Reviews security including OWASP Top 10, input validation, auth. Use when junior builds login, authentication, stores passwords, handles user input, API keys, JWT tokens, or asks "is this secure".
설치
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Reviews security including OWASP Top 10, input validation, auth. Use when junior builds login, authentication, stores passwords, handles user input, API keys, JWT tokens, or asks "is this secure".
Security Fundamentals Review
"Security is not a feature. It's a foundation. Build on sand, and the house falls."
When to Apply
Activate this skill when reviewing:
Authentication/login flows
Authorization checks
User input handling
Database queries
File uploads
API endpoints
Data exposure in responses
Review Checklist
Input Validation (NEVER Trust the Client)
All inputs validated: Is every user input checked before use?
Server-side validation: Is validation done on the server, not just client?
Type checking: Are expected types enforced?
Length limits: Are string lengths bounded?
Whitelist over blacklist: Are allowed values explicitly defined?
Authentication
Password hashing: Are passwords hashed (bcrypt, argon2), not encrypted?
No plaintext secrets: Are secrets in env vars, not code?
Token expiry: Do JWTs/sessions have reasonable expiration?
Secure transmission: Is HTTPS enforced?
Authorization
Ownership checks: Can users only access THEIR data?
Role verification: Are admin routes protected by role checks?
No client-side auth: Is authorization enforced server-side?
Data Exposure
Minimal response: Does the API return only necessary fields?
No sensitive data in URLs: Are tokens/IDs not in query strings?
No sensitive data in logs: Are passwords/tokens excluded from logs?
OWASP Top 10 Quick Check
1. Injection (SQL, NoSQL, Command)
❌ db.query(`SELECT * FROM users WHERE id = ${userId}`);
✅ db.query('SELECT * FROM users WHERE id = ?', [userId]);
2. Broken Authentication
❌ if (req.headers.admin === 'true') { /* allow admin */ }
✅ const user = await verifyToken(req.headers.authorization);
if (user.role !== 'admin') throw new ForbiddenError();
❌ CORS: origin: '*'
❌ Detailed error messages in production
❌ Debug mode enabled in production
✅ CORS: origin: process.env.ALLOWED_ORIGINS
✅ Generic error messages to clients
✅ Debug mode disabled in production