lennetech/general-frontend-security
plugins/lt-dev/skills/general-frontend-security/SKILL.md
Framework-agnostic frontend security guide based on OWASP Secure Coding Practices. Covers XSS prevention, CSRF protection, Content Security Policy (CSP), secure cookie configuration, client-side authentication patterns, input validation, secure storage, and security headers. Activates for security audits, vulnerability reviews, XSS, CSRF, CSP, injection, security headers, or browser security questions in any web application. NOT for backend/NestJS security (use generating-nest-servers). NOT for Nuxt-specific implementation (use developing-lt-frontend).
tools
Updated Apr 21, 2026
$ install --global
skillsauthnpx skillsauth add lennetech/claude-code general-frontend-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 30, 2026, 1:07 PM17.4s1 file scanned
SKILL.md
- name:
- general-frontend-security
- description:
- Framework-agnostic frontend security guide based on OWASP Secure Coding Practices. Covers XSS prevention, CSRF protection, Content Security Policy (CSP), secure cookie configuration, client-side authentication patterns, input validation, secure storage, and security headers. Activates for security audits, vulnerability reviews, XSS, CSRF, CSP, injection, security headers, or browser security questions in any web application. NOT for backend/NestJS security (use generating-nest-servers). NOT for Nuxt-specific implementation (use developing-lt-frontend).
- user-invocable:
- false
General Frontend Security
Framework-agnostic security practices for web applications based on OWASP guidelines.
When to Use This Skill
- Reviewing frontend code for security vulnerabilities
- Implementing client-side authentication flows
- Setting up secure cookie handling
- Configuring Content Security Policy
- Auditing third-party dependencies
- General frontend security questions
Skill Boundaries
| User Intent | Correct Skill | |------------|---------------| | "XSS prevention best practices" | THIS SKILL | | "Security audit of frontend" | THIS SKILL | | "Configure CSP headers" | THIS SKILL | | "Build a secure login page in Nuxt" | developing-lt-frontend | | "Fix @Restricted decorator in NestJS" | generating-nest-servers | | "Run npm audit fix" | maintaining-npm-packages |
Related Skills & Commands
| Command | Purpose |
|---------|---------|
| /lt-dev:review | General security review of branch diff (framework-agnostic) |
| /lt-dev:backend:sec-review | Security review of backend code changes (auth, decorators, models) |
| /lt-dev:backend:sec-audit | Full OWASP security audit (dependencies, config, code) |
Framework-Specific References
| Framework | Reference File |
|-----------|---------------|
| Nuxt/Vue | See developing-lt-frontend skill (reference/security.md) |
| Angular | angular-security.md |
Key Principles
- Never trust client-side validation - Server must always verify
- Store tokens securely - Memory for access tokens, httpOnly cookies for refresh tokens
- Prevent XSS - Never use
innerHTMLwith user input; usetextContentor DOMPurify - Protect against CSRF - Use CSRF tokens for state-changing requests +
SameSitecookies - Configure CSP - Restrict script/style sources, use nonces, block framing
- Minimize dependencies - Fewer deps = smaller attack surface; always run
pnpm audit
Complete OWASP reference with code examples: owasp-reference.md
Security Checklist
Development
- [ ] No sensitive data in client-side code
- [ ] Environment variables separated (public vs private)
- [ ] Input validation on all user inputs
- [ ] XSS prevention (no innerHTML with user data)
- [ ] CSRF tokens for state-changing requests
Authentication
- [ ] Tokens stored securely (memory + httpOnly cookies)
- [ ] Token refresh mechanism implemented
- [ ] Proper logout (clear all client state)
- [ ] Session timeout configured
Configuration
- [ ] HTTPS enforced
- [ ] CSP headers configured
- [ ] Security headers set (X-Frame-Options, etc.)
- [ ] Cookies configured with secure flags
- [ ] CORS properly restricted
Dependencies
- [ ] pnpm audit clean (or accepted risks)
- [ ] pnpm-lock.yaml committed
- [ ] SRI for external resources
- [ ] Regular dependency updates
Build & Deploy
- [ ] Debug mode disabled
- [ ] Console logs removed
- [ ] Source maps disabled or restricted
- [ ] Error messages generic (no stack traces)
Related Skills
lennetech/validating-production-readiness
development
VerifiedTrustedCommunity
Single source of truth for the lenne.tech fullstack production-readiness checklist. Defines the eight pillars (configuration & secrets, observability & logging, health & lifecycle, security hardening, data durability, resilience under load, deployment hygiene, runbook & rollback) with concrete file/line evidence requirements per pillar, severity classification (Critical / Major / Minor), and a canonical machine-parseable report block. Activates whenever an agent or command needs to gate a release on production-readiness — currently used by /lt-dev:production-ready, lt-dev:production-readiness-orchestrator, and the devops-reviewer (read-only). NOT for OWASP-style code-level security review (use security-reviewer). NOT for npm dependency audits (use maintaining-npm-packages).
SKILL.mdUpdated May 11, 2026
lennetech/validating-ci-pipelines-locally
development
VerifiedTrustedCommunity
Single source of truth for executing GitLab CI/CD pipelines locally with the same image, env vars, and service containers as the real runner — so pipeline failures are caught before push. Defines pipeline discovery (.gitlab-ci.yml + includes), per-job execution via gitlab-runner exec, service-container orchestration (Mongo, Redis, MailHog), env injection without secrets, cache/artifact handling, and a job-by-job verdict report. Also describes the GitHub Actions equivalent via act for projects that mirror to GitHub. Activates whenever an agent or command needs to validate that the CI pipeline will pass — currently used by /lt-dev:production-ready and lt-dev:production-readiness-orchestrator. NOT for running the local check script (use running-check-script). NOT for writing or refactoring CI configs (use the devops agent).
SKILL.mdUpdated May 11, 2026
lennetech/running-load-tests-with-k6
development
VerifiedTrustedCommunity
Single source of truth for designing, running, and interpreting k6 load tests against lenne.tech fullstack APIs. Defines installation paths (brew, docker, npm), the three canonical scenarios (smoke / load / soak), endpoint discovery from the generated SDK, realistic Better-Auth login flows, threshold defaults for ~10 concurrent users (p95 < 500ms, error rate < 1%, http_req_failed < 1%), result interpretation, and the optimisation ladder when the system fails (DB indices, query rewrites, caching, connection pool sizing, rate-limit relaxation, payload trimming). Activates whenever an agent or command needs to validate that the API is stable for ~10 concurrent users performing many actions in short time, or to detect performance regressions via k6. Currently used by /lt-dev:production-ready, lt-dev:production-readiness-orchestrator, and lt-dev:performance-reviewer. NOT for Lighthouse frontend performance (use a11y-reviewer). NOT for unit performance assertions (use the test runner directly).
SKILL.mdUpdated May 11, 2026
lennetech/modernizing-toolchain
tools
VerifiedTrustedCommunity
Migrates lenne.tech projects from the legacy jest+eslint+prettier toolchain to the current vitest+oxlint+oxfmt baseline used by nest-server-starter and nuxt-base-starter. Covers swc decoratorMetadata config, the @Prop union-type fix for SWC, supertest default-import correction, ESM/CJS interop, the Nitro PORT-vs-NITRO_PORT bug, ANSI escape stripping in workspace runners (lerna/nx), free-port logic for check-server-start.sh, the offers-pattern config.env.ts (NSC__-only + fail-fast + auto-derived appUrl), and the multi-phase check-envs.sh smoke test. Activates whenever someone is migrating an existing project to the new toolchain, debugging "Cannot determine a type for the X field" Mongoose errors, ERR_SOCKET_BAD_PORT crashes from check-server-start, or wants to align an existing project with the current starter conventions.
SKILL.mdUpdated Apr 30, 2026