ワンクリックで
security-hardening
Application security covering input validation, auth, headers, secrets management, and dependency auditing
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Application security covering input validation, auth, headers, secrets management, and dependency auditing
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Use the codebase knowledge graph for structural code queries. Triggers on: explore the codebase, understand the architecture, what functions exist, show me the structure, who calls this function, what does X call, trace the call chain, find callers of, show dependencies, impact analysis, dead code, unused functions, high fan-out, refactor candidates, code quality audit, graph query syntax, Cypher query examples, edge types, how to use search_graph.
UI/UX design intelligence for web and mobile. Includes 50+ styles, 161 color palettes, 57 font pairings, 161 product types, 99 UX guidelines, and 25 chart types across 10 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind, shadcn/ui, and HTML/CSS). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, and check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, and mobile app. Elements: button, modal, navbar, sidebar, card, table, form, and chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, and flat design. Topics: color systems, accessibility, animation, layout, typography, font pairing, spacing, interaction states, shadow, and gradient. Integrations: shadcn/ui MCP for component search and examples.
any input (code, docs, papers, images) → knowledge graph → clustered communities → HTML + JSON + audit report
Provides comprehensive code review guidance for React 19, Vue 3, Rust, TypeScript, Java, Python, and C/C++. Helps catch bugs, improve code quality, and give constructive feedback. Use when: reviewing pull requests, conducting PR reviews, code review, reviewing code changes, establishing review standards, mentoring developers, architecture reviews, security audits, checking code quality, finding bugs, giving feedback on code.
CI/CD pipeline design with GitHub Actions, Docker, Kubernetes, Helm, and GitOps patterns
AWS cloud patterns for Lambda, ECS, S3, DynamoDB, and Infrastructure as Code with CDK/Terraform
| name | security-hardening |
| description | Application security covering input validation, auth, headers, secrets management, and dependency auditing |
Validate all input at the boundary. Never trust client-side validation alone.
import { z } from 'zod';
const CreateUserSchema = z.object({
email: z.string().email().max(255),
name: z.string().min(1).max(100).regex(/^[a-zA-Z\s'-]+$/),
age: z.number().int().min(13).max(150),
});
function createUser(req: Request) {
const result = CreateUserSchema.safeParse(req.body);
if (!result.success) {
return { status: 400, errors: result.error.flatten().fieldErrors };
}
// result.data is typed and validated
}
Rules:
// Prevent XSS: encode output based on context
// HTML context: use framework auto-escaping (React does this by default)
// Never use dangerouslySetInnerHTML with user input
// URL context: encode parameters
const safeUrl = `/search?q=${encodeURIComponent(userInput)}`;
// JSON context: use JSON.stringify (handles escaping)
const safeJson = JSON.stringify({ query: userInput });
Never construct HTML strings with user input. Use templating engines with auto-escaping enabled.
# NEVER do this
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# Always use parameterized queries
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
// NEVER do this
db.query(`SELECT * FROM users WHERE email = '${email}'`);
// Always use parameterized queries
db.query("SELECT * FROM users WHERE email = $1", [email]);
Use an ORM or query builder. If writing raw SQL, always parameterize.
// Server: generate and validate CSRF tokens
import { randomBytes } from 'crypto';
function generateCsrfToken(): string {
return randomBytes(32).toString('hex');
}
// Middleware: validate on state-changing requests
function csrfMiddleware(req, res, next) {
if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)) {
const token = req.headers['x-csrf-token'] || req.body._csrf;
if (!timingSafeEqual(token, req.session.csrfToken)) {
return res.status(403).json({ error: 'Invalid CSRF token' });
}
}
next();
}
For APIs with token-based auth (Bearer tokens), CSRF is not needed since the token is not auto-sent by browsers.
Content-Security-Policy:
default-src 'self';
script-src 'self' 'nonce-{random}';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self';
connect-src 'self' https://api.example.com;
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
Start strict, relax as needed. Use nonce for inline scripts instead of unsafe-inline. Report violations with report-uri directive. Test with Content-Security-Policy-Report-Only first.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Set these on every response. Use helmet (Node.js) or equivalent middleware.
// Per-user, per-endpoint rate limiting
const rateLimits = {
'POST /auth/login': { window: '15m', max: 5 },
'POST /auth/register': { window: '1h', max: 3 },
'POST /api/*': { window: '1m', max: 60 },
'GET /api/*': { window: '1m', max: 120 },
};
Use sliding window algorithm. Store counters in Redis. Return 429 with Retry-After header. Apply stricter limits to authentication endpoints.
iss, aud, exp, and nbf claims on every request// Verify JWT with all checks
const payload = jwt.verify(token, publicKey, {
algorithms: ['RS256'],
issuer: 'auth.example.com',
audience: 'api.example.com',
clockTolerance: 30,
});
.gitignore for .env)trufflehog, gitleaks, git-secrets# Check for secrets in git history
gitleaks detect --source . --verbose
# Pre-commit hook to prevent secret commits
gitleaks protect --staged
# Node.js
npm audit --production
npx better-npm-audit audit --level=high
# Python
pip-audit
safety check
# Go
govulncheck ./...
Run dependency audits in CI on every PR. Block merges on critical/high vulnerabilities. Pin dependency versions. Update dependencies weekly with automated PRs (Dependabot, Renovate).