Run any Skill in Manus with one click

web-security-hardening

Stars1

Forks0

UpdatedMarch 18, 2026 at 06:24

Security audit checklist for web applications. Use when reviewing, auditing, or hardening a web app's security posture. Covers rate limiting, auth headers, IP blocking, CORS, security middleware, input validation, file upload limits, ORM usage, and password hashing. Triggers on requests like "review security", "harden this app", "security audit", "check for vulnerabilities", or when building/reviewing API endpoints.

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

Run Skill in Manus

Source

dtsong

dtsong/claude-code-wsl-setup

View GitHub Repository View Creator Repositories

Download

Run Skill in Manus

Related occupationsSOC

Based on SOC occupation classification

Information Security AnalystsComputer and Mathematical Occupations·SOC 15-1212

File Explorer

6 files

SKILL.md

readonly

name

web-security-hardening

description

Web Security Hardening

Security audit checklist for web applications. Run through each item when reviewing or building web apps.

Audit Workflow

Identify the framework (Node.js/Express, Python/Django/Flask, etc.)
Review each checklist item below
For implementation details, see framework-specific references:
- Node.js/Express: See references/nodejs.md
- Python/Django/Flask: See references/python.md
For production deployments, see references/production-gcp.md for extended checklist covering:
- GCP infrastructure (IAM, networking, secrets)
- CI/CD pipeline security
- Monitoring & incident response
Report findings with severity and remediation steps

Security Checklist

1. Rate Limiting

Risk: DoS attacks, brute force attempts, API abuse

Check for:

Per-endpoint rate limits (stricter on auth endpoints)
Rate limit headers in responses (X-RateLimit-*)
Appropriate limits for different user tiers

2. Security & Authorization Headers

Risk: XSS, clickjacking, MIME sniffing, info leakage

Required headers:

Strict-Transport-Security (HSTS)
X-Content-Type-Options: nosniff
X-Frame-Options: DENY or SAMEORIGIN
Content-Security-Policy
Authorization header validation on protected routes

3. IP Block List (Public APIs)

Risk: Abuse from known bad actors, bot traffic

Check for:

IP-based blocking mechanism
Integration with threat intelligence feeds (optional)
Logging of blocked requests

4. CORS Configuration

Risk: Unauthorized cross-origin requests, data theft

Check for:

Explicit origin whitelist (not * in production)
Appropriate methods and headers allowed
Credentials handling if needed

5. Security Middleware

Risk: Common web vulnerabilities

Check for framework-appropriate middleware:

Node.js: helmet
Python: django-secure, flask-talisman
Sets multiple security headers automatically

6. Input Validation

Risk: Injection attacks, data corruption, XSS

Check for:

Frontend validation (UX, not security)
Backend validation (required for security)
Schema validation libraries (Zod, Joi, Pydantic, etc.)
Sanitization of user input before storage/display

7. File Upload Limits

Risk: Storage exhaustion, malicious file uploads

Check for:

Max file size limits
Allowed file type restrictions (MIME + extension)
File content validation (magic bytes)
Secure storage location (outside webroot)

8. ORM for Database Access

Risk: SQL injection

Check for:

Parameterized queries (never string concatenation)
ORM usage (Prisma, Sequelize, SQLAlchemy, Django ORM)
If raw SQL needed: prepared statements only

9. Password Hashing

Risk: Credential theft, rainbow table attacks

Check for:

Strong algorithm: bcrypt, Argon2, or scrypt
Appropriate cost factor (bcrypt rounds ≥10)
No MD5, SHA1, or plain SHA256 for passwords
No plaintext password storage or logging

Gotchas

CORS credentials: true + origin: '*' fails silently in browsers — must specify explicit origin when using credentials
helmet() defaults changed between v4 and v5 — CSP is no longer set by default in v5, must configure explicitly
CSP unsafe-inline negates most XSS protection — if you need inline scripts, use nonces or hashes instead
express.json() without limit accepts arbitrarily large payloads — always set limit: '1mb' or similar
httpOnly cookies prevent XSS token theft but NOT CSRF — still need CSRF tokens or SameSite=Strict
Rate limiting per IP fails behind reverse proxies — must set trust proxy and use X-Forwarded-For
bcrypt silently truncates passwords at 72 bytes — use Argon2 for long passphrases or pre-hash with SHA-256

// WRONG: credentials with wildcard origin (silently fails)
app.use(cors({ origin: '*', credentials: true }));
// RIGHT: explicit origin
app.use(cors({ origin: 'https://app.example.com', credentials: true }));

// WRONG: helmet v5 without CSP (no longer set by default)
app.use(helmet());
// RIGHT: explicit CSP
app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"] } } }));

Audit Report Format

## Security Audit: [App Name]

### Summary
- **Items Passing**: X/9
- **Critical Issues**: X
- **Recommendations**: X

### Findings

#### [Item Name] - [PASS/FAIL/PARTIAL]
**Severity**: Critical/High/Medium/Low
**Finding**: [Description]
**Location**: [File/endpoint]
**Remediation**: [Steps to fix]

More from this repository

same repository

git-workflows

dtsong/claude-code-wsl-setup

Local git operations for syncing, branching, merging, and conflict resolution

2026-03-181

github-workflow

dtsong/claude-code-wsl-setup

GitHub interactions for issues, PRs, releases, and repository management

2026-03-181

soc-security-skills

dtsong/claude-code-wsl-setup

Use this skill when performing hardware security analysis for System-on-Chip components — threat modeling, verification scaffolding, compliance mapping, executive briefing, microarchitectural attack analysis, physical side-channel assessment, kernel security analysis, emerging hardware security, or TLA+ formal specification. Routes to the appropriate specialist. Trigger phrases include "threat model my SoC", "run STRIDE analysis", "generate SVA assertions", "compliance check against FIPS", "executive summary of findings", "Spectre analysis for cache", "DPA attack assessment", "kernel hardening review", "PQC hardware review", "TLA+ spec for access control". Do NOT use for software-only security, network security, or web application security.

2026-03-181

terraform-skill

dtsong/claude-code-wsl-setup

Use when working with Terraform or OpenTofu - creating modules, writing tests (native test framework, Terratest), setting up CI/CD pipelines, reviewing configurations, choosing between testing approaches, debugging state issues, implementing security scanning (trivy, checkov), or making infrastructure-as-code architecture decisions

2026-03-181

ai-data-integration

dtsong/claude-code-wsl-setup

Use this skill when connecting AI or LLMs to data platforms. Covers MCP servers for warehouses, natural-language-to-SQL, embeddings for data discovery, LLM-powered enrichment, and AI agent data access patterns. Common phrases: "text-to-SQL", "MCP server for Snowflake", "LLM data enrichment", "AI agent access". Do NOT use for general data integration (use data-integration) or dbt modeling (use dbt-transforms).

2026-03-081

evaluate-diagram

dtsong/claude-code-wsl-setup

Use this skill when scoring or comparing a generated diagram against a human reference. Triggers on "score this diagram", "evaluate my diagram", "compare to reference", or "how accurate is this". Applies when both a generated diagram and a reference image exist and quality assessment is needed. Do NOT use for creating new diagrams (use generate-diagram) or plotting data (use generate-plot).

2026-03-081

name

web-security-hardening

description

Web Security Hardening

Security audit checklist for web applications. Run through each item when reviewing or building web apps.

Audit Workflow

Identify the framework (Node.js/Express, Python/Django/Flask, etc.)
Review each checklist item below
For implementation details, see framework-specific references:
- Node.js/Express: See references/nodejs.md
- Python/Django/Flask: See references/python.md
For production deployments, see references/production-gcp.md for extended checklist covering:
- GCP infrastructure (IAM, networking, secrets)
- CI/CD pipeline security
- Monitoring & incident response
Report findings with severity and remediation steps

Security Checklist

1. Rate Limiting

Risk: DoS attacks, brute force attempts, API abuse

Check for:

Per-endpoint rate limits (stricter on auth endpoints)
Rate limit headers in responses (X-RateLimit-*)
Appropriate limits for different user tiers

2. Security & Authorization Headers

Risk: XSS, clickjacking, MIME sniffing, info leakage

Required headers:

Strict-Transport-Security (HSTS)
X-Content-Type-Options: nosniff
X-Frame-Options: DENY or SAMEORIGIN
Content-Security-Policy
Authorization header validation on protected routes

3. IP Block List (Public APIs)

Risk: Abuse from known bad actors, bot traffic

Check for:

IP-based blocking mechanism
Integration with threat intelligence feeds (optional)
Logging of blocked requests

4. CORS Configuration

Risk: Unauthorized cross-origin requests, data theft

Check for:

Explicit origin whitelist (not * in production)
Appropriate methods and headers allowed
Credentials handling if needed

5. Security Middleware

Risk: Common web vulnerabilities

Check for framework-appropriate middleware:

Node.js: helmet
Python: django-secure, flask-talisman
Sets multiple security headers automatically

6. Input Validation

Risk: Injection attacks, data corruption, XSS

Check for:

Frontend validation (UX, not security)
Backend validation (required for security)
Schema validation libraries (Zod, Joi, Pydantic, etc.)
Sanitization of user input before storage/display

7. File Upload Limits

Risk: Storage exhaustion, malicious file uploads

Check for:

Max file size limits
Allowed file type restrictions (MIME + extension)
File content validation (magic bytes)
Secure storage location (outside webroot)

8. ORM for Database Access

Risk: SQL injection

Check for:

Parameterized queries (never string concatenation)
ORM usage (Prisma, Sequelize, SQLAlchemy, Django ORM)
If raw SQL needed: prepared statements only

9. Password Hashing

Risk: Credential theft, rainbow table attacks

Check for:

Strong algorithm: bcrypt, Argon2, or scrypt
Appropriate cost factor (bcrypt rounds ≥10)
No MD5, SHA1, or plain SHA256 for passwords
No plaintext password storage or logging

Gotchas

CORS credentials: true + origin: '*' fails silently in browsers — must specify explicit origin when using credentials
helmet() defaults changed between v4 and v5 — CSP is no longer set by default in v5, must configure explicitly
CSP unsafe-inline negates most XSS protection — if you need inline scripts, use nonces or hashes instead
express.json() without limit accepts arbitrarily large payloads — always set limit: '1mb' or similar
httpOnly cookies prevent XSS token theft but NOT CSRF — still need CSRF tokens or SameSite=Strict
Rate limiting per IP fails behind reverse proxies — must set trust proxy and use X-Forwarded-For
bcrypt silently truncates passwords at 72 bytes — use Argon2 for long passphrases or pre-hash with SHA-256

// WRONG: credentials with wildcard origin (silently fails)
app.use(cors({ origin: '*', credentials: true }));
// RIGHT: explicit origin
app.use(cors({ origin: 'https://app.example.com', credentials: true }));

// WRONG: helmet v5 without CSP (no longer set by default)
app.use(helmet());
// RIGHT: explicit CSP
app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"] } } }));

Audit Report Format

## Security Audit: [App Name]

### Summary
- **Items Passing**: X/9
- **Critical Issues**: X
- **Recommendations**: X

### Findings

#### [Item Name] - [PASS/FAIL/PARTIAL]
**Severity**: Critical/High/Medium/Low
**Finding**: [Description]
**Location**: [File/endpoint]
**Remediation**: [Steps to fix]