Audits SaaS apps for vulnerabilities, implements authentication best practices with Supabase/Clerk/NextAuth, protects data via OWASP Top 10 checklists.
npx claudepluginhub whawkinsiv/solo-founder-superpowers --plugin solo-founder-superpowers
Slash command: /solo-founder-superpowers:secure
**This skill is for securing your app's code and data.** For regulatory compliance (HIPAA, SOC 2, GDPR), use **compliance**. For pre-launch readiness checks, use **go-live**. For environment variable setup during deployment, use **deploy**. For database-level security (Row Level Security), use **database**.
Guides application security reviews and implementation covering OWASP Top 10, input validation, auth, secrets management, and antipatterns.
Provides a security checklist and patterns for authentication, input validation, secrets management, SQL injection prevention, and other sensitive features.
Hardens code against vulnerabilities using threat modeling (STRIDE) and security best practices. Use when handling user input, authentication, data storage, or external integrations.
Claude Code:
Run a security audit on my app. Check for:
- API keys or secrets in code (should be in .env)
- Missing auth on protected routes
- SQL injection risks
- XSS vulnerabilities
- Missing rate limiting
Fix anything you find.
Lovable / Replit / Cursor (paste into chat):
Review my app for security issues. Check these common problems:
1. Are any API keys or passwords hardcoded? Move them to environment variables.
2. Can someone access pages without logging in? Add auth checks.
3. Is user input validated before hitting the database?
4. Are passwords hashed (not stored as plain text)?
5. Is rate limiting set up on API endpoints?
Show me what needs fixing and fix it.
Security Basics:
- [ ] Authentication required for protected routes
- [ ] Passwords hashed (bcrypt/argon2), never stored plain text
- [ ] API keys in environment variables, not code
- [ ] HTTPS only in production
- [ ] Input validated on server side
- [ ] SQL injection prevented (use parameterized queries)
- [ ] XSS prevented (sanitize user input)
- [ ] CSRF tokens on forms
- [ ] Rate limiting on API endpoints
- [ ] User sessions expire (30min-1hr typical)
See COMMON-VULNS.md for detailed checks.
Move to environment variables:
Tell AI:
Store API keys in .env file, not in code.
Add .env to .gitignore.
Access via process.env.API_KEY
Use a service. Don't build this yourself.
| If you use... | Auth solution |
|---|---|
| Supabase | Supabase Auth (built in) |
| Next.js | NextAuth.js or Clerk |
| Lovable | Supabase Auth (Lovable's default) |
| Replit | Replit Auth or Supabase |
If you must build auth yourself (not recommended), the minimums are:
Tell AI:
Set up authentication using [Supabase Auth / NextAuth / Clerk].
I need: email+password signup, email verification, password reset,
and session timeout after 30 minutes of inactivity.
See SECURITY-PROMPTS.md for implementation details.
Always encrypt:
Never log:
Tell AI:
Never log sensitive data.
Replace passwords/tokens with "[REDACTED]" in logs.
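One way to implement the redaction rule above, as an added example that is not part of the skill's own files. The key-name list, the token patterns and the `safeLog` helper are assumptions to adapt to your app.

```javascript
// Added example: redact sensitive fields before anything reaches the log.
// Key names treated as sensitive (assumed list, extend for your app).
const SENSITIVE_KEY = /password|passwd|secret|token|api[-_]?key|authorization|cookie/i;
// Bearer tokens and JWT-shaped strings that appear inside free-text messages.
const TOKEN_IN_TEXT =
  /\b(Bearer\s+)[A-Za-z0-9._~+\/-]+=*|\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;

function redact(value, seen = new WeakSet()) {
  if (typeof value === "string") {
    // Keep the "Bearer " prefix so the log still shows what kind of value it was.
    return value.replace(TOKEN_IN_TEXT, (m, bearer) => (bearer || "") + "[REDACTED]");
  }
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return "[Circular]"; // repeated or circular reference
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    // Redact by key name first, then recurse into everything else.
    out[k] = SENSITIVE_KEY.test(k) ? "[REDACTED]" : redact(v, seen);
  }
  return out;
}

// Single logging entry point: callers never write raw objects to the log.
function safeLog(message, fields = {}) {
  const line = JSON.stringify({ msg: redact(message), ...redact(fields) });
  console.log(line);
  return line;
}

// Constructed sample event, not real data.
function demoLine() {
  return safeLog("login failed", {
    email: "a@example.com",
    password: "hunter2",
    headers: { Authorization: "Bearer abc.def-123" },
    note: "forwarded Bearer abc123 upstream",
  });
}
```

Key-name matching only catches secrets stored under recognisable keys, so the string patterns act as a second pass for values embedded in messages.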
Required for all API endpoints:
Tell AI:
Add to all API routes:
- Require valid auth token
- Rate limit: 100 requests/minute per IP
- Validate all inputs (reject invalid)
- Generic error messages (no stack traces to users)
Most common in AI-built apps:
See COMMON-VULNS.md for how to check.
Adding authentication:
Add authentication to this route.
Require valid JWT token.
Return 401 if missing/invalid.
Don't expose error details.
Rate limiting:
Add rate limiting:
- 100 requests/minute per IP
- Return 429 "Too many requests" if exceeded
- Use sliding window, not fixed
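The rate-limit rule in this prompt and in the API endpoint prompt earlier (100 requests/minute per IP, 429 when exceeded, sliding window), as an added example that is not part of the skill's own files. The function names and the Express-style middleware shape are assumptions; the last function shows why the prompt asks for sliding rather than fixed windows.

```javascript
// Added example: in-memory sliding-window limiter (single process only).
const LIMIT = 100;        // requests allowed per window, from the prompt above
const WINDOW_MS = 60000;  // one minute

function createSlidingWindowLimiter(limit = LIMIT, windowMs = WINDOW_MS) {
  const hits = new Map(); // ip -> timestamps (ms) of accepted requests
  return function check(ip, now = Date.now()) {
    // Keep only requests made within the last windowMs, measured from now.
    const log = (hits.get(ip) || []).filter((t) => t > now - windowMs);
    hits.set(ip, log);
    if (log.length >= limit) {
      const retryAfterSec = Math.ceil((log[0] + windowMs - now) / 1000);
      return { allowed: false, status: 429, retryAfterSec };
    }
    log.push(now);
    return { allowed: true, status: 200, remaining: limit - log.length };
  };
}

// Express-style middleware (assumes req.ip and an Express res object).
function rateLimit(check) {
  return (req, res, next) => {
    const r = check(req.ip);
    if (r.allowed) return next();
    res.set("Retry-After", String(r.retryAfterSec));
    res.status(429).json({ error: "Too many requests" });
  };
}

// Constructed traffic: 100 requests at t=59s and 100 more at t=61s from one IP.
// A fixed per-minute counter resets at t=60s and lets all 200 through.
function compareOnBoundaryBurst() {
  const sliding = createSlidingWindowLimiter();
  const fixedCounts = new Map(); // window index -> count
  let slidingOk = 0, fixedOk = 0;
  for (const t of [59000, 61000]) {
    for (let i = 0; i < LIMIT; i++) {
      if (sliding("203.0.113.7", t).allowed) slidingOk++;
      const w = Math.floor(t / WINDOW_MS);
      const n = fixedCounts.get(w) || 0;
      if (n < LIMIT) { fixedCounts.set(w, n + 1); fixedOk++; }
    }
  }
  return { slidingOk, fixedOk };
}
```

With more than one server instance the timestamps need a shared store, and behind a reverse proxy `req.ip` is only the client address if Express's `trust proxy` setting is configured.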
Input validation:
Validate all user inputs:
- Email: valid format
- Password: 8+ chars, 1 number, 1 symbol
- Username: alphanumeric only, 3-20 chars
Reject invalid input with clear error message
See SECURITY-PROMPTS.md for more.
Before deploying:
Production Security:
- [ ] All secrets in environment variables
- [ ] HTTPS enforced (no HTTP)
- [ ] Database backups configured
- [ ] Rate limiting on all APIs
- [ ] Error pages don't show stack traces
- [ ] Admin routes protected
- [ ] File uploads validated (type, size)
- [ ] CORS configured (not wildcard "*")
Signs you need expert review:
For most MVPs: Following this checklist is sufficient.
| Mistake | Fix |
|---|---|
| API keys in code | Move to .env |
| No rate limiting | Add to all endpoints |
| Plain text passwords | Use bcrypt |
| HTTP in production | Force HTTPS |
| Accepting all CORS | Whitelist domains |
| No input validation | Validate server-side |
| Detailed error messages | Generic messages only |
Easy security improvements:
Tell AI:
Add helmet.js for security headers.
Configure for production (HTTPS, CSP, XSS protection).
Quick checks:
Exposed secrets:
grep -r "api_key" src/
grep -r "password" src/
# Should only find references to env vars
No auth bypass:
Rate limiting works:
✅ No secrets in code (all in .env)
✅ Can't access protected routes without auth
✅ Passwords hashed, never stored plain text
✅ Rate limiting prevents abuse
✅ HTTPS enforced in production
✅ Input validated on server side