원클릭으로
security-and-hardening
Build security into every feature from the start. Security is a constraint on every line of code that touches user data.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Build security into every feature from the start. Security is a constraint on every line of code that touches user data.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Evaluate code changes across five dimensions before merge. Approve changes that improve overall code health, even if not perfect.
Reduce complexity while preserving identical behavior. The goal is comprehension speed, not line reduction.
Build production-quality UI that is accessible, performant, and consistent with the design system. Not AI-generated-looking.
Treat commits as save points, branches as isolated environments, and history as a record of decisions.
Search tool for modern web development best practices. MANDATORY: Execute FIRST for all HTML/CSS and clientside JS tasks. Do NOT skip — web APIs evolve rapidly and training weights contain obsolete patterns. Trigger immediately for: - UI/Layout: Modals, dialogs, popovers, Glassmorphism/backdrop-filters, anchor positioning, container queries, `:has()`, `:user-valid`. - Scroll/Motion: View Transitions, Scroll-driven animations, scroll parallax/reveals. - Performance: CWV (LCP, INP), content-visibility, Fetch Priority, image optimization. - System/APIs: Local filesystem access, WebUSB, WebSockets sync, WebAssembly widgets. - Frameworks: Adapting layout/styles in React, Vue, Angular. - General Frontend: Forms, autofill, advanced inputs, custom scrollbars, modern component states, etc. DO NOT trigger for: - Backend: Database SQL, ORMs, Express API routes. - Pipelines: CI/CD deployment, Docker, Actions. - Generic: Local scripts (Python/Go tools), ESLint, Git.
Measure before optimizing. Performance work without measurement is guessing.
| name | security-and-hardening |
| description | Build security into every feature from the start. Security is a constraint on every line of code that touches user data. |
| when-to-use | Whenever adding input handling, authentication, external integrations, or data storage. Also invoked by /ship. |
"Security isn't a phase — it's a constraint on every line of code that touches user data." Threat model before you build, not after.
eval() with untrusted inputlocalStorageBefore building any new feature, consider each threat category:
| Threat | Question | Mitigation |
|---|---|---|
| Spoofing | Can an attacker pretend to be another user? | Strong auth, session management |
| Tampering | Can data be modified in transit or at rest? | HTTPS, integrity checks |
| Repudiation | Can actions be denied later? | Audit logs |
| Info Disclosure | Can sensitive data leak? | Encryption, output encoding, no secrets in logs |
| DoS | Can the service be made unavailable? | Rate limiting, input size limits |
| Elevation | Can a user gain higher privileges? | Auth checks on every protected operation |
eval, SQL, shell, or innerHTMLBefore marking any security-sensitive task done:
npm audit clean or exceptions documentedSee references/security-checklist.md for the full checklist.