메뉴
Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Operates Breeze x402 payment-gated endpoints for balance checks, deposits, and withdrawals on Solana. Use when the user asks to manage Breeze positions or execute paid x402 API calls.
Crossmint provides custodial wallet-as-a-service, NFT minting, virtual debit cards, crypto-to-fiat payouts, and **transaction signing** on Solana. Perfect for AI agents managing DeFi operations without needing a local keypair.
Complete DFlow trading protocol SDK - the single source of truth for integrating DFlow on Solana. Covers spot trading, prediction markets, Swap API, Metadata API, WebSocket streaming, and all DFlow tools.
Complete Drift Protocol SDK for building perpetual futures, spot trading, and DeFi applications on Solana. Use when building trading bots, integrating Drift markets, managing positions, or working with vaults.
Solana vault management via GLAM Protocol. Triggers: glam, glam-cli, glam-sdk, vault create/manage, tokenized vault, share class, DeFi vault, treasury, asset management, access control, delegate permissions, Jupiter swap, Drift perpetuals/spot/vaults, Kamino lending/borrow/vaults/farms, staking (Marinade/native/SPL/Sanctum/LST), cross-chain USDC (CCTP), timelock, subscription/redemption, NAV pricing, token transfer. Supports CLI and TypeScript SDK.
Comprehensive guide for Helius - Solana's leading RPC and API infrastructure provider. Covers RPC nodes, DAS (Digital Asset Standard) API, Enhanced Transactions, Priority Fees, Webhooks, ZK Compression, LaserStream gRPC, and the Helius SDK for building high-performance Solana applications
| name | secure-code-guardian |
| description | Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention. |
| triggers | ["security","authentication","authorization","encryption","OWASP","vulnerability","secure coding","password","JWT","OAuth"] |
| role | specialist |
| scope | implementation |
| output-format | code |
Security-focused developer specializing in writing secure code and preventing vulnerabilities.
You are a senior security engineer with 10+ years of application security experience. You specialize in secure coding practices, OWASP Top 10 prevention, and implementing authentication/authorization. You think defensively and assume all input is malicious.
Load detailed guidance based on context:
| Topic | Reference | Load When |
|---|---|---|
| OWASP | references/owasp-prevention.md | OWASP Top 10 patterns |
| Authentication | references/authentication.md | Password hashing, JWT |
| Input Validation | references/input-validation.md | Zod, SQL injection |
| XSS/CSRF | references/xss-csrf.md | XSS prevention, CSRF |
| Headers | references/security-headers.md | Helmet, rate limiting |
When implementing security features, provide:
OWASP Top 10, bcrypt/argon2, JWT, OAuth 2.0, OIDC, CSP, CORS, rate limiting, input validation, output encoding, encryption (AES, RSA), TLS, security headers
import bcrypt from 'bcrypt';
const SALT_ROUNDS = 12;
async function hashPassword(password: string): Promise<string> {
return bcrypt.hash(password, SALT_ROUNDS);
}
async function verifyPassword(password: string, hash: string): Promise<boolean> {
return bcrypt.compare(password, hash);
}
// Password requirements
const PASSWORD_REGEX = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{12,}$/;
function validatePassword(password: string): { valid: boolean; errors: string[] } {
const errors: string[] = [];
if (password.length < 12) errors.push('Minimum 12 characters');
if (!/[a-z]/.test(password)) errors.push('Requires lowercase');
if (!/[A-Z]/.test(password)) errors.push('Requires uppercase');
if (!/\d/.test(password)) errors.push('Requires digit');
if (!/[@$!%*?&]/.test(password)) errors.push('Requires special character');
return { valid: errors.length === 0, errors };
}
import jwt from 'jsonwebtoken';
const JWT_SECRET = process.env.JWT_SECRET!;
const ACCESS_TOKEN_EXPIRY = '15m';
const REFRESH_TOKEN_EXPIRY = '7d';
interface TokenPayload {
sub: string;
type: 'access' | 'refresh';
}
function generateAccessToken(userId: string): string {
return jwt.sign(
{ sub: userId, type: 'access' },
JWT_SECRET,
{ expiresIn: ACCESS_TOKEN_EXPIRY }
);
}
function generateRefreshToken(userId: string): string {
return jwt.sign(
{ sub: userId, type: 'refresh' },
JWT_SECRET,
{ expiresIn: REFRESH_TOKEN_EXPIRY }
);
}
function verifyToken(token: string): TokenPayload {
return jwt.verify(token, JWT_SECRET) as TokenPayload;
}
function authMiddleware(req: Request, res: Response, next: NextFunction) {
const header = req.headers.authorization;
if (!header?.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Missing token' });
}
try {
const token = header.slice(7);
const payload = verifyToken(token);
if (payload.type !== 'access') {
return res.status(401).json({ error: 'Invalid token type' });
}
req.userId = payload.sub;
next();
} catch (error) {
if (error instanceof jwt.TokenExpiredError) {
return res.status(401).json({ error: 'Token expired' });
}
return res.status(401).json({ error: 'Invalid token' });
}
}
const MAX_ATTEMPTS = 5;
const LOCKOUT_DURATION = 15 * 60 * 1000; // 15 minutes
async function handleLoginAttempt(email: string, success: boolean) {
const key = `login:attempts:${email}`;
if (success) {
await redis.del(key);
return;
}
const attempts = await redis.incr(key);
await redis.expire(key, LOCKOUT_DURATION / 1000);
if (attempts >= MAX_ATTEMPTS) {
await redis.set(`login:locked:${email}`, '1', 'PX', LOCKOUT_DURATION);
throw new Error('Account locked. Try again later.');
}
}
| Practice | Implementation |
|---|---|
| Password hash | bcrypt (12+ rounds) |
| Token expiry | Access: 15m, Refresh: 7d |
| Lockout | 5 attempts, 15min lockout |
| MFA | TOTP (authenticator apps) |
| JWT Claim | Purpose |
|---|---|
sub | User ID |
exp | Expiration |
iat | Issued at |
type | access/refresh |
import { z } from 'zod';
const UserSchema = z.object({
email: z.string().email().max(255),
name: z.string().min(1).max(100).regex(/^[\w\s-]+$/),
age: z.number().int().min(0).max(150).optional(),
role: z.enum(['user', 'admin']).default('user'),
});
function validateUser(data: unknown) {
return UserSchema.parse(data); // Throws on invalid
}
// Safe parse (no throw)
const result = UserSchema.safeParse(data);
if (!result.success) {
console.error(result.error.issues);
}
// ❌ NEVER do this
const bad = `SELECT * FROM users WHERE id = ${userId}`;
const bad2 = `SELECT * FROM users WHERE name = '${name}'`;
// ✅ Parameterized queries
const good = await db.query(
'SELECT * FROM users WHERE id = $1 AND name = $2',
[userId, name]
);
// ✅ Use ORM
const user = await prisma.user.findFirst({
where: { id: userId, name: name }
});
// ✅ Query builder
const user = await knex('users')
.where({ id: userId, name: name })
.first();
import path from 'path';
// ❌ Vulnerable
const vulnerable = path.join('/uploads', userInput);
// ✅ Safe - validate and sanitize
function getSecurePath(baseDir: string, userInput: string): string {
// Remove any path traversal attempts
const sanitized = path.basename(userInput);
// Resolve and verify it's within base directory
const fullPath = path.resolve(baseDir, sanitized);
if (!fullPath.startsWith(path.resolve(baseDir))) {
throw new Error('Invalid path');
}
return fullPath;
}
import { execFile } from 'child_process';
// ❌ Never use exec with user input
exec(`convert ${userInput}`); // Vulnerable!
// ✅ Use execFile with arguments array
execFile('convert', ['-resize', '100x100', safeFilename], (error, stdout) => {
// ...
});
// ✅ Better: Use library functions instead of shell
import sharp from 'sharp';
await sharp(inputPath).resize(100, 100).toFile(outputPath);
function validateUrl(input: string, allowedHosts: string[]): URL {
const url = new URL(input);
// Check protocol
if (!['http:', 'https:'].includes(url.protocol)) {
throw new Error('Invalid protocol');
}
// Check host allowlist
if (!allowedHosts.includes(url.hostname)) {
throw new Error('Host not allowed');
}
return url;
}
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];
const MAX_SIZE = 5 * 1024 * 1024; // 5MB
function validateUpload(file: Express.Multer.File) {
if (!ALLOWED_TYPES.includes(file.mimetype)) {
throw new Error('Invalid file type');
}
if (file.size > MAX_SIZE) {
throw new Error('File too large');
}
// Verify magic bytes (not just extension)
const buffer = fs.readFileSync(file.path);
const type = fileType.fromBuffer(buffer);
if (!type || !ALLOWED_TYPES.includes(type.mime)) {
throw new Error('Invalid file content');
}
}
| Input Type | Validation |
|---|---|
| Regex + max length | |
| URL | Protocol + host allowlist |
| File path | basename + resolve check |
| SQL | Parameterized queries |
| Command | execFile + no shell |
| File upload | Type + size + magic bytes |
| # | Vulnerability | Prevention |
|---|---|---|
| 1 | Injection | Parameterized queries, ORMs |
| 2 | Broken Auth | Strong passwords, MFA, secure sessions |
| 3 | Sensitive Data | Encryption at rest/transit |
| 4 | XXE | Disable DTDs, use JSON |
| 5 | Broken Access | Deny by default, server-side validation |
| 6 | Misconfig | Security headers, disable defaults |
| 7 | XSS | Output encoding, CSP |
| 8 | Insecure Deserialization | Schema validation, allowlists |
| 9 | Known Vulnerabilities | Dependency scanning |
| 10 | Insufficient Logging | Log security events |
// SQL Injection - Use parameterized queries
// ❌ Bad
const bad = `SELECT * FROM users WHERE id = ${userId}`;
// ✅ Good
const good = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
// ✅ Good - Use ORM
const user = await prisma.user.findUnique({ where: { id: userId } });
// Command Injection - Avoid shell execution
// ❌ Bad
exec(`ls ${userInput}`);
// ✅ Good - Use library functions
const files = fs.readdirSync(safeDirectory);
// Use bcrypt for passwords
const hash = await bcrypt.hash(password, 12);
const isValid = await bcrypt.compare(password, hash);
// Implement account lockout
if (failedAttempts >= 5) {
await lockAccount(userId, 15 * 60 * 1000); // 15 min
}
// Use secure session configuration
app.use(session({
secret: process.env.SESSION_SECRET,
cookie: {
httpOnly: true,
secure: true,
sameSite: 'strict',
maxAge: 15 * 60 * 1000, // 15 minutes
},
}));
// Encrypt sensitive data at rest
import crypto from 'crypto';
function encrypt(text: string, key: Buffer): string {
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
// ... encryption logic
}
// Use HTTPS only
app.use((req, res, next) => {
if (!req.secure) {
return res.redirect(`https://${req.hostname}${req.url}`);
}
next();
});
// Always validate on server side
async function getResource(userId: string, resourceId: string) {
const resource = await db.resource.findUnique({ where: { id: resourceId } });
// Verify ownership
if (resource.ownerId !== userId) {
throw new ForbiddenError('Access denied');
}
return resource;
}
// Use role-based access
function requireRole(...roles: string[]) {
return (req: Request, res: Response, next: NextFunction) => {
if (!roles.includes(req.user.role)) {
return res.status(403).json({ error: 'Forbidden' });
}
next();
};
}
// Use Content Security Policy
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
},
}));
// Sanitize user input for HTML
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userInput);
| Attack | Defense |
|---|---|
| SQL Injection | Parameterized queries |
| XSS | Output encoding, CSP |
| CSRF | CSRF tokens |
| IDOR | Authorization checks |
| Command Injection | Avoid exec(), validate input |
import helmet from 'helmet';
app.use(helmet()); // Enable all defaults
// Or configure individually
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
},
},
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true,
},
}));
app.use((req, res, next) => {
// Prevent clickjacking
res.setHeader('X-Frame-Options', 'DENY');
// Prevent MIME sniffing
res.setHeader('X-Content-Type-Options', 'nosniff');
// HSTS (HTTPS only)
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
// Referrer policy
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
// Permissions policy
res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
next();
});
import rateLimit from 'express-rate-limit';
// General API rate limit
const apiLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100,
message: { error: 'Too many requests' },
standardHeaders: true,
legacyHeaders: false,
});
app.use('/api/', apiLimiter);
// Strict limit for auth endpoints
const authLimiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 5,
message: { error: 'Too many login attempts' },
skipSuccessfulRequests: true,
});
app.post('/api/login', authLimiter, loginHandler);
app.post('/api/register', authLimiter, registerHandler);
import cors from 'cors';
// Strict CORS
app.use(cors({
origin: ['https://example.com', 'https://app.example.com'],
methods: ['GET', 'POST', 'PUT', 'DELETE'],
allowedHeaders: ['Content-Type', 'Authorization'],
credentials: true,
maxAge: 86400, // Cache preflight for 24 hours
}));
// Dynamic origin validation
app.use(cors({
origin: (origin, callback) => {
const allowedOrigins = ['https://example.com'];
if (!origin || allowedOrigins.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
}));
res.cookie('session', token, {
httpOnly: true, // No JavaScript access
secure: true, // HTTPS only
sameSite: 'strict', // CSRF protection
maxAge: 900000, // 15 minutes
path: '/',
domain: '.example.com',
});
| Header | Value | Purpose |
|---|---|---|
| X-Frame-Options | DENY | Clickjacking |
| X-Content-Type-Options | nosniff | MIME sniffing |
| Strict-Transport-Security | max-age=31536000 | Force HTTPS |
| Content-Security-Policy | default-src 'self' | XSS |
| Referrer-Policy | strict-origin-when-cross-origin | Privacy |
| Cookie Flag | Purpose |
|---|---|
| httpOnly | No JS access |
| secure | HTTPS only |
| sameSite=strict | CSRF protection |
| maxAge | Expiration |
// React automatically escapes by default
function SafeComponent({ userInput }: { userInput: string }) {
return <div>{userInput}</div>; // Safe - auto-escaped
}
// If you must render HTML, sanitize first
import DOMPurify from 'dompurify';
function HtmlContent({ html }: { html: string }) {
return (
<div
dangerouslySetInnerHTML={{
__html: DOMPurify.sanitize(html)
}}
/>
);
}
import helmet from 'helmet';
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:", "https:"],
connectSrc: ["'self'", "https://api.example.com"],
fontSrc: ["'self'"],
objectSrc: ["'none'"],
frameSrc: ["'none'"],
upgradeInsecureRequests: [],
},
}));
import DOMPurify from 'dompurify';
// Sanitize HTML
const clean = DOMPurify.sanitize(dirty);
// Sanitize with config
const cleanStrict = DOMPurify.sanitize(dirty, {
ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a'],
ALLOWED_ATTR: ['href'],
});
// Strip all HTML
const textOnly = DOMPurify.sanitize(dirty, { ALLOWED_TAGS: [] });
import csrf from 'csurf';
const csrfProtection = csrf({ cookie: true });
// Add to forms
app.get('/form', csrfProtection, (req, res) => {
res.render('form', { csrfToken: req.csrfToken() });
});
// Validate on submission
app.post('/submit', csrfProtection, (req, res) => {
// Token validated automatically
});
// Set CSRF cookie
res.cookie('csrf', token, {
httpOnly: false, // Must be readable by JS
secure: true,
sameSite: 'strict',
});
// Client sends in header
fetch('/api/action', {
method: 'POST',
headers: {
'X-CSRF-Token': getCookie('csrf'),
},
});
// Server validates
if (req.cookies.csrf !== req.headers['x-csrf-token']) {
return res.status(403).json({ error: 'CSRF validation failed' });
}
// Modern CSRF protection
app.use(session({
cookie: {
httpOnly: true,
secure: true,
sameSite: 'strict', // Or 'lax' for GET requests
},
}));
// Security headers
app.use((req, res, next) => {
// Prevent clickjacking
res.setHeader('X-Frame-Options', 'DENY');
// Prevent MIME sniffing
res.setHeader('X-Content-Type-Options', 'nosniff');
// XSS filter (legacy)
res.setHeader('X-XSS-Protection', '1; mode=block');
// Referrer policy
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
next();
});
| Attack | Prevention |
|---|---|
| Reflected XSS | Output encoding |
| Stored XSS | Input sanitization + encoding |
| DOM XSS | Avoid innerHTML, use textContent |
| CSRF | Tokens + SameSite cookies |
| Header | Purpose |
|---|---|
| CSP | Script/resource restrictions |
| X-Frame-Options | Clickjacking |
| X-Content-Type-Options | MIME sniffing |
| SameSite | CSRF protection |