Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

hoangnguyen0403/nestjs-security

Name: nestjs-security
Author: hoangnguyen0403

skills/nestjs/nestjs-security/SKILL.md

npx skillsauth add hoangnguyen0403/agent-skills-standard nestjs-security

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

NestJS Security Standards

Priority: P0 (CRITICAL)

Workflow: Secure NestJS Application

Add Helmet — app.use(helmet()) in main.ts for HSTS, CSP headers.
Configure JWT strategy — Use passport-jwt with RS256; validate iss and aud claims.
Bind global AuthGuard — Register as APP_GUARD; use @Public() for open routes.
Add throttling — Enable @nestjs/throttler with Redis store for rate limiting.
Hash with Argon2id — Replace bcrypt with argon2.hash(password, { type: argon2.argon2id }).
Verify — Run npm audit --prod and test that unauthenticated requests return 401.

Global Auth Guard Example

See implementation examples

Argon2id Hashing Example

See implementation examples

Authentication (JWT)

Strategy: Use @nestjs/passport with passport-jwt.
Algorithm: Enforce RS256 (preferred) or HS256. Reject none.
Claims: Validate iss and aud.
Tokens: Short access (15m), Long httponly refresh (7d).
MFA: Require 2FA for admin panels.

Authorization (RBAC)

Deny by default: Bind AuthGuard globally (APP_GUARD).
Bypass: Create @Public() decorator for open routes.
Roles: Use Reflector.getAllAndOverride for Method/Class merge.

Cryptography

Hashing: Use Argon2id, not Bcrypt. See implementation.
Encryption: Use AES-256-GCM with KMS rotation. See implementation.

Hardening

Helmet: Mandatory. Enable HSTS, CSP.
CORS: Explicit origins only. No *.
Throttling: Use Redis-backed @nestjs/throttler in production.
CSRF: Required for cookie-based auth. See implementation.

Data Protection

Sanitization: Use ClassSerializerInterceptor + @Exclude().
Validation: ValidationPipe({ whitelist: true }) to prevent mass assignment.
Audit: Log mutations (Who, What, When). See implementation.

Secrets Management

CI/CD: Run npm audit --prod in pipelines.
Runtime: Inject via vault (AWS Secrets Manager / HashiCorp Vault), not .env.

Anti-Patterns

No Shadow APIs: Audit routes regularly; disable /docs in production.
No SSRF: Allowlist domains for all outgoing HTTP requests.
No SQLi: Use ORM; avoid raw query() with string concatenation.
No XSS: Sanitize HTML input with dompurify.

References

Implementation Examples
common/security-standards

hoangnguyen0403/nestjs-security

skills/nestjs/nestjs-security/SKILL.md

Implement JWT authentication, RBAC guards, Helmet hardening, and Argon2 hashing in NestJS. Use when adding auth strategies, role-based access control, CSRF protection, or security headers.

495 stars

development

Updated May 19, 2026

$ install --global

skillsauth

npx skillsauth add hoangnguyen0403/agent-skills-standard nestjs-security

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 19, 2026, 3:38 AM179.5s3 files scanned

SKILL.md

name:: nestjs-security
description:: Implement JWT authentication, RBAC guards, Helmet hardening, and Argon2 hashing in NestJS. Use when adding auth strategies, role-based access control, CSRF protection, or security headers.

NestJS Security Standards

Priority: P0 (CRITICAL)

Workflow: Secure NestJS Application

Add Helmet — app.use(helmet()) in main.ts for HSTS, CSP headers.
Configure JWT strategy — Use passport-jwt with RS256; validate iss and aud claims.
Bind global AuthGuard — Register as APP_GUARD; use @Public() for open routes.
Add throttling — Enable @nestjs/throttler with Redis store for rate limiting.
Hash with Argon2id — Replace bcrypt with argon2.hash(password, { type: argon2.argon2id }).
Verify — Run npm audit --prod and test that unauthenticated requests return 401.

Global Auth Guard Example

See implementation examples

Argon2id Hashing Example

See implementation examples

Authentication (JWT)

Strategy: Use @nestjs/passport with passport-jwt.
Algorithm: Enforce RS256 (preferred) or HS256. Reject none.
Claims: Validate iss and aud.
Tokens: Short access (15m), Long httponly refresh (7d).
MFA: Require 2FA for admin panels.

Authorization (RBAC)

Deny by default: Bind AuthGuard globally (APP_GUARD).
Bypass: Create @Public() decorator for open routes.
Roles: Use Reflector.getAllAndOverride for Method/Class merge.

Cryptography

Hashing: Use Argon2id, not Bcrypt. See implementation.
Encryption: Use AES-256-GCM with KMS rotation. See implementation.

Hardening

Helmet: Mandatory. Enable HSTS, CSP.
CORS: Explicit origins only. No *.
Throttling: Use Redis-backed @nestjs/throttler in production.
CSRF: Required for cookie-based auth. See implementation.

Data Protection

Sanitization: Use ClassSerializerInterceptor + @Exclude().
Validation: ValidationPipe({ whitelist: true }) to prevent mass assignment.
Audit: Log mutations (Who, What, When). See implementation.

Secrets Management

CI/CD: Run npm audit --prod in pipelines.
Runtime: Inject via vault (AWS Secrets Manager / HashiCorp Vault), not .env.

Anti-Patterns

No Shadow APIs: Audit routes regularly; disable /docs in production.
No SSRF: Allowlist domains for all outgoing HTTP requests.
No SQLi: Use ORM; avoid raw query() with string concatenation.
No XSS: Sanitize HTML input with dompurify.

References

Implementation Examples
common/security-standards

Related Skills

hoangnguyen0403/specialist-pr-reviewer

development

VerifiedTrustedCommunity

Summarizes GitHub PR, GitLab MR, or Azure DevOps PR metadata, review threads, changed files, and template completeness. Use during review-ticket or code-review workflows when PR/MR context exists.

498SKILL.mdUpdated May 23, 2026

hoangnguyen0403/specialist-pr-reviewer

hoangnguyen0403/typescript-tooling

tools

VerifiedTrustedCommunity

Development tools, linting, and build config for TypeScript. Use when configuring ESLint, Prettier, Jest, Vitest, tsconfig, or any TS build tooling.

498SKILL.mdUpdated May 21, 2026

hoangnguyen0403/typescript-tooling

hoangnguyen0403/typescript-security

development

VerifiedTrustedCommunity

Validate input, secure auth tokens, and prevent injection attacks in TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration.

498SKILL.mdUpdated May 21, 2026

hoangnguyen0403/typescript-security

hoangnguyen0403/typescript-language

development

VerifiedTrustedCommunity

Apply modern TypeScript standards for type safety and maintainability. Use when working with types, interfaces, generics, enums, unions, or tsconfig settings.

498SKILL.mdUpdated May 21, 2026

hoangnguyen0403/typescript-language

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/hoangnguyen0403/agent-skills-standard.git

# Copy into Claude Code skills folder (global)
cp -r agent-skills-standard/skills/nestjs/nestjs-security ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

hoangnguyen0403/agent-skills-standard

495 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT