpSecurity.headers(), etc.) is registered before routes, setting at minimum Strict-Transport-Security, X-Content-Type-Options, and a framing/CSP control — unless the code comments explicitly document that an upstream proxy owns these headers
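
The properties above, carried through as standard-library WSGI middleware in Python. This is an added example, not soundcheck's own code; the origin allowlist, the header values, the APP_ENV / APP_DEBUG variable names, and the leaky_app and probe helpers are assumptions made for illustration.

```python
import os

# Assumed for this example: the allowlist, header values, APP_ENV / APP_DEBUG names.
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})
SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
]
CORS_NAMES = {"access-control-allow-origin", "access-control-allow-credentials"}

def debug_enabled(env):
    """Debug is read from the environment and defaults to off."""
    return env.get("APP_DEBUG", "").strip().lower() in ("1", "true")

def assert_safe_startup(env=os.environ):
    """Fail loudly if a production deploy has debug switched on."""
    if env.get("APP_ENV") == "production" and debug_enabled(env):
        raise RuntimeError("refusing to start: debug enabled in production")

def hardened(app, allowed=ALLOWED_ORIGINS):
    """WSGI middleware wrapping every route: baseline headers + allowlisted CORS."""
    owned = CORS_NAMES | {name.lower() for name, _ in SECURITY_HEADERS}
    def middleware(environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        def start(status, headers, exc_info=None):
            # Drop whatever the inner app set for headers this layer owns.
            out = [(k, v) for k, v in headers if k.lower() not in owned]
            out += SECURITY_HEADERS + [("Vary", "Origin")]
            # Exact allowlist match only: never "*", never a blindly echoed Origin.
            if origin in allowed:
                out += [("Access-Control-Allow-Origin", origin),
                        ("Access-Control-Allow-Credentials", "true")]
            return start_response(status, out, exc_info)
        return app(environ, start)
    return middleware

def leaky_app(environ, start_response):
    """Constructed inner app that ships the wildcard-plus-credentials combination."""
    start_response("200 OK", [("Access-Control-Allow-Origin", "*"),
                              ("Access-Control-Allow-Credentials", "true")])
    return [b"ok"]

def probe(origin="", app=leaky_app):
    """Send one request through the hardened stack and return response headers."""
    seen = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_ORIGIN": origin}
    hardened(app)(environ, lambda status, headers, exc_info=None: seen.update(headers))
    return seen
```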