원클릭으로
secure-coding
Use when writing security-sensitive code, handling authentication, processing user input, or managing secrets
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Use when writing security-sensitive code, handling authentication, processing user input, or managing secrets
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Execute safe Git workflows — branching, committing, resolving conflicts, and managing PRs
Use when controlling AI spend, token budgets, model routing, or workflow efficiency before scaling usage
Use when handling incidents, outages, severe regressions, or operational emergencies before attempting broad fixes
Use when investigating latency, throughput, resource saturation, or performance regressions before changing implementation details
Use when reviewing code, preparing a PR for review, or processing review feedback
Use when diagnosing bugs, test failures, or unexpected behavior before attempting any fix
| name | secure-coding |
| description | Use when writing security-sensitive code, handling authentication, processing user input, or managing secrets |
Announce at start: "Following the secure-coding skill for security-sensitive work."
Before submitting security-sensitive code, verify against these categories:
All user input is untrusted. Validate everything.
| Rule | Example |
|---|---|
| Allowlist over denylist | Accept known-good patterns, reject everything else |
| Validate type, length, range | age: int, 0-150 not just age: any |
| Sanitize before use | Escape HTML before rendering, parameterize SQL |
| Validate on the server | Client-side validation is for UX, not security |
| Do | Don't |
|---|---|
| Use environment variables or secret managers | Hardcode secrets in source |
| Rotate secrets regularly | Share secrets in chat/email |
| Use different secrets per environment | Reuse production secrets in dev |
Add secret files to .gitignore | Commit .env files |
Request a security-focused review when changes touch:
| Area | Why |
|---|---|
| Authentication/authorization | Identity and access control |
| Payment processing | Financial data |
| File uploads | Path traversal, malware |
| API endpoints | Injection, rate limiting |
| Cryptography | Algorithm choice, key management |
| External service integration | Trust boundary crossing |
Always escalate to a human for:
| When | Invoke |
|---|---|
| Security code needs review | code-review |
| Need to test security controls | testing |
| Ready to submit security changes | pr-writing |
For principles, rationale, anti-patterns, and examples:
guides/secure-coding/secure-coding.mdguides/security-boundaries/security-boundaries.md