hoangnguyen0403/react-security
skills/react/react-security/SKILL.md
Prevent XSS, secure auth flows, and harden React client-side applications. Use when preventing XSS, securing auth flows, or auditing third-party dependencies in React.
$ install --global
skillsauthnpx skillsauth add hoangnguyen0403/agent-skills-standard react-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 21, 2026, 2:42 AM181.1s3 files scanned
SKILL.md
- name:
- react-security
- description:
- Prevent XSS, secure auth flows, and harden React client-side applications. Use when preventing XSS, securing auth flows, or auditing third-party dependencies in React.
React Security
Priority: P0 (CRITICAL)
Prevent XSS Attacks
- Never use
dangerouslySetInnerHTMLwithout sanitization. UseDOMPurify.sanitize(input)for all user-provided HTML. - Avoid
javascript:protocols inhreforsrc.
See implementation examples for DOMPurify sanitization and secure cookie configuration.
Secure Authentication
- Store JWT/Sessions in
HttpOnlyandSecurecookies to prevent theft via XSS. Never store secrets inlocalStorageor in built JS bundle. - Data Flow: Escape all serialized state if injecting into HTML (e.g., in SSR). Use Content Security Policy (CSP) to restrict script sources and prevent inline execution.
Harden Application Boundaries
- CSRF Protection: Use CSRF tokens for state-changing requests (PUT/POST/DELETE). Implement SameSite=Strict cookies where applicable.
- Input Sanitization: Always validate and sanitize user inputs on backend. Frontend validation for UX only.
- Dependency Management: Run
npm audit/pnpm auditregularly. Pin specific dependency versions and usenpm-check-updates. - Security Headers: Ensure server sends
X-Frame-Options: DENY,X-Content-Type-Options: nosniff, andPermissions-Policy.
Anti-Patterns
- No
eval(): RCE risk. - No Serialized State: Don't inject JSON into DOM without escaping.
- No Client Logic for Permissions: Backend must validate.
References
See references/REFERENCE.md for DOMPurify usage, CSP headers, OAuth2/JWT auth patterns, and CSRF protection.
Related Skills
hoangnguyen0403/specialist-pr-reviewer
development
VerifiedTrustedCommunity
Summarizes GitHub PR, GitLab MR, or Azure DevOps PR metadata, review threads, changed files, and template completeness. Use during review-ticket or code-review workflows when PR/MR context exists.
498SKILL.mdUpdated May 23, 2026
hoangnguyen0403/typescript-tooling
tools
VerifiedTrustedCommunity
Development tools, linting, and build config for TypeScript. Use when configuring ESLint, Prettier, Jest, Vitest, tsconfig, or any TS build tooling.
498SKILL.mdUpdated May 21, 2026
hoangnguyen0403/typescript-security
development
VerifiedTrustedCommunity
Validate input, secure auth tokens, and prevent injection attacks in TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration.
498SKILL.mdUpdated May 21, 2026
hoangnguyen0403/typescript-language
development
VerifiedTrustedCommunity
Apply modern TypeScript standards for type safety and maintainability. Use when working with types, interfaces, generics, enums, unions, or tsconfig settings.
498SKILL.mdUpdated May 21, 2026