원클릭으로
security-for-vibecoders
security-for-vibecoders에는 afu-it에서 수집한 skills 17개가 있으며, 저장소 수준 직업 범위와 사이트 내 skill 상세 페이지를 제공합니다.
이 저장소의 skills
Enterprise-grade access control patterns to prevent broken access control, IDOR, tenant data leaks, privilege escalation, and admin route exposure. Covers RBAC, ABAC, ownership checks, multi-tenant scoping, policy middleware, row-level security, and audit logging for Node.js, Cloudflare Workers, Laravel, and Python. Use when protecting routes, implementing roles, reviewing authorization, or fixing OWASP A01 findings.
Add structured audit logging with immutable R2 storage to Cloudflare Workers. Creates a typed audit utility, instruments all API routes, deploys a tail worker for persistent log storage, and configures R2 bucket lock for tamper-resistance. Use when adding logging, audit trails, or PDPA compliance to a Cloudflare Workers project.
Harden authentication systems against session fixation, brute-force attacks, and weak password storage. Covers bcrypt/argon2 hashing, JWT best practices, session management, and account lockout. Use when implementing login, fixing auth vulnerabilities, or reviewing authentication code.
Add CodeQL SAST, Gitleaks secret scanning, and dependency audit to any CI/CD pipeline. Blocks deployment if vulnerabilities or secrets are detected. Covers GitHub Actions, GitLab CI, and generic pipelines. Use when setting up CI security, adding SAST, preventing secret leaks, or hardening deployment pipelines.
Configure CORS correctly to prevent credential leaks and unauthorized cross-origin access. Covers Express, Next.js, Cloudflare Workers, Laravel, and FastAPI. Use when setting up CORS, fixing preflight errors, or auditing cross-origin policies.
Encrypt personal data at rest and in transit to comply with PDPA 2024. Covers field-level encryption for PII, AES-256-GCM patterns, key management, and database column encryption for Node.js, Python, Laravel, and Cloudflare Workers. Use when storing sensitive user data, implementing encryption, or responding to PDPA compliance requirements.
Detect typosquatting, malicious packages, and lockfile tampering in npm, pip, and composer dependencies. Covers lockfile integrity verification, known-malicious package detection, and supply chain attack prevention. Use when auditing dependencies, investigating suspicious packages, or hardening the supply chain.
Prevent information leakage through error messages. Covers sanitized error responses, structured error handling, no stack traces in production, and safe logging patterns for Express, Next.js, Cloudflare Workers, Laravel, and FastAPI. Use when fixing verbose errors, implementing error handlers, or preventing stack trace leaks.
Validate and sanitize all user input to prevent XSS, path traversal, command injection, and malformed data. Covers Zod, Joi, class-validator, Laravel validation, and Python Pydantic. Use when building forms, API endpoints, file uploads, or fixing injection vulnerabilities beyond SQL.
Full PDPA 2024 + OWASP Top 10 security audit for any codebase. Checks all 8 forensic findings from Malaysian court cases plus enterprise controls for access control, SSRF, secrets, encryption, CORS, auth hardening, and error handling. Produces a compliance scorecard and actionable fix list. Use when asked to audit security, check PDPA compliance, run OWASP assessment, or before go-live.
Add per-user and per-IP rate limiting to API endpoints. Covers Cloudflare Workers (KV-based sliding window), Express.js, Next.js, and generic patterns. Prevents abuse, brute-force attacks, and resource exhaustion. Use when adding rate limits, preventing API abuse, or fixing OWASP A04/A07 findings.
Prevent hardcoded secrets in source code. Covers .env setup, .gitignore patterns, secret scanning, runtime secret injection, and rotation strategies for Node.js, Python, Laravel, and Cloudflare Workers. Use when setting up environment variables, fixing exposed secrets, or implementing secret rotation.
Security for vibe coders. Full PDPA 2024 + OWASP Top 10 compliance for any codebase. Covers enterprise-grade access control, SSRF prevention, SQL injection, input validation, secrets management, auth hardening, security headers, CORS, data encryption, error handling, audit logging, webhook security, CI/CD gates, rate limiting, and dependency auditing. Based on real Malaysian court cases where developers were fined RM1,000,000. Use when asked to secure a project, check PDPA compliance, run OWASP audit, add security to CI, or before go-live.
Add security headers (CSP, HSTS, X-Frame-Options, Permissions-Policy) to prevent clickjacking, XSS, and data leaks. Provides copy-paste middleware for Express, Next.js, Cloudflare Workers, and Laravel. Use when hardening HTTP responses, fixing security scanner findings, or setting up a new project.
Detect and fix SQL injection vulnerabilities in any framework. Covers Laravel (DB::raw, whereRaw), Node.js (template literals in queries), Python (f-strings in SQL), and Cloudflare D1. Enforces parameterized bindings everywhere. Use when writing database queries, reviewing code for injection, or fixing SQL injection findings.
Enterprise-grade Server-Side Request Forgery (SSRF) prevention for APIs, webhooks, URL previewers, importers, and fetch-by-URL features. Covers strict allowlists, DNS rebinding defense, private IP blocking, cloud metadata protection, redirect validation, egress controls, and safe fetch wrappers for Node.js, Cloudflare Workers, Python, and Laravel. Use when code fetches user-provided URLs or calls external services.
Fix race conditions, add idempotency guards, and implement timing-safe token comparisons for payment webhooks. Covers Xendit, Stripe, Paddle, and generic webhook patterns. Prevents double-crediting, replay attacks, and timing attacks. Use when building payment webhooks, fixing race conditions, or securing callback endpoints.