一键在 Manus 中运行任何 Skill

security-practices

Security patterns and best practices. Use for any security-related work - input validation, authentication, authorization, secrets management, Docker security. Contains learned security preferences and requirements.

在 Manus 中运行

概览

安装命令

npx skills add https://github.com/jerryagenyi/my-ai-toolkit --skill security-practices

复制此命令并粘贴到 Claude Code 中以安装该技能

来源

jerryagenyi/my-ai-toolkit

星标0

分支0

更新时间2026年1月6日 20:27

SKILL.md

readonly

name	Security Practices
description	Security patterns and best practices. Use for any security-related work - input validation, authentication, authorization, secrets management, Docker security. Contains learned security preferences and requirements.

Security Practices

Security patterns and best practices. Updated by the Reflect skill.

Last Updated

2025-01-28

Input Validation

General Rules

NEVER trust user input
Validate on both client AND server
Sanitize output to prevent XSS
Use parameterized queries to prevent SQL injection

Laravel Validation

// Use Form Request classes
class StoreUserRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            'email' => 'required|email|unique:users',
            'password' => 'required|min:8|confirmed',
        ];
    }
}

TypeScript Validation

// Use zod or similar for runtime validation
import { z } from 'zod'

const userSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
})

Authentication

Laravel

// Always check authentication
public function __construct()
{
    $this->middleware('auth');
}

// Use Gates/Policies for authorization
Gate::authorize('update', $user);

Next.js

// Middleware for route protection
export async function middleware(request: NextRequest) {
  const token = request.cookies.get('token')
  if (!token) return NextResponse.redirect('/login')
}

Secrets Management

Rules

Never commit secrets to Git
Use environment variables: ${SECRET_NAME}
Add .env files to .gitignore

Laravel

// Use env() with default values
$apiKey = env('API_KEY', 'default-value');

// Never use env() in production config (use config:cache)
config('services.api.key')

Next.js

// Server-side: use process.env
const apiKey = process.env.API_KEY

// Client-side: use NEXT_PUBLIC_ prefix
const publicUrl = process.env.NEXT_PUBLIC_API_URL

Docker Security

Mandatory Requirements

Non-Root Users
```
user: "1000:1000"  # Run as non-root
```

Security Options

security_opt:
  - no-new-privileges:true

No Hardcoded Secrets

environment:
  - DB_PASSWORD=${DB_PASSWORD}  # From .env

Resource Limits

deploy:
  resources:
    limits:
      cpus: '2'
      memory: 1G

Security Scanning

Trivy (Recommended):

# Scan image
trivy image <image-name>

# Scan with severity filter
trivy image --severity HIGH,CRITICAL <image-name>

Docker Scout:

docker scout cves <image-name>

Common Vulnerabilities

SQL Injection

// ❌ BAD
DB::select("SELECT * FROM users WHERE id = $id");

// ✅ GOOD
DB::select('SELECT * FROM users WHERE id = ?', [$id]);
// Or
User::where('id', $id)->first();

XSS

<!-- ❌ BAD -->
<div v-html="userInput"></div>

<!-- ✅ GOOD -->
<div>{{ userInput }}</div>

CSRF

// Laravel: CSRF token is automatic in forms
@csrf

// Or include in AJAX headers
<meta name="csrf-token" content="{{ csrf_token() }}">

Learned Patterns

This section grows as the Reflect skill learns from sessions

Session 2025-01-28

Learned: Always validate on server, never trust client validation
Learned: Use prepared statements, never concatenate SQL
Learned: Sanitize all user input before display

同仓库更多 Skills

同仓库

api-design

jerryagenyi/my-ai-toolkit

API design patterns and REST conventions. Use for any API work - endpoint design, response formats, error handling, pagination, status codes. Contains learned preferences for Laravel and Next.js API patterns.

2026-01-060

code-style

jerryagenyi/my-ai-toolkit

Coding conventions and style preferences. Use for any code generation - TypeScript, JavaScript, PHP, naming conventions, async patterns, testing patterns. Contains learned preferences for Laravel/PHP and Vue/Next.js/TypeScript.

2026-01-060

reflect

jerryagenyi/my-ai-toolkit

Analyze the conversation for corrections, approvals, and patterns. Update project skills with learned preferences. Use this when the user says "reflect" or after sessions with explicit feedback/corrections. Automatically extracts learning signals and updates skill files.

2026-01-060

ui-conventions

jerryagenyi/my-ai-toolkit

UI/UX patterns and conventions for this project. Use for any frontend work - components, layouts, styling, notifications, forms. Contains learned preferences for Quasar/Vue or Next.js/React patterns.

2026-01-060

来源

jerryagenyi

jerryagenyi/my-ai-toolkit

打开 GitHub 仓库查看创作者相关仓库

安装命令

下载

在 Manus 中运行

适用职业SOC

信息安全分析师计算机与数学类职业15-1212L4

name	Security Practices
description	Security patterns and best practices. Use for any security-related work - input validation, authentication, authorization, secrets management, Docker security. Contains learned security preferences and requirements.

Security Practices

Security patterns and best practices. Updated by the Reflect skill.

Last Updated

2025-01-28

Input Validation

General Rules

NEVER trust user input
Validate on both client AND server
Sanitize output to prevent XSS
Use parameterized queries to prevent SQL injection

Laravel Validation

// Use Form Request classes
class StoreUserRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            'email' => 'required|email|unique:users',
            'password' => 'required|min:8|confirmed',
        ];
    }
}

TypeScript Validation

// Use zod or similar for runtime validation
import { z } from 'zod'

const userSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
})

Authentication

Laravel

// Always check authentication
public function __construct()
{
    $this->middleware('auth');
}

// Use Gates/Policies for authorization
Gate::authorize('update', $user);

Next.js

// Middleware for route protection
export async function middleware(request: NextRequest) {
  const token = request.cookies.get('token')
  if (!token) return NextResponse.redirect('/login')
}

Secrets Management

Rules

Never commit secrets to Git
Use environment variables: ${SECRET_NAME}
Add .env files to .gitignore

Laravel

// Use env() with default values
$apiKey = env('API_KEY', 'default-value');

// Never use env() in production config (use config:cache)
config('services.api.key')

Next.js

// Server-side: use process.env
const apiKey = process.env.API_KEY

// Client-side: use NEXT_PUBLIC_ prefix
const publicUrl = process.env.NEXT_PUBLIC_API_URL

Docker Security

Mandatory Requirements

Non-Root Users
```
user: "1000:1000"  # Run as non-root
```

Security Options

security_opt:
  - no-new-privileges:true

No Hardcoded Secrets

environment:
  - DB_PASSWORD=${DB_PASSWORD}  # From .env

Resource Limits

deploy:
  resources:
    limits:
      cpus: '2'
      memory: 1G

Security Scanning

Trivy (Recommended):

# Scan image
trivy image <image-name>

# Scan with severity filter
trivy image --severity HIGH,CRITICAL <image-name>

Docker Scout:

docker scout cves <image-name>

Common Vulnerabilities

SQL Injection

// ❌ BAD
DB::select("SELECT * FROM users WHERE id = $id");

// ✅ GOOD
DB::select('SELECT * FROM users WHERE id = ?', [$id]);
// Or
User::where('id', $id)->first();

XSS

<!-- ❌ BAD -->
<div v-html="userInput"></div>

<!-- ✅ GOOD -->
<div>{{ userInput }}</div>

CSRF

// Laravel: CSRF token is automatic in forms
@csrf

// Or include in AJAX headers
<meta name="csrf-token" content="{{ csrf_token() }}">

Learned Patterns

This section grows as the Reflect skill learns from sessions

Session 2025-01-28

Learned: Always validate on server, never trust client validation
Learned: Use prepared statements, never concatenate SQL
Learned: Sanitize all user input before display