plugins/smedjen/skills/web-security-owasp/SKILL.md
XSS, CSRF, injection attacks, SSRF, security headers, and web application security hardening. Covers reflected/stored/DOM-based XSS, token-based CSRF defense, parameterized queries, SSRF allowlists, and the full security header stack with recommended values.
npx skillsauth add hjemmesidekongen/ai web-security-owasp
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status.
Security bugs are architecture bugs discovered late. The OWASP Top 10 attacks succeed because input trust assumptions are baked into design — not because developers forgot a sanitization call.
Cross-site scripting (XSS) comes in three variants. Reflected: the payload arrives in the request and is echoed in the response; the user must click a crafted URL. Stored: the payload is persisted to the DB and served to every visitor. DOM-based: the payload lives in the URL fragment or a JS variable and is processed entirely client-side, so server logs show nothing.
Prevention: output encoding matched to context (HTML entity, JS escape, CSS escape, URL encode). CSP as a second layer — not a replacement. Never trust innerHTML; use textContent or DOM APIs.
In cross-site request forgery (CSRF), forged requests exploit authenticated sessions. Defense: synchronizer token (server-issued, validated per-request) or SameSite=Strict cookies. The double-submit cookie pattern works for stateless APIs. Check Origin/Referer headers as a secondary signal.
Parameterized queries eliminate SQL injection; string concatenation does not. ORM query builders are safe when used correctly; raw query escape hatches are not. NoSQL injection targets MongoDB $where and JSON body operators, so validate and type-check inputs before passing them to the query layer.
Server-side request forgery (SSRF): a server-side fetch of user-supplied URLs enables internal network scanning. Allowlist approved domains. Resolve DNS before connecting and re-validate the resolved IP, because DNS rebinding bypasses hostname checks. Block RFC-1918 ranges (10.x, 172.16.x, 192.168.x) and 169.254.0.0/16 (cloud metadata).
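The allowlist, resolve, and re-validate sequence described above, as an added example that is not part of the skill's own files. The names `ALLOWED_HOSTS`, `validate_fetch_target`, `system_resolver` and `BlockedTarget`, the example.com hostnames, the injectable resolver and the extra loopback ranges are all assumptions made for this sketch.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist for this example; the page names no domains.
ALLOWED_HOSTS = {"images.example.com", "api.example.com"}

# Ranges the page says to block, written as full CIDR networks.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                  # link-local, cloud metadata
    "127.0.0.0/8", "::1/128",                          # loopback (assumption, not on the page)
)]


class BlockedTarget(ValueError):
    """Raised when a user-supplied URL must not be fetched."""


def system_resolver(host):
    """Resolve host to a sorted list of IP strings via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_target(url, resolver=system_resolver):
    """Return (host, pinned_ip) if the URL may be fetched, else raise.

    The caller must connect to pinned_ip (sending host as Host/SNI) rather
    than resolving again; a second lookup is the window DNS rebinding uses.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedTarget(f"scheme not allowed: {parts.scheme!r}")
    # .hostname drops userinfo, so "allowed@10.0.0.1" is judged as 10.0.0.1.
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise BlockedTarget(f"host not on allowlist: {host!r}")
    addresses = resolver(host)
    if not addresses:
        raise BlockedTarget(f"no addresses for {host!r}")
    for text in addresses:  # every answer must pass, not just the first
        ip = ipaddress.ip_address(text)
        # Unwrap ::ffff:a.b.c.d so an IPv4-mapped answer cannot dodge the check.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if any(ip in net for net in BLOCKED_NETS):
            raise BlockedTarget(f"{host} resolves to blocked address {ip}")
    return host, addresses[0]
```

Redirects need the same treatment: disable automatic following in the HTTP client and pass each `Location` target back through `validate_fetch_target`.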
Clickjacking: the attacker embeds the target in an iframe, renders a transparent overlay, and captures clicks. Defense: X-Frame-Options: DENY or Content-Security-Policy: frame-ancestors 'none'. frame-ancestors is the CSP-native replacement; use both for older browser coverage.
See references/process.md for security header values, cookie flag reference, SRI, HTTPS/HSTS setup, and anti-patterns.