一键导入
security-practices
Security practices for enterprise applications. Spring Security, parameterized queries, input validation, secret management, OWASP Top 10.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Security practices for enterprise applications. Spring Security, parameterized queries, input validation, secret management, OWASP Top 10.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Planning Mode skill for guided execution of large tasks. Provides structured task decomposition, user confirmation, per-task verification, retry logic, and quality summary.
Git 工作流 — 版本控制、提交规范、分支管理、.gitignore 治理
Structured bug diagnosis and repair workflow using the 5-Whys root cause analysis method. Ensures fixes include tests, documentation, and knowledge capture.
Generates structured documents including architecture diagrams (Mermaid), usage manuals, progress reports, and API documentation from code analysis.
Extracts reusable patterns and lessons from execution history and project experience. Generates structured knowledge entries for the knowledge base.
Evaluates project progress by analyzing workspace structure, code completeness, and comparing against planned milestones. Outputs structured progress reports.
| name | security-practices |
| description | Security practices for enterprise applications. Spring Security, parameterized queries, input validation, secret management, OWASP Top 10. |
| trigger | when working with authentication, authorization, input validation, or security configuration |
| tags | ["security","spring-security","owasp","authentication","authorization"] |
| version | 2.0 |
| scope | platform |
| category | foundation |
@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain = http
.csrf { it.disable() } // disable for API-only services
.sessionManagement { it.sessionCreationPolicy(SessionCreationPolicy.STATELESS) }
.authorizeHttpRequests {
it.requestMatchers("/actuator/health/**").permitAll()
it.requestMatchers("/api/v1/**").authenticated()
it.anyRequest().denyAll()
}
.oauth2ResourceServer { it.jwt { } }
.build()
}
// GOOD — parameterized
@Query("SELECT o FROM Order o WHERE o.customerId = :customerId")
fun findByCustomerId(@Param("customerId") customerId: String): List<Order>
// NEVER — string concatenation (SQL injection!)
"SELECT * FROM orders WHERE customer_id = '$customerId'" // FATAL SECURITY BUG
data class CreateOrderRequest(
@field:NotBlank val customerId: String,
@field:NotEmpty val items: List<@Valid OrderItemRequest>,
@field:Size(max = 500) val notes: String? = null
)
@PostMapping("/orders")
fun createOrder(@Valid @RequestBody request: CreateOrderRequest): ResponseEntity<Order> { ... }
${DB_PASSWORD}, ${API_KEY}@ConfigurationProperties to bind env vars.gitignore all .env, *.key, *.pem, credentials.json files