dtsong/web-security-hardening
skills/web-security-hardening/SKILL.md
Security audit checklist for web applications. Use when reviewing, auditing, or hardening a web app's security posture. Covers rate limiting, auth headers, IP blocking, CORS, security middleware, input validation, file upload limits, ORM usage, and password hashing. Triggers on requests like "review security", "harden this app", "security audit", "check for vulnerabilities", or when building/reviewing API endpoints.
$ install --global
skillsauthnpx skillsauth add dtsong/my-claude-setup web-security-hardeningInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 28, 2026, 4:36 AM118.8s6 files scanned
SKILL.md
- name:
- web-security-hardening
- description:
- Security audit checklist for web applications. Use when reviewing, auditing, or hardening a web app's security posture. Covers rate limiting, auth headers, IP blocking, CORS, security middleware, input validation, file upload limits, ORM usage, and password hashing. Triggers on requests like "review security", "harden this app", "security audit", "check for vulnerabilities", or when building/reviewing API endpoints.
Web Security Hardening
Security audit checklist for web applications. Run through each item when reviewing or building web apps.
Audit Workflow
- Identify the framework (Node.js/Express, Python/Django/Flask, etc.)
- Review each checklist item below
- For implementation details, see framework-specific references:
- Node.js/Express: See references/nodejs.md
- Python/Django/Flask: See references/python.md
- For production deployments, see references/production-gcp.md for extended checklist covering:
- GCP infrastructure (IAM, networking, secrets)
- CI/CD pipeline security
- Monitoring & incident response
- Report findings with severity and remediation steps
Security Checklist
1. Rate Limiting
Risk: DoS attacks, brute force attempts, API abuse
Check for:
- Per-endpoint rate limits (stricter on auth endpoints)
- Rate limit headers in responses (
X-RateLimit-*) - Appropriate limits for different user tiers
2. Security & Authorization Headers
Risk: XSS, clickjacking, MIME sniffing, info leakage
Required headers:
Strict-Transport-Security(HSTS)X-Content-Type-Options: nosniffX-Frame-Options: DENYorSAMEORIGINContent-Security-PolicyAuthorizationheader validation on protected routes
3. IP Block List (Public APIs)
Risk: Abuse from known bad actors, bot traffic
Check for:
- IP-based blocking mechanism
- Integration with threat intelligence feeds (optional)
- Logging of blocked requests
4. CORS Configuration
Risk: Unauthorized cross-origin requests, data theft
Check for:
- Explicit origin whitelist (not
*in production) - Appropriate methods and headers allowed
- Credentials handling if needed
5. Security Middleware
Risk: Common web vulnerabilities
Check for framework-appropriate middleware:
- Node.js:
helmet - Python:
django-secure,flask-talisman - Sets multiple security headers automatically
6. Input Validation
Risk: Injection attacks, data corruption, XSS
Check for:
- Frontend validation (UX, not security)
- Backend validation (required for security)
- Schema validation libraries (Zod, Joi, Pydantic, etc.)
- Sanitization of user input before storage/display
7. File Upload Limits
Risk: Storage exhaustion, malicious file uploads
Check for:
- Max file size limits
- Allowed file type restrictions (MIME + extension)
- File content validation (magic bytes)
- Secure storage location (outside webroot)
8. ORM for Database Access
Risk: SQL injection
Check for:
- Parameterized queries (never string concatenation)
- ORM usage (Prisma, Sequelize, SQLAlchemy, Django ORM)
- If raw SQL needed: prepared statements only
9. Password Hashing
Risk: Credential theft, rainbow table attacks
Check for:
- Strong algorithm: bcrypt, Argon2, or scrypt
- Appropriate cost factor (bcrypt rounds ≥10)
- No MD5, SHA1, or plain SHA256 for passwords
- No plaintext password storage or logging
Gotchas
- CORS
credentials: true+origin: '*'fails silently in browsers — must specify explicit origin when using credentials helmet()defaults changed between v4 and v5 — CSP is no longer set by default in v5, must configure explicitly- CSP
unsafe-inlinenegates most XSS protection — if you need inline scripts, use nonces or hashes instead express.json()withoutlimitaccepts arbitrarily large payloads — always setlimit: '1mb'or similarhttpOnlycookies prevent XSS token theft but NOT CSRF — still need CSRF tokens or SameSite=Strict- Rate limiting per IP fails behind reverse proxies — must set
trust proxyand useX-Forwarded-For bcryptsilently truncates passwords at 72 bytes — use Argon2 for long passphrases or pre-hash with SHA-256
// WRONG: credentials with wildcard origin (silently fails)
app.use(cors({ origin: '*', credentials: true }));
// RIGHT: explicit origin
app.use(cors({ origin: 'https://app.example.com', credentials: true }));
// WRONG: helmet v5 without CSP (no longer set by default)
app.use(helmet());
// RIGHT: explicit CSP
app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"] } } }));
Audit Report Format
## Security Audit: [App Name]
### Summary
- **Items Passing**: X/9
- **Critical Issues**: X
- **Recommendations**: X
### Findings
#### [Item Name] - [PASS/FAIL/PARTIAL]
**Severity**: Critical/High/Medium/Low
**Finding**: [Description]
**Location**: [File/endpoint]
**Remediation**: [Steps to fix]
Related Skills
dtsong/workflow
development
VerifiedTrustedCommunity
Use when planning implementation steps, deciding commit format, or structuring development approach. Provides brainstorm-plan-implement flow with conventional commits. Triggers on 'how should I approach this', 'commit format'.
4SKILL.mdUpdated Apr 28, 2026
dtsong/web-design-guidelines
development
VerifiedTrustedCommunity
Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".
4SKILL.mdUpdated Apr 28, 2026
dtsong/vercel-react-best-practices
development
VerifiedTrustedCommunity
React and Next.js performance optimization guidelines from Vercel Engineering. This skill should be used when writing, reviewing, or refactoring React/Next.js code to ensure optimal performance patterns. Triggers on tasks involving React components, Next.js pages, data fetching, bundle optimization, or performance improvements.
4SKILL.mdUpdated Apr 28, 2026
dtsong/Prompt Wizard
development
VerifiedTrustedCommunity
Interactive wizard to craft effective prompts using Claude Code best practices
4SKILL.mdUpdated Apr 28, 2026