igorwarzocha/security-django
agents/security-reviewer/.opencode/skill/security-django/SKILL.md
Review Django security audit patterns for settings and middleware. Use for auditing SECRET_KEY, DEBUG, CSRF, and auth decorators. Use proactively when reviewing Django apps (settings.py or manage.py present). Examples: - user: "Audit my Django settings.py" → check SECRET_KEY, DEBUG, and ALLOWED_HOSTS - user: "Check Django views for auth" → verify @login_required and permission classes - user: "Review Django CSRF config" → check middleware and @csrf_exempt usage - user: "Scan for SQL injection in Django" → find raw SQL usage instead of ORM - user: "Audit Django REST framework config" → check default permissions and auth
$ install --global
skillsauthnpx skillsauth add igorwarzocha/opencode-workflows security-djangoInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:06 PM6.9s2 files scanned
SKILL.md
- name:
- security-django
- description:
- |-
- - user:
- Audit Django REST framework config" → check default permissions and auth
<overview>
Security audit patterns for Django applications covering critical settings, security middleware, CSRF protection, and common vulnerabilities.
</overview> <rules>Critical Settings (settings.py)
SECRET_KEY
# ❌ CRITICAL: Hardcoded or committed
SECRET_KEY = 'django-insecure-abc123...'
SECRET_KEY = 'my-super-secret-key'
# ✓ From environment
import os
SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
# ✓ Or use django-environ
import environ
env = environ.Env()
SECRET_KEY = env('SECRET_KEY')
Check: Is SECRET_KEY in .env and .env is in .gitignore?
DEBUG
# ❌ CRITICAL: Debug in production
DEBUG = True # Exposes full stack traces, settings, SQL queries
# ✓ Environment-controlled
DEBUG = os.environ.get('DEBUG', 'False').lower() == 'true'
ALLOWED_HOSTS
# ❌ CRITICAL: Accept any host
ALLOWED_HOSTS = ['*']
# ❌ HIGH: Empty in production (500 errors, but still bad)
ALLOWED_HOSTS = []
# ✓ Explicit hosts
ALLOWED_HOSTS = ['example.com', 'www.example.com']
Security Middleware
Required Middleware
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware', # MUST be first!
# ...
'django.middleware.csrf.CsrfViewMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
Check: Is SecurityMiddleware present and near the top?
Security Middleware Settings
# ✓ Enable these in production
SECURE_BROWSER_XSS_FILTER = True # Deprecated but harmless
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_HSTS_SECONDS = 31536000 # 1 year
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_SSL_REDIRECT = True # Force HTTPS
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
CSRF Protection
Disabled CSRF (Critical)
# ❌ CRITICAL: Globally disabled
MIDDLEWARE = [
# 'django.middleware.csrf.CsrfViewMiddleware', # Commented out!
]
# ❌ HIGH: Decorator abuse
@csrf_exempt
def payment_webhook(request): # MAY be OK for webhooks with other auth
...
@csrf_exempt
def update_profile(request): # MUST NOT do this!
...
Audit: Search for @csrf_exempt - each needs justification.
CSRF Trusted Origins (Django 4.0+)
# ❌ Too permissive
CSRF_TRUSTED_ORIGINS = ['https://*']
# ✓ Explicit
CSRF_TRUSTED_ORIGINS = ['https://example.com', 'https://admin.example.com']
Common Vulnerabilities
SQL Injection
# ❌ Raw SQL with string formatting
User.objects.raw(f"SELECT * FROM users WHERE id = {user_id}")
cursor.execute(f"DELETE FROM logs WHERE date < '{date}'")
# ✓ Parameterized
User.objects.raw("SELECT * FROM users WHERE id = %s", [user_id])
cursor.execute("DELETE FROM logs WHERE date < %s", [date])
# ✓ ORM (safe by default)
User.objects.filter(id=user_id)
Command Injection
# ❌ User input in subprocess
import subprocess
subprocess.run(f"convert {user_filename} output.png", shell=True)
os.system(f"process {user_input}")
# ✓ Use arrays, avoid shell=True
subprocess.run(["convert", user_filename, "output.png"])
Path Traversal
# ❌ User-controlled path
def download(request, filename):
return FileResponse(open(f'uploads/{filename}', 'rb'))
# ✓ Validate path
import os
def download(request, filename):
safe_name = os.path.basename(filename)
filepath = os.path.join(settings.UPLOAD_DIR, safe_name)
if not filepath.startswith(settings.UPLOAD_DIR):
raise Http404()
return FileResponse(open(filepath, 'rb'))
IDOR (Insecure Direct Object Reference)
# ❌ No ownership check
class DocumentView(View):
def get(self, request, doc_id):
doc = Document.objects.get(id=doc_id)
return JsonResponse(doc.to_dict())
# ✓ Check ownership
class DocumentView(LoginRequiredMixin, View):
def get(self, request, doc_id):
doc = Document.objects.get(id=doc_id, owner=request.user)
return JsonResponse(doc.to_dict())
Auth Decorators Missing
# ❌ No auth required
def admin_dashboard(request):
return render(request, 'admin/dashboard.html', {'users': User.objects.all()})
# ✓ Auth required
@login_required
@user_passes_test(lambda u: u.is_staff)
def admin_dashboard(request):
...
Django REST Framework
# Check DRF settings
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': [
# ❌ SessionAuth without CSRF = vulnerable
'rest_framework.authentication.SessionAuthentication',
],
'DEFAULT_PERMISSION_CLASSES': [
# ❌ Allow any by default
'rest_framework.permissions.AllowAny',
# ✓ Require auth by default
'rest_framework.permissions.IsAuthenticated',
],
}
Quick Audit Commands
# Check critical settings
rg "(SECRET_KEY|DEBUG|ALLOWED_HOSTS)" settings*.py
# Find csrf_exempt usage
rg "@csrf_exempt" . -g "*.py"
# Django deployment checklist (high signal)
python manage.py check --deploy
# Find raw SQL
rg "\.raw\(|cursor\.execute\(" . -g "*.py" -A 1
# Find subprocess/os.system
rg "(subprocess\.|os\.system|os\.popen)" . -g "*.py"
# Check for missing login_required
rg "^def " views.py | head -20 # Then check which have decorators
# Find shell=True
rg "shell\s*=\s*True" . -g "*.py"
Hardening Checklist
- [ ] SECRET_KEY from environment, not hardcoded
- [ ] DEBUG = False in production
- [ ] ALLOWED_HOSTS explicitly set (no wildcards)
- [ ] SecurityMiddleware enabled and configured
- [ ] CSRF middleware enabled
- [ ] SECURE_SSL_REDIRECT = True
- [ ] SESSION_COOKIE_SECURE = True
- [ ] CSRF_COOKIE_SECURE = True
- [ ] No @csrf_exempt without justification
- [ ] All views have appropriate auth decorators
- [ ] No raw SQL with string formatting
- [ ] DRF has IsAuthenticated as default permission
Related Skills
igorwarzocha/writing
development
VerifiedTrustedCommunity
Handle structured co-authoring of professional documentation. Use for proposals, technical specs, and RFCs. Use proactively when a collaborative drafting process (Gathering -> Refinement -> Testing) is needed. Examples: - user: "Draft a technical RFC for the new API" -> follow Stage 1 context gathering - user: "Refine the introduction of this proposal" -> use iterative surgical edits - user: "Test if this document is clear for readers" -> run reader testing workflow
100SKILL.mdUpdated Apr 5, 2026
igorwarzocha/word
development
VerifiedTrustedCommunity
Handle Word document (.docx) creation, editing, and analysis with high-fidelity visual review. Use for professional reports, legal documents, and tracked changes. Use proactively when quality and precise formatting are critical. Examples: - user: "Create a professional report in Word" -> use python-docx with render loops - user: "Draft a legal contract with redlines" -> use ooxml redlining workflow - user: "Extract text from this DOCX while preserving structure" -> use pandoc markdown conversion
100SKILL.mdUpdated Apr 5, 2026
igorwarzocha/themes
testing
VerifiedTrustedCommunity
Apply professional visual themes to documents and presentations. Use for styling artifacts with consistent color palettes and font pairings. Use proactively to quickly improve the aesthetic quality of deliverables. Examples: - user: "Apply a modern theme to this deck" -> use Modern Minimalist theme - user: "I want a tech aesthetic for this doc" -> apply Tech Innovation theme - user: "Create a custom theme for my project" -> generate new color/font specification
100SKILL.mdUpdated Apr 5, 2026
igorwarzocha/skill-creator
tools
VerifiedTrustedCommunity
Guide for creating effective opencode skills. Use for creating or updating skills that extend agent capabilities with specialized knowledge, workflows, or tool integrations. Examples: - user: "Create a skill for git workflows" → define SKILL.md with instructions and examples - user: "Add examples to my skill" → follow the user: "query" → action pattern - user: "Update skill description" → use literal block scalar and trigger contexts - user: "Structure a complex skill" → organize with scripts/ and references/ directories - user: "Validate my skill" → check structure, frontmatter, and discovery triggers
100SKILL.mdUpdated Apr 5, 2026