Security Patterns Skill

Security best practices and patterns for secure development.

See: code-examples.md for Python implementations See: templates.md for checklists and config templates

When This Activates

API key handling
User input validation
File operations
Security-sensitive code
Keywords: "security", "api key", "secret", "validate", "input"

API Keys & Secrets

Environment Variables (REQUIRED)

Rule: Never hardcode secrets. Always use environment variables via .env files.

✅ CORRECT

api_key = os.getenv("ANTHROPIC_API_KEY")

❌ WRONG

api_key = "sk-ant-1234567890abcdef" # NEVER!

See: code-examples.md#api-keys--secrets for full validation code

Input Validation

Path Traversal Prevention

Rule: Always validate paths are within allowed directories.

Use is_relative_to() to prevent ../ attacks

if not file_path.is_relative_to(base_dir): raise ValueError("Path traversal detected")

Command Injection Prevention

Rule: Never use shell=True . Pass arguments as lists.

✅ CORRECT

subprocess.run([command] + args, shell=False)

❌ WRONG

subprocess.run(f"ls {user_input}", shell=True) # Injection risk!

SQL Injection Prevention

Rule: Always use parameterized queries.

✅ CORRECT

cursor.execute("SELECT * FROM users WHERE username = ?", (username,))

❌ WRONG

cursor.execute(f"SELECT * FROM users WHERE username = '{username}'")

See: code-examples.md#input-validation for complete examples

File Operations Security

Secure Permissions

Use Case Permission Octal

Sensitive files rw-------

0o600

Sensitive dirs rwx------

0o700

Public files rw-r--r--

0o644

File Upload Validation

Validate extensions (whitelist only)
Check file size limits
Reject executable files

See: code-examples.md#file-operations-security

Cryptographic Operations

Secure Random

Rule: Use secrets module for security-sensitive random values.

✅ CORRECT

token = secrets.token_hex(32)

❌ WRONG

token = str(random.randint(0, 999999)) # Not cryptographically secure!

See: code-examples.md#cryptographic-operations for password hashing

Logging Security

Rule: Never log full secrets. Mask sensitive values.

✅ CORRECT

masked_key = api_key[:7] + "***" + api_key[-4:] logging.info(f"Using key {masked_key}")

❌ WRONG

logging.info(f"Using key {api_key}") # Exposes full key!

Dependencies Security

Check for vulnerabilities

pip install safety && safety check

OR

pip install pip-audit && pip-audit

Key Takeaways

Never hardcode secrets - Use environment variables
Validate all inputs - User data, file paths, commands
Prevent path traversal - Use is_relative_to()
No shell=True - Use list arguments with subprocess
Parameterized queries - Never string interpolation
Secure random - Use secrets module
Restrict permissions - Files 0o600, dirs 0o700
Mask secrets in logs - Show only first/last few chars
Scan dependencies - Use safety/pip-audit
.gitignore secrets - .env, *.key, *.pem

Related Files

code-examples.md - Complete Python code examples
templates.md - .env, .gitignore, and security checklists

OWASP Top 10 Quick Reference

See: templates.md#owasp-top-10-quick-reference

security-patterns

Safety Notice

Copy this and send it to your AI assistant to learn

✅ CORRECT

❌ WRONG

Use is_relative_to() to prevent ../ attacks

✅ CORRECT

❌ WRONG

✅ CORRECT

❌ WRONG

✅ CORRECT

❌ WRONG

✅ CORRECT

❌ WRONG

Check for vulnerabilities

OR

Source Transparency

Related Skills

library-design-patterns

git-github

scientific-validation