一键导入
security
Project-wide security rules for handling untrusted input, secrets, and database access.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Project-wide security rules for handling untrusted input, secrets, and database access.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Pull request review checklist for the team.
Python code style, typing, and project conventions.
Database safety rules for the data-access layer.
Testing conventions for the project — pytest, fixtures, integration vs unit.
基于 SOC 职业分类
| name | security |
| description | Project-wide security rules for handling untrusted input, secrets, and database access. |
Always use parameterized queries for every database access. Never concatenate user-provided strings into SQL statements directly. This includes dynamic WHERE clauses, ORDER BY clauses, and table names.
Validate and sanitize all user-provided data at the system boundary before it enters business logic. Reject inputs that do not match the expected shape, range, or type. Prefer allowlists over denylists for structured validation rules wherever possible.
Secrets must never be committed to the repository under any circumstance. Use environment variables, a secrets manager, or a vault. Rotate any leaked credentials immediately and audit access logs after any disclosure event.
Never log secrets, personally identifiable information, or full request or response bodies. Scrub sensitive fields at the logging boundary using a structured logger. Use structured logging consistently across all services.
Use well-audited authentication libraries; do not roll your own crypto. Rotate signing keys on a regular schedule. Expire idle sessions after a reasonable inactivity timeout.
Treat any data that crossed a network or process boundary as untrusted until proven otherwise. Apply the same scrutiny to data from other internal services as you would to data from the public internet. The threat model assumes lateral movement; act accordingly across every service-to-service hop in the system.