travisjneuman

application-security

OWASP Top 10 with code examples, SAST/DAST tools, dependency scanning, CSP headers, and input validation patterns. Use when hardening applications, reviewing security posture, or implementing defensive coding practices.

travisjneuman 59 13 Updated 3mo ago
GitHub

Install

npx skillscat add travisjneuman/claude/application-security

Install via the SkillsCat registry.

SKILL.md

Application Security Skill

Secure coding patterns, vulnerability prevention, and security tooling for web applications.

OWASP Top 10 (2021) with Code Examples

A01: Broken Access Control

// BAD - No authorization check
app.get('/api/users/:id', async (req, res) => {
  const user = await db.user.findUnique({ where: { id: req.params.id } });
  res.json(user);
});

// GOOD - Verify ownership or role
app.get('/api/users/:id', authenticate, async (req, res) => {
  if (req.user.id !== req.params.id && req.user.role !== 'ADMIN') {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = await db.user.findUnique({ where: { id: req.params.id } });
  res.json(user);
});

A02: Cryptographic Failures

// BAD - Weak hashing
import crypto from 'crypto';
const hash = crypto.createHash('md5').update(password).digest('hex');

// GOOD - Use bcrypt with proper rounds
import bcrypt from 'bcrypt';
const hash = await bcrypt.hash(password, 12);
const isValid = await bcrypt.compare(password, hash);

A03: Injection

// BAD - SQL injection
const query = `SELECT * FROM users WHERE email = '${email}'`;

// GOOD - Parameterized queries (Prisma handles this automatically)
const user = await prisma.user.findUnique({ where: { email } });

// GOOD - Parameterized raw SQL when needed
const users = await prisma.$queryRaw`SELECT * FROM users WHERE email = ${email}`;

A07: Cross-Site Scripting (XSS)

// BAD - Rendering raw HTML
element.innerHTML = userInput;

// GOOD - Use textContent or framework escaping
element.textContent = userInput;

// GOOD - React auto-escapes by default
return <div>{userInput}</div>;

// BAD in React - dangerouslySetInnerHTML
return <div dangerouslySetInnerHTML={{ __html: userInput }} />;

Content Security Policy (CSP)

Recommended Headers

// Next.js middleware
import { NextResponse } from 'next/server';

export function middleware(request: Request) {
  const nonce = crypto.randomUUID();
  const csp = [
    `default-src 'self'`,
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'unsafe-inline'`,
    `img-src 'self' data: https:`,
    `font-src 'self'`,
    `connect-src 'self' https://api.example.com`,
    `frame-ancestors 'none'`,
    `base-uri 'self'`,
    `form-action 'self'`,
  ].join('; ');

  const response = NextResponse.next();
  response.headers.set('Content-Security-Policy', csp);
  response.headers.set('X-Content-Type-Options', 'nosniff');
  response.headers.set('X-Frame-Options', 'DENY');
  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
  response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
  return response;
}

SAST/DAST Tooling

Static Analysis (SAST)

Tool Language Usage
ESLint security plugins JS/TS eslint-plugin-security, @microsoft/eslint-plugin-sdl
Semgrep Multi semgrep --config=auto .
Bandit Python bandit -r src/
gosec Go gosec ./...
cargo-audit Rust cargo audit

Dynamic Analysis (DAST)

Tool Purpose Usage
OWASP ZAP Web app scanning Proxy-based scanner, API scan mode
Nuclei Vulnerability scanning Template-based scanner
Burp Suite Manual + automated Professional penetration testing

Dependency Scanning

# Node.js
npm audit
npm audit fix

# Python
pip-audit
safety check

# Go
govulncheck ./...

# Rust
cargo audit

Input Validation Patterns

Server-Side Validation (Always Required)

import { z } from 'zod';

const CreateUserSchema = z.object({
  email: z.string().email().max(255),
  name: z.string().min(1).max(100).regex(/^[a-zA-Z\s'-]+$/),
  age: z.number().int().min(0).max(150).optional(),
});

function createUser(input: unknown) {
  const validated = CreateUserSchema.parse(input);
  // validated is now typed and safe
}

Rate Limiting

import rateLimit from 'express-rate-limit';

const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // 5 attempts per window
  message: 'Too many login attempts, please try again later',
  standardHeaders: true,
  legacyHeaders: false,
});

app.use('/api/auth/login', authLimiter);

Security Checklist

  • All user input validated server-side
  • Parameterized queries for all database operations
  • CSP headers configured
  • Rate limiting on auth endpoints
  • CORS properly restricted
  • Secrets in environment variables, not code
  • Dependencies scanned for vulnerabilities
  • Authentication tokens in httpOnly cookies
  • HTTPS enforced in production
  • Error messages don't leak internal details

Related Resources

  • ~/.claude/rules/checklists/security-hardening.md - Security hardening checklist
  • ~/.claude/agents/security-auditor.md - Security audit agent
  • ~/.claude/skills/authentication-patterns/SKILL.md - Auth patterns

Secure by default. Validate at boundaries. Defense in depth.

Categories

Code Review Security Types
GitHub

Install

npx skillscat add travisjneuman/claude/application-security

Install via the SkillsCat registry.

Recommended Skills

melodic-software
audit-skills by melodic-software
76 3mo ago
cisco-ai-defense
config-analyzer by cisco-ai-defense
2.1K 4mo ago
mukul975
analyzing-heap-spray-exploitation by mukul975
13.6K 1mo ago
NousResearch
code-review by NousResearch
177.2K 2mo ago
nyldn
skill-validate by nyldn
3.5K 3mo ago
team-telnyx
telnyx-account-java by team-telnyx
176 3mo ago