typescript-security
Validate input, secure auth tokens, and prevent injection attacks in TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration.
| field | value |
| --- | --- |
| name | typescript-security |
| description | Validate input, secure auth tokens, and prevent injection attacks in TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration. |
| metadata | {"triggers":{"files":["**/*.ts","**/*.tsx"],"keywords":["validate","sanitize","xss","injection","auth","password","secret","token"]}} |
- Use Zod, Joi, or class-validator at the API boundary. Always parse and validate user-controlled input before using it. Use `safeParse` for error handling without throwing. Return 400 with structured errors on failure.

See references/REFERENCE.md for Zod validation schemas, secure cookie setup, and JWT auth patterns.
- Use DOMPurify for HTML sanitization to prevent Cross-Site Scripting (XSS).
- Use parameterized queries (e.g., `pool.query('... WHERE id = $1', [id])`) or type-safe ORMs (Prisma/TypeORM). Use `Prisma.sql` for raw queries.
- Sanitize user-controlled input before using it in file paths or OS commands (Command Injection).
- Use Argon2id for password hashing. Implement JWT (via `jsonwebtoken` or `jose`) with HttpOnly and Secure cookies. Use RS256 for public/private key pairs and implement Refresh Token rotation.
- Store secrets in `.env` (e.g., `JWT_SECRET`) or Secret Managers. NEVER commit them to Git.
- Configure CORS with Strict Origin Whitelisting. Avoid `origin: '*'`.
- Use `crypto` (Node.js) or the Web Crypto API for sensitive data. Avoid legacy algorithms like MD5/SHA1.
- After typing validation schemas (Zod/joi) or auth guards, call `getDiagnostics` (typescript-lsp) to confirm type narrowing is correct before finalizing.
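The parameterized-query rule above, as an added example written for this page rather than taken from Prisma, node-postgres or the skill's references. It shows why a tagged template such as `Prisma.sql` is safe: the SQL text is assembled only from the template's static parts, and every interpolated value becomes a `$n` placeholder in a separate `values` array, the shape `pool.query(text, values)` consumes. The `sql`, `joinSql` and `findUsers` names, and the `users` table, are assumptions for the example.

```typescript
// Added example (not Prisma's or pg's code): a tagged template producing { text, values }.

const SQL = Symbol('sql');

type SqlQuery = { [SQL]: true; text: string; values: unknown[] };

// Fragments are recognised by a private symbol, not by shape: an untrusted object that
// happens to carry `text` and `values` keys must still be treated as a plain bound value.
function isSqlQuery(v: unknown): v is SqlQuery {
  return typeof v === 'object' && v !== null && (v as { [SQL]?: unknown })[SQL] === true;
}

// Shift $1..$n in an existing fragment so it can be appended after `offset` bound values.
function renumber(text: string, offset: number): string {
  return text.replace(/\$(\d+)/g, (_, n) => `$${Number(n) + offset}`);
}

function sql(strings: TemplateStringsArray, ...values: unknown[]): SqlQuery {
  let text = strings[0];
  const bound: unknown[] = [];
  values.forEach((value, i) => {
    if (isSqlQuery(value)) {
      // Nested fragment: splice its text in and carry its parameters across.
      text += renumber(value.text, bound.length);
      bound.push(...value.values);
    } else {
      // Plain value: never touches `text`, only the parameter list.
      bound.push(value);
      text += `$${bound.length}`;
    }
    text += strings[i + 1];
  });
  return { [SQL]: true, text, values: bound };
}

// Join fragments with a separator, renumbering placeholders as they are concatenated.
function joinSql(parts: SqlQuery[], separator: string): SqlQuery {
  return parts.reduce<SqlQuery>(
    (acc, part, i) => ({
      [SQL]: true,
      text: acc.text + (i > 0 ? separator : '') + renumber(part.text, acc.values.length),
      values: [...acc.values, ...part.values],
    }),
    { [SQL]: true, text: '', values: [] },
  );
}

// A filtered query built from optional user-supplied criteria (hypothetical `users` table).
// Whatever the strings contain (quotes, comments, semicolons), `text` is the same for
// every input; only `values` changes.
function findUsers(filters: { name?: string; minAge?: number }): SqlQuery {
  const clauses: SqlQuery[] = [];
  if (filters.name !== undefined) clauses.push(sql`name = ${filters.name}`);
  if (filters.minAge !== undefined) clauses.push(sql`age >= ${filters.minAge}`);
  const where = clauses.length > 0 ? sql`WHERE ${joinSql(clauses, ' AND ')}` : sql``;
  return sql`SELECT id, name FROM users ${where}`;
}

// Handing the result to a driver is then: pool.query(q.text, q.values)
```

The symbol brand matters more than it looks: a shape-based check (`'text' in value`) would let an attacker-controlled JSON object be spliced into the statement as if it were a trusted fragment.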
- Never use `eval`, the `Function` constructor, or string literals as timer callbacks: all execute runtime code and bypass TypeScript's type system.
- Never call ``execSync(`cmd ${userInput}`)`` or interpolate environment variables / config values into `execSync`/`spawnSync` strings. Shell metacharacters cause **command injection (OWASP A03)**. Use `execFileSync('git', ['arg1', arg2])` with a static command + separate args array instead.
- When a URL comes from environment variables or config (e.g., `FEEDBACK_API_URL`), validate it against an allowed-origin allowlist before calling `fetch()` / axios.

See references/REFERENCE.md for Zod validation, secure cookie setup, JWT auth, security headers, and RBAC patterns.
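The two rules above about untrusted values reaching a process or network sink (a static command with a separate args array, and an origin allowlist for a config-supplied URL), as an added example that is not part of the skill's references. The `gitLogArgv`, `runGitLog` and `resolveAllowedUrl` functions, the `SAFE_REF` pattern and the `ALLOWED_API_ORIGINS` set are assumptions for this example; `FEEDBACK_API_URL` is the config key the skill itself names.

```typescript
// Added example (hypothetical helpers, not the skill's own code).
import { execFileSync } from 'node:child_process';

// A ref is accepted only if it matches a plain-name grammar and does not start with '-'.
// execFileSync passes no shell, so metacharacters are inert, but an argument beginning
// with '-' would still be read by git as an option rather than as a ref.
const SAFE_REF = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,127}$/;

function gitLogArgv(ref: string): { file: string; args: string[] } {
  if (!SAFE_REF.test(ref)) throw new Error(`refusing unsafe ref: ${JSON.stringify(ref)}`);
  // Static command, argument array; the trailing '--' tells git that `ref` is a revision,
  // not a path, so the meaning of the argv cannot shift with its content.
  return { file: 'git', args: ['log', '--oneline', '-n', '5', ref, '--'] };
}

function runGitLog(ref: string): string {
  const { file, args } = gitLogArgv(ref);
  // The ref is exactly one argv entry and is never re-parsed by a shell.
  return execFileSync(file, args, { encoding: 'utf8', timeout: 5_000 });
}

// Allowed outbound origins: scheme + host + port, compared exactly.
const ALLOWED_API_ORIGINS = new Set(['https://feedback.example.com', 'https://api.example.com']);

// Resolve a URL that came from config (for example process.env.FEEDBACK_API_URL).
// Comparing `origin` after parsing, rather than a string prefix, rejects look-alike hosts
// ('https://api.example.com.other.example'), userinfo tricks ('https://api.example.com@other.example')
// and scheme downgrades ('http://api.example.com').
function resolveAllowedUrl(candidate: string | undefined, allowed: Set<string> = ALLOWED_API_ORIGINS): URL {
  if (!candidate) throw new Error('FEEDBACK_API_URL is not set');
  let url: URL;
  try {
    url = new URL(candidate);
  } catch {
    throw new Error('FEEDBACK_API_URL is not a valid absolute URL');
  }
  if (!allowed.has(url.origin)) throw new Error(`origin ${url.origin} is not in the allowlist`);
  return url;
}

// Callers pass the returned URL to fetch() / axios; nothing downstream sees the raw config string.
```

`runGitLog` is the only function that spawns a process; the argv construction is kept separate in `gitLogArgv` so the validation and the exact argument layout can be unit-tested without running git.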