Menu
Application security covering input validation, auth, headers, secrets management, and dependency auditing
| name | security-hardening |
| description | Application security covering input validation, auth, headers, secrets management, and dependency auditing |
Validate all input at the boundary. Never trust client-side validation alone.
import { z } from 'zod';
const CreateUserSchema = z.object({
email: z.string().email().max(255),
name: z.string().min(1).max(100).regex(/^[a-zA-Z\s'-]+$/),
age: z.number().int().min(13).max(150),
});
function createUser(req: Request) {
const result = CreateUserSchema.safeParse(req.body);
if (!result.success) {
return { status: 400, errors: result.error.flatten().fieldErrors };
}
// result.data is typed and validated
}
Rules:
// Prevent XSS: encode output based on context
// HTML context: use framework auto-escaping (React does this by default)
// Never use dangerouslySetInnerHTML with user input
// URL context: encode parameters
const safeUrl = `/search?q=${encodeURIComponent(userInput)}`;
// JSON context: use JSON.stringify (handles escaping)
const safeJson = JSON.stringify({ query: userInput });
Never construct HTML strings with user input. Use templating engines with auto-escaping enabled.
# NEVER do this
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# Always use parameterized queries
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
// NEVER do this
db.query(`SELECT * FROM users WHERE email = '${email}'`);
// Always use parameterized queries
db.query("SELECT * FROM users WHERE email = $1", [email]);
Use an ORM or query builder. If writing raw SQL, always parameterize.
// Server: generate and validate CSRF tokens
import { randomBytes } from 'crypto';
function generateCsrfToken(): string {
return randomBytes(32).toString('hex');
}
// Middleware: validate on state-changing requests
function csrfMiddleware(req, res, next) {
if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)) {
const token = req.headers['x-csrf-token'] || req.body._csrf;
if (!timingSafeEqual(token, req.session.csrfToken)) {
return res.status(403).json({ error: 'Invalid CSRF token' });
}
}
next();
}
For APIs with token-based auth (Bearer tokens), CSRF is not needed since the token is not auto-sent by browsers.
Content-Security-Policy:
default-src 'self';
script-src 'self' 'nonce-{random}';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self';
connect-src 'self' https://api.example.com;
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
Start strict, relax as needed. Use nonce for inline scripts instead of unsafe-inline. Report violations with report-uri directive. Test with Content-Security-Policy-Report-Only first.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Set these on every response. Use helmet (Node.js) or equivalent middleware.
// Per-user, per-endpoint rate limiting
const rateLimits = {
'POST /auth/login': { window: '15m', max: 5 },
'POST /auth/register': { window: '1h', max: 3 },
'POST /api/*': { window: '1m', max: 60 },
'GET /api/*': { window: '1m', max: 120 },
};
Use sliding window algorithm. Store counters in Redis. Return 429 with Retry-After header. Apply stricter limits to authentication endpoints.
iss, aud, exp, and nbf claims on every request// Verify JWT with all checks
const payload = jwt.verify(token, publicKey, {
algorithms: ['RS256'],
issuer: 'auth.example.com',
audience: 'api.example.com',
clockTolerance: 30,
});
.gitignore for .env)trufflehog, gitleaks, git-secrets# Check for secrets in git history
gitleaks detect --source . --verbose
# Pre-commit hook to prevent secret commits
gitleaks protect --staged
# Node.js
npm audit --production
npx better-npm-audit audit --level=high
# Python
pip-audit
safety check
# Go
govulncheck ./...
Run dependency audits in CI on every PR. Block merges on critical/high vulnerabilities. Pin dependency versions. Update dependencies weekly with automated PRs (Dependabot, Renovate).
Route broad or ambiguous AgentKit SEO work to the right module while keeping context scoped. Use when a request spans multiple surfaces, asks for overall digital-presence strategy, involves provider or install architecture, needs agent-context planning, or the correct platform skill is unclear.
Persistent memory system for Claude Code. Two-layer architecture (hot cache + knowledge wiki), safety hooks, /close-day end-of-day synthesis. Zero external dependencies.
Claude-native deep research using DAG-based query planning, parallel subagent execution, and gap-driven iteration. No external API needed.
Web accessibility patterns for WCAG 2.2 compliance including ARIA, keyboard navigation, screen readers, and testing
Authentication and authorization patterns including OAuth2, JWT, RBAC, session management, and PKCE flows
AWS cloud patterns for Lambda, ECS, S3, DynamoDB, and Infrastructure as Code with CDK/Terraform