// App security: OWASP, authN/authZ, input validation, secrets, TLS, CSRF/XSS/SQLi, JWT, CSP. Triggers: security, OWASP, auth, JWT, CSRF, XSS, SQL injection, secrets, TLS, CSP, CORS.
[HINT] Download the complete skill directory including SKILL.md and all related files
| name | security-patterns |
| description | App security: OWASP, authN/authZ, input validation, secrets, TLS, CSRF/XSS/SQLi, JWT, CSP. Triggers: security, OWASP, auth, JWT, CSRF, XSS, SQL injection, secrets, TLS, CSP, CORS. |
| effort | medium |
| user-invocable | false |
| allowed-tools | Read |
| Risk | Prevention |
|---|---|
| Injection | Parameterized queries, ORM |
| Broken Auth | MFA, secure sessions |
| Sensitive Data | Encryption, HTTPS |
| XXE | Disable external entities |
| Broken Access | RBAC, resource validation |
| Security Misconfig | Security headers, defaults |
| XSS | Escaping, CSP |
| Insecure Deserialization | Signed tokens, validation |
| Vulnerable Components | Dependency scanning |
| Insufficient Logging | Audit logs, monitoring |
# FastAPI middleware
@app.middleware("http")
async def security_headers(request, call_next):
response = await call_next(request)
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["X-Frame-Options"] = "DENY"
response.headers["X-XSS-Protection"] = "1; mode=block"
response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
response.headers["Content-Security-Policy"] = "default-src 'self'"
return response
# .env (never commit)
DATABASE_URL=postgresql://...
API_SECRET=...
# .env.example (commit this)
DATABASE_URL=postgresql://user:pass@localhost/db
API_SECRET=your-secret-here
# pre-commit hook
- repo: https://github.com/Yelp/detect-secrets
hooks:
- id: detect-secrets
from slowapi import Limiter
from slowapi.util import get_remote_address
limiter = Limiter(key_func=get_remote_address)
@app.get("/api/resource")
@limiter.limit("100/minute")
async def resource():
pass
| Excuse | Why It's Wrong |
|---|---|
| "It's an internal API, security doesn't matter" | Internal APIs get exposed — lateral movement is attackers' primary technique |
| "The framework handles security" | Frameworks provide tools, not guarantees — misconfiguration is OWASP #5 |
| "We'll add auth later" | Unauthenticated endpoints in production get discovered within hours |
| "Nobody would exploit this" | Automated scanners don't care about your threat model — they scan everything |
| "It's behind a VPN" | VPNs are perimeter defense — zero trust assumes breach already happened |
For authentication patterns (JWT, passwords, token strategy), see reference/authentication.md.
For authorization patterns (RBAC, ABAC), see reference/authorization.md.
For input validation patterns (SQL injection, XSS, Pydantic), see reference/input-validation.md.
For OAuth2 flows, CSRF protection, and audit logging, see reference/oauth-csrf-audit.md.
none algorithm are valid-looking tokens with no signature. Libraries that trust the alg header field accept them — always validate alg against an allowlist, never use the token's own declaration.bcrypt has a 72-byte password length cap; longer passwords are silently truncated, making "UniqueLongPassword..." collide with "UniqueLong...". Pre-hash with SHA-256 before bcrypt for >72 char passwords.SameSite=Lax cookies are sent on top-level navigations (including POST from a malicious site) in some browsers. CSRF protection requires either SameSite=Strict or explicit CSRF tokens; relying on Lax alone is insufficient for state-changing endpoints.Content-Security-Policy with unsafe-inline allows any inline script to run — negating most of CSP's value. Remove unsafe-inline and refactor to external scripts, even if it means extra files.printenv in debug endpoints, /proc/<pid>/environ on Linux, and process listings. Prefer mounting secrets as files (Docker secrets, Kubernetes secrets) for defense in depth./cve-scan/hipaa-validatesecurity-architect agentsecurity-auditor agent/content-moderation-patterns