application-security

OWASP Top 10 with code examples, SAST/DAST tools, dependency scanning, CSP headers, and input validation patterns. Use when hardening applications, reviewing security posture, or implementing defensive coding practices.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "application-security" with this command: npx skills add travisjneuman/.claude/travisjneuman-claude-application-security

Application Security Skill

Secure coding patterns, vulnerability prevention, and security tooling for web applications.

OWASP Top 10 (2021) with Code Examples

A01: Broken Access Control

// BAD - No authorization check
app.get('/api/users/:id', async (req, res) => {
  const user = await db.user.findUnique({ where: { id: req.params.id } });
  res.json(user);
});

// GOOD - Verify ownership or role
app.get('/api/users/:id', authenticate, async (req, res) => {
  if (req.user.id !== req.params.id && req.user.role !== 'ADMIN') {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = await db.user.findUnique({ where: { id: req.params.id } });
  res.json(user);
});

A02: Cryptographic Failures

// BAD - Weak hashing
import crypto from 'crypto';
const hash = crypto.createHash('md5').update(password).digest('hex');

// GOOD - Use bcrypt with proper rounds
import bcrypt from 'bcrypt';
const hash = await bcrypt.hash(password, 12);
const isValid = await bcrypt.compare(password, hash);

A03: Injection

// BAD - SQL injection
const query = `SELECT * FROM users WHERE email = '${email}'`;

// GOOD - Parameterized queries (Prisma handles this automatically)
const user = await prisma.user.findUnique({ where: { email } });

// GOOD - Parameterized raw SQL when needed
const users = await prisma.$queryRaw`SELECT * FROM users WHERE email = ${email}`;

A07: Cross-Site Scripting (XSS)

// BAD - Rendering raw HTML
element.innerHTML = userInput;

// GOOD - Use textContent or framework escaping
element.textContent = userInput;

// GOOD - React auto-escapes by default
return <div>{userInput}</div>;

// BAD in React - dangerouslySetInnerHTML
return <div dangerouslySetInnerHTML={{ __html: userInput }} />;

Content Security Policy (CSP)

Recommended Headers

// Next.js middleware
import { NextResponse } from 'next/server';

export function middleware(request: Request) {
  const nonce = crypto.randomUUID();
  const csp = [
    `default-src 'self'`,
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'unsafe-inline'`,
    `img-src 'self' data: https:`,
    `font-src 'self'`,
    `connect-src 'self' https://api.example.com`,
    `frame-ancestors 'none'`,
    `base-uri 'self'`,
    `form-action 'self'`,
  ].join('; ');

  const response = NextResponse.next();
  response.headers.set('Content-Security-Policy', csp);
  response.headers.set('X-Content-Type-Options', 'nosniff');
  response.headers.set('X-Frame-Options', 'DENY');
  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
  response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
  return response;
}

SAST/DAST Tooling

Static Analysis (SAST)

ToolLanguageUsage
ESLint security pluginsJS/TSeslint-plugin-security, @microsoft/eslint-plugin-sdl
SemgrepMultisemgrep --config=auto .
BanditPythonbandit -r src/
gosecGogosec ./...
cargo-auditRustcargo audit

Dynamic Analysis (DAST)

ToolPurposeUsage
OWASP ZAPWeb app scanningProxy-based scanner, API scan mode
NucleiVulnerability scanningTemplate-based scanner
Burp SuiteManual + automatedProfessional penetration testing

Dependency Scanning

# Node.js
npm audit
npm audit fix

# Python
pip-audit
safety check

# Go
govulncheck ./...

# Rust
cargo audit

Input Validation Patterns

Server-Side Validation (Always Required)

import { z } from 'zod';

const CreateUserSchema = z.object({
  email: z.string().email().max(255),
  name: z.string().min(1).max(100).regex(/^[a-zA-Z\s'-]+$/),
  age: z.number().int().min(0).max(150).optional(),
});

function createUser(input: unknown) {
  const validated = CreateUserSchema.parse(input);
  // validated is now typed and safe
}

Rate Limiting

import rateLimit from 'express-rate-limit';

const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // 5 attempts per window
  message: 'Too many login attempts, please try again later',
  standardHeaders: true,
  legacyHeaders: false,
});

app.use('/api/auth/login', authLimiter);

Security Checklist

  • All user input validated server-side
  • Parameterized queries for all database operations
  • CSP headers configured
  • Rate limiting on auth endpoints
  • CORS properly restricted
  • Secrets in environment variables, not code
  • Dependencies scanned for vulnerabilities
  • Authentication tokens in httpOnly cookies
  • HTTPS enforced in production
  • Error messages don't leak internal details

Related Resources

  • ~/.claude/docs/reference/checklists/security-hardening.md - Security hardening checklist
  • ~/.claude/agents/security-auditor.md - Security audit agent
  • ~/.claude/skills/authentication-patterns/SKILL.md - Auth patterns

Secure by default. Validate at boundaries. Defense in depth.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

security

No summary provided by upstream source.

Repository SourceNeeds Review
-32
travisjneuman
Security

seo-analytics-auditor

No summary provided by upstream source.

Repository SourceNeeds Review
-30
travisjneuman
General

document-skills

No summary provided by upstream source.

Repository SourceNeeds Review
-653
travisjneuman