Validate and constrain untrusted input at the boundary. Use on any handler that accepts external data.
Installation
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Validate and constrain untrusted input at the boundary. Use on any handler that accepts external data.
when_to_use
request bodies, query params, file uploads, webhook payloads, form data
targets
["*"]
Input Validation
Validate at the edge, before the data touches logic or storage.
Schema - type, required fields, allowed values. Reject unknown fields rather than ignoring them.
Bounds - string length, number ranges, array size. An unbounded input is a DoS and a memory bomb.
Format - emails, UUIDs, dates parsed and re-validated, not trusted as strings.
Files - size limit, type allowlist (check content, not just extension), no path traversal in names.
Reject with a clear 4xx and a message that says what's wrong - without leaking internals.
Never trust "it comes from our own frontend". The request can come from anywhere.