Reviews security including OWASP Top 10, input validation, auth. Use when junior builds login, authentication, stores passwords, handles user input, API keys, JWT tokens, or asks "is this secure".
インストール
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
Reviews security including OWASP Top 10, input validation, auth. Use when junior builds login, authentication, stores passwords, handles user input, API keys, JWT tokens, or asks "is this secure".
Security Fundamentals Review
"Security is not a feature. It's a foundation. Build on sand, and the house falls."
When to Apply
Activate this skill when reviewing:
Authentication/login flows
Authorization checks
User input handling
Database queries
File uploads
API endpoints
Data exposure in responses
Review Checklist
Input Validation (NEVER Trust the Client)
All inputs validated: Is every user input checked before use?
Server-side validation: Is validation done on the server, not just client?
Type checking: Are expected types enforced?
Length limits: Are string lengths bounded?
Whitelist over blacklist: Are allowed values explicitly defined?
Authentication
Password hashing: Are passwords hashed (bcrypt, argon2), not encrypted?
No plaintext secrets: Are secrets in env vars, not code?
Token expiry: Do JWTs/sessions have reasonable expiration?
Secure transmission: Is HTTPS enforced?
Authorization
Ownership checks: Can users only access THEIR data?
Role verification: Are admin routes protected by role checks?
No client-side auth: Is authorization enforced server-side?
Data Exposure
Minimal response: Does the API return only necessary fields?
No sensitive data in URLs: Are tokens/IDs not in query strings?
No sensitive data in logs: Are passwords/tokens excluded from logs?
OWASP Top 10 Quick Check
1. Injection (SQL, NoSQL, Command)
❌ db.query(`SELECT * FROM users WHERE id = ${userId}`);
✅ db.query('SELECT * FROM users WHERE id = ?', [userId]);
2. Broken Authentication
❌ if (req.headers.admin === 'true') { /* allow admin */ }
✅ const user = await verifyToken(req.headers.authorization);
if (user.role !== 'admin') throw new ForbiddenError();
❌ CORS: origin: '*'
❌ Detailed error messages in production
❌ Debug mode enabled in production
✅ CORS: origin: process.env.ALLOWED_ORIGINS
✅ Generic error messages to clients
✅ Debug mode disabled in production