| name | security-hardening |
| description | Harden an application or service against common attack vectors. Use when asked to improve security posture, secure an API, harden a server, or prepare for a security review. |
| license | MIT |
Overview
Security hardening is not about chasing perfect — it's about raising the cost of attack above the attacker's budget. Work systematically through the layers.
Process
Layer 1: Authentication and Authorization
- Verify all endpoints require authentication. Check for unprotected routes using:
grep -rn "route\|@app\.\|router\." src/ | grep -v "login\|health\|docs"
- Check that authorization is enforced at the data layer, not just the route layer. A user who can reach
/orders should only see their orders.
- Confirm tokens expire. JWTs must have
exp claims. Sessions must have server-side expiry.
Layer 2: Input Validation
- Every user-supplied value that touches a database must use parameterized queries. Grep for f-string SQL:
grep -rn "f\"SELECT\|f'SELECT\|format.*SELECT" src/
- Every file path from user input must be validated against an allowlist or a sandboxed directory. Check for
os.path.join(base, user_input) without os.path.abspath + startswith guard.
Layer 3: Secrets and Configuration
- Scan for hardcoded secrets:
grep -rn "password\s*=\s*[\"'][^\"']\|api_key\s*=\s*[\"'][^\"']" src/
- Confirm all secrets come from environment variables or a secrets manager, not from config files committed to version control.
- Check
.gitignore includes .env, *.key, *.pem.
Layer 4: Dependencies and Infrastructure
- Run the
dependency-audit skill to check for vulnerable packages.
- Check HTTP security headers are set (for web services):
Content-Security-Policy
X-Frame-Options: DENY
Strict-Transport-Security
X-Content-Type-Options: nosniff
Layer 5: Output
- Write findings as a prioritized list: Critical → High → Medium → Low. For each finding: what it is, where it is (file:line), how to fix it.
Rationalizations
| Excuse | Rebuttal |
|---|
| "This is an internal service, it doesn't need hardening" | Internal services are the primary target of lateral movement attacks after initial breach. |
| "We'll harden it before the public launch" | Security debt compounds. Fix it before it goes anywhere. |
| "The framework handles security" | Frameworks handle some things. You must handle the application-level concerns. |
Verification