Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

security-and-hardening

Harden web application code against vulnerabilities during development. Use while writing any feature that accepts untrusted data, handles authentication or sessions, stores or transmits sensitive information, integrates with third-party APIs, accepts file uploads, or exposes webhooks and callbacks. Covers OWASP Top 10 prevention patterns, input validation at system boundaries, parameterized queries, output encoding, secrets management, rate limiting, session hardening, and the three-tier "always / ask first / never" boundary system. Do not use for post-implementation security audits, threat modeling of finished systems, or vulnerability reports — use the `barb` / `security-auditor` agent for that. This skill is for building secure code; Barb is for auditing built code.

Ejecutar en Manus

Estrellas1

Forks0

Actualizado24 de abril de 2026, 00:08

Fuente

jasonjgarcia24

jasonjgarcia24/claude-dev-team

Abrir repositorio de GitHub Ver repositorios del creador

Comando de instalación

Descarga

Ejecutar en Manus

Útil paraSOC

Analistas de seguridad de la informaciónOcupaciones informáticas y matemáticas15-1212L4

Explorador de archivos

4 archivos

SKILL.md

readonly

name

security-and-hardening

description

Security and Hardening

Treat every external input as hostile, every secret as sacred, and every authorization check as mandatory. Security is a constraint on every line of code that touches user data, authentication, or external systems — not a phase.

Split with Barb (security-auditor)

This skill owns hardening during development — the patterns, guardrails, and checklists applied while writing code. The barb agent (~/.claude/agents/security-auditor.md) owns auditing after implementation — reviewing built code, classifying severity, producing an audit report. Reach for this skill when building; reach for Barb when reviewing finished code for exploitable issues.

The Three-Tier Boundary System

Always Do (No Exceptions)

Validate all external input at the system boundary (API routes, form handlers).
Parameterize all database queries — never concatenate user input into SQL.
Encode output to prevent XSS (use framework auto-escaping; do not bypass it).
Use HTTPS for all external communication.
Hash passwords with bcrypt, scrypt, or argon2 (never store plaintext).
Set security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).
Use httpOnly, secure, sameSite cookies for sessions.
Run npm audit (or equivalent) before every release.

Ask First (Requires Human Approval)

Adding new authentication flows or changing auth logic.
Storing new categories of sensitive data (PII, payment info).
Adding new external service integrations.
Changing CORS configuration.
Adding file upload handlers.
Modifying rate limiting or throttling.
Granting elevated permissions or roles.

Never Do

Never commit secrets to version control (API keys, passwords, tokens).
Never log sensitive data (passwords, tokens, full credit card numbers).
Never trust client-side validation as a security boundary.
Never disable security headers for convenience.
Never use eval() or innerHTML with user-provided data.
Never store sessions in client-accessible storage (no auth tokens in localStorage).
Never expose stack traces or internal error details to users.

OWASP Top 10 Prevention

For per-category BAD/GOOD code patterns (injection, broken auth, XSS, access control, misconfiguration, sensitive data exposure) plus schema validation and file upload safety, see references/owasp-patterns.md.

Operational Security

For rate limiting, secrets management (.env hygiene, pre-commit secret scan), and a decision tree for triaging npm audit findings, see references/operational-security.md.

Pre-Ship Security Checklist

For the full auth / authorization / input / data / infrastructure checklist to run before shipping any security-relevant change, see references/security-checklist.md.

Common Rationalizations

Rationalization	Reality
"This is an internal tool, security doesn't matter"	Internal tools get compromised. Attackers target the weakest link.
"We'll add security later"	Security retrofitting is 10x harder than building it in. Add it now.
"No one would try to exploit this"	Automated scanners will find it. Security by obscurity is not security.
"The framework handles security"	Frameworks provide tools, not guarantees. You still need to use them correctly.
"It's just a prototype"	Prototypes become production. Security habits from day one.

Red Flags

User input passed directly to database queries, shell commands, or HTML rendering
Secrets in source code or commit history
API endpoints without authentication or authorization checks
Missing CORS configuration or wildcard (*) origins
No rate limiting on authentication endpoints
Stack traces or internal errors exposed to users
Dependencies with known critical vulnerabilities

Verification

After implementing security-relevant code:

npm audit shows no critical or high vulnerabilities
No secrets in source code or git history
All user input validated at system boundaries
Authentication and authorization checked on every protected endpoint
Security headers present in response (check with browser DevTools)
Error responses don't expose internal details
Rate limiting active on auth endpoints

For a post-implementation audit with severity classification and an exploit-focused report, hand off to the barb agent (~/.claude/agents/security-auditor.md).

Más de este repositorio

mismo repositorio

test-driven-development

jasonjgarcia24/claude-dev-team

Drives development with tests. Write a failing test before writing code that makes it pass; for bugs, reproduce with a test before attempting a fix (the Prove-It Pattern). Use when implementing any new logic or behavior, fixing any bug, modifying existing functionality, adding edge case handling, or making any change that could break existing behavior. Do NOT use for pure configuration changes, documentation updates, or static content changes with no behavioral impact. Covers the RED/GREEN/REFACTOR cycle, the test pyramid and test-size model, writing-good-tests patterns (state over interactions, DAMP over DRY, real over mocks, Arrange-Act-Assert), and common anti-patterns. For browser runtime verification, combine with the `browser-testing-with-devtools` skill.

2026-04-241

browser-testing-with-devtools

jasonjgarcia24/claude-dev-team

Verifies browser-rendered changes against live runtime via Chrome DevTools MCP. Use when building or debugging anything that renders in a browser, inspecting the DOM, capturing console errors, analyzing network requests, profiling Core Web Vitals, or verifying visual output with real runtime data. Do NOT use for backend-only changes, CLI tools, non-UI code, or when Pepper + test-driven-development already covers the scenario with automated tests.

2026-04-241

acceptance-exploration

jasonjgarcia24/claude-dev-team

Verify a finished feature works end-to-end before declaring done. Use after implementation and unit tests pass, when you need a pass/fail verdict on whether the feature actually works from a user's or caller's perspective — not just that tests are green. Works across browser apps, CLI tools, HTTP APIs, and agent/skill bundles at stage-appropriate depth (prototype / MVP / beta / GA). Produces a verdict with evidence (screenshots, transcripts, request logs). Do not use for writing tests (use test-driven-development), code review (use code-review-and-quality), or security audits (use security-and-hardening).

2026-04-241

code-review-and-quality

jasonjgarcia24/claude-dev-team

Multi-axis code review before merge across correctness, readability, architecture, security, and performance. Use before merging any PR, after completing a feature, when evaluating code produced by another agent or model, during refactors, or after a bug fix (review both the fix and the regression test). Produces categorized findings (Critical / Important / Suggestion / Nit) and an APPROVE or REQUEST CHANGES verdict. Do not use for deep security audits (use security-and-hardening + Barb), for verifying a running feature end-to-end (use acceptance-exploration + Negev), for writing tests (use test-driven-development), or for committing curated changes (use git-workflow-and-versioning + Hubert).

2026-04-241

git-workflow-and-versioning

jasonjgarcia24/claude-dev-team

Structure git workflow practices — atomic commits, trunk-based branching, descriptive messages, and change summaries. Use when making any code change that gets committed, when splitting a messy working tree, when naming a branch, when writing a commit message, or when cleaning up history. Invoked most often by the `hubert` agent, which layers persona-specific execution (secrets scanning, 70-char subject cap, result-line contract). Do not use for force-pushing, rebasing published history, or PR creation — those are out of scope.

2026-04-241

name

security-and-hardening

description

Security and Hardening

Split with Barb (security-auditor)

The Three-Tier Boundary System

Always Do (No Exceptions)

Validate all external input at the system boundary (API routes, form handlers).
Parameterize all database queries — never concatenate user input into SQL.
Encode output to prevent XSS (use framework auto-escaping; do not bypass it).
Use HTTPS for all external communication.
Hash passwords with bcrypt, scrypt, or argon2 (never store plaintext).
Set security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).
Use httpOnly, secure, sameSite cookies for sessions.
Run npm audit (or equivalent) before every release.

Ask First (Requires Human Approval)

Adding new authentication flows or changing auth logic.
Storing new categories of sensitive data (PII, payment info).
Adding new external service integrations.
Changing CORS configuration.
Adding file upload handlers.
Modifying rate limiting or throttling.
Granting elevated permissions or roles.

Never Do

Never commit secrets to version control (API keys, passwords, tokens).
Never log sensitive data (passwords, tokens, full credit card numbers).
Never trust client-side validation as a security boundary.
Never disable security headers for convenience.
Never use eval() or innerHTML with user-provided data.
Never store sessions in client-accessible storage (no auth tokens in localStorage).
Never expose stack traces or internal error details to users.

OWASP Top 10 Prevention

Operational Security

For rate limiting, secrets management (.env hygiene, pre-commit secret scan), and a decision tree for triaging npm audit findings, see references/operational-security.md.

Pre-Ship Security Checklist

For the full auth / authorization / input / data / infrastructure checklist to run before shipping any security-relevant change, see references/security-checklist.md.

Common Rationalizations

Rationalization	Reality
"This is an internal tool, security doesn't matter"	Internal tools get compromised. Attackers target the weakest link.
"We'll add security later"	Security retrofitting is 10x harder than building it in. Add it now.
"No one would try to exploit this"	Automated scanners will find it. Security by obscurity is not security.
"The framework handles security"	Frameworks provide tools, not guarantees. You still need to use them correctly.
"It's just a prototype"	Prototypes become production. Security habits from day one.

Red Flags

User input passed directly to database queries, shell commands, or HTML rendering
Secrets in source code or commit history
API endpoints without authentication or authorization checks
Missing CORS configuration or wildcard (*) origins
No rate limiting on authentication endpoints
Stack traces or internal errors exposed to users
Dependencies with known critical vulnerabilities

Verification

After implementing security-relevant code:

npm audit shows no critical or high vulnerabilities
No secrets in source code or git history
All user input validated at system boundaries
Authentication and authorization checked on every protected endpoint
Security headers present in response (check with browser DevTools)
Error responses don't expose internal details
Rate limiting active on auth endpoints

For a post-implementation audit with severity classification and an exploit-focused report, hand off to the barb agent (~/.claude/agents/security-auditor.md).