// Apply security best practices when writing, reviewing, or discussing code. Covers authentication, injection prevention, API security, input validation, infrastructure, and AI/LLM security for Python, Go, JS/TS, React, PHP, Node.js.
| name | application-security |
| description | Apply security best practices when writing, reviewing, or discussing code. Covers authentication, injection prevention, API security, input validation, infrastructure, and AI/LLM security for Python, Go, JS/TS, React, PHP, Node.js. |
This skill provides comprehensive security guidance for application development, synthesized from OWASP security cheat sheets covering 78 security topics.
Activate this skill when:
// SECURITY: or # SECURITY: comments to explain why specific patterns are usedeval() or dynamic code execution with user inputdangerouslySetInnerHTML (React) or equivalent without sanitizationWhen generating code, add inline comments like:
# SECURITY: Using parameterized query to prevent SQL injection
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
// SECURITY: Escaping HTML to prevent XSS
const safeContent = DOMPurify.sanitize(userInput);
// SECURITY: Using filepath.Clean to prevent path traversal
cleanPath := filepath.Clean(userInput)
After generating significant code, provide:
## Security Checklist
- [ ] Input validation implemented
- [ ] Output encoding applied
- [ ] Authentication/authorization checked
- [ ] Sensitive data protected
- [ ] Error handling doesn't leak info
- [ ] Logging implemented (no sensitive data)
For detailed patterns and examples, see:
resources/authentication.md - Auth flows, passwords, MFA, sessions, authorization, OAuth2resources/injection-prevention.md - SQL injection, XSS, CSRF, command injection, clickjackingresources/api-security.md - REST, GraphQL, gRPC, WebSocket, microservices securityresources/input-validation.md - File uploads, deserialization, SSRF, XXE preventionresources/infrastructure.md - Docker, Kubernetes, cloud, CI/CD, supply chain securityresources/ai-llm-security.md - Prompt injection, AI agent security, model opsresources/cryptography-secrets.md - Encryption, TLS, HTTP headers, secrets managementresources/secure-development.md - Code review, threat modeling, logging, error handlingresources/framework-specific.md - Node.js, Django, Laravel, Rails, PHP securityScores a Razorpay service repo against the Agentic SDLC Scorecard across three pillars — Context (C1–C4), Testing (T1–T4), CI/CD (D1–D4) — and outputs a band per pillar plus an aggregate score. Use when assessing how agent-ready a service is or tracking progress across teams.
Analyze alert coverage for Razorpay services by discovering multi-source monitoring (Prometheus, CloudWatch RDS, Performance Insights, Coralogix logs), scanning application metrics, and identifying missing business-critical metrics. Leverages repo skill Observability/Monitoring sections (when available) and verifies existing coverage with user before recommendations. Use when the user asks to analyze alert coverage, check for missing alerts, audit monitoring completeness, add metrics and alerts for a service, or improve observability. Only works with Razorpay repositories.
Analyzes API endpoints in Go codebases and generates comprehensive flow visualizations (both Mermaid charts and ASCII diagrams) showing the complete request execution path, including handlers, middleware, services, database queries, external HTTP APIs, cache operations, message queues, and all other components. Use when the user asks to visualize an API endpoint, see the flow of an API, understand how an API works, trace an API request, or map out API dependencies. Triggers on requests like "show me the flow for POST /users/create", "visualize the /orders endpoint", "trace the API call for account creation", or "map out what services are used by this endpoint".
Use when creating, updating, or reviewing baseline Prometheus alert rules for a Razorpay microservice. Triggered by requests like 'add baseline alerts for X service', 'set up monitoring alerts', 'create baseline alerting for my service'.
Index of baseline metric families for Razorpay services. Use it to determine which standard metrics must exist for HTTP, gRPC, workers, egress, outbox, Go runtime, and relevant infra components.
Generates ready-to-run cURL commands from any codebase (Go, Laravel, Express, Fastify, or other frameworks). Scans route definitions to auto-generate commands, or builds them from user-described endpoints. Includes proper headers, authentication, request bodies with realistic sample data, and environment support (devstack/prod). Use when users ask to "generate curl", "create curl commands", "curl examples for this API", "test this endpoint", or "generate API commands".
