一键导入
security-best-practices
Security rules for all code in this repo. Use when handling any external input, env vars, auth, API routes, server actions, or dependencies.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Security rules for all code in this repo. Use when handling any external input, env vars, auth, API routes, server actions, or dependencies.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Clean code and structure standards for this repo. Use when writing or refactoring any TypeScript/React code — covers naming, file layout, typing, and testing discipline.
Self-review a change before declaring it finished. Use after implementing any feature or fix, before committing or reporting completion.
Understand the true intent behind a request before writing any code. Use at the start of every non-trivial task, especially vague ones ("make it better", "add a page", "fix the layout").
Next.js 16 App Router best practices for this repo. Use when creating routes, layouts, data fetching, metadata, or anything touching the Next.js framework surface.
UI/UX design standards for this stack (Tailwind v4 + shadcn/ui). Use whenever creating or modifying any page, component, layout, or style — the goal is professional, consistent UI with zero AI slop.
基于 SOC 职业分类
| name | security-best-practices |
| description | Security rules for all code in this repo. Use when handling any external input, env vars, auth, API routes, server actions, or dependencies. |
Every external input is hostile until validated. Every secret leaks unless proven otherwise. Apply these rules to all code — they are not optional hardening for "later."
zod is installed for exactly this. Validate — don't trust — all of:
route.ts) request bodies, params, and search paramslocalStorage, cookies, or URL statesrc/lib/env.ts if the app grows)const CreatePost = z.object({ title: z.string().min(1).max(200) });
const input = CreatePost.parse(await req.json()); // throws on bad input
.env.local (git-ignored). Committed template is .env.example.NEXT_PUBLIC_ prefix = shipped to every browser. Never prefix a secret with it.server-only package import to modules that must never reach the client.dangerouslySetInnerHTML with user-influenced content; if unavoidable,
sanitize with a maintained library first.next.config.ts — keep them when editing config.npm audit after
adding. Fewer dependencies is itself a security feature.httpOnly, secure, sameSite — always.