michaelalber/react-security-review
skills/team/react-security-review/SKILL.md
OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use react-architecture-checklist.
tools
Updated Jun 4, 2026
$ install --global
skillsauthnpx skillsauth add michaelalber/ai-toolkit react-security-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 8:51 AM284.2s3 files scanned
SKILL.md
- name:
- react-security-review
- audience:
- team
- description:
- >
React Security Review
"Security is not a product, but a process." — Bruce Schneier
Core Security Values
Shared across the dotnet / python / php / rust / react security reviews — same values, language-specific threats.
Grounding note: the knowledge base has no React corpus. Use
collection="internal"for OWASP,collection="javascript"for JS/TS specifics, andcollection="ui_ux"for safe-by-default UI; cite react.dev and the OWASP cheat sheets as the React authority. Never invent areactcollection.
| # | Value | What it means |
|---|-------|---------------|
| 1 | Validate at boundaries | Every external input (URL params, postMessage, API responses) validated/typed before use; never trust client-controlled data — even your own API's response shapes. |
| 2 | No raw HTML from untrusted data | Output is escaped by default (JSX does this); the raw-HTML escape hatch is sanitized or never fed user data. |
| 3 | Secrets out of the bundle | No API keys/tokens in client code; only intentionally-public VITE_/NEXT_PUBLIC_ values shipped; everything else stays server-side. |
| 4 | Authn/authz is server-enforced | The client never decides authorization — it only reflects it. Route guards are UX, not security; the API enforces. |
| 5 | Least privilege & safe defaults | Minimal scopes; safe link/target defaults; fail closed on missing data. |
| 6 | Protect data in transit & at rest | TLS only; tokens in memory or httpOnly cookies, not localStorage; no PII/tokens in logs or analytics. |
| 7 | Dependencies pinned & audited | Lockfile committed; npm audit / Snyk in CI; transitive CVEs reviewed (the npm tree is deep). |
| 8 | Evidence-based, graded findings | Every finding cites file:line + OWASP category + severity; report is graded and manager-readable. |
Workflow
Shared skeleton: DETECT → SCAN → EXECUTIVE SUMMARY → GRADED FINDINGS.
DETECT Framework (Vite/CRA/Next + React version), entry points (routes, forms, `postMessage`/
`iframe`, external script tags), and the APIs / storage the app talks to.
SCAN Walk the React Threat Checklist below, one OWASP category at a time. Gather evidence:
npm audit --omit=dev # known CVEs in the dependency tree
npx eslint . --plugin security # eslint-plugin-security + jsx-a11y
grep -rn "dangerously" src/ # raw-HTML escape hatch usage
grep -rn "localStorage\|sessionStorage" src/ # token storage
grep -rn "VITE_\|NEXT_PUBLIC_\|process.env" src/ # secrets exposed to the bundle
Every issue becomes a finding with file:line, OWASP category, and severity.
EXEC SUMMARY Manager-friendly: risk grade, count by severity, top 3 risks in plain language.
FINDINGS Technical table: severity · location · OWASP · finding · remediation.
React Threat Checklist (language-specific)
| OWASP (2025) | React / front-end check | Severity signal |
|---|---|---|
| A01 Broken Access Control | Authorization enforced by the API, not just hidden routes/buttons; no sensitive data fetched then client-side filtered; no IDOR via predictable IDs in client calls | Critical |
| A02 Cryptographic Failures | Tokens not in localStorage (XSS-readable) — prefer httpOnly cookies or memory; no home-rolled crypto in the client; HTTPS-only links | High |
| A03 Injection (XSS) | JSX auto-escaping intact; the raw-HTML escape hatch (dangerously…InnerHTML) only on sanitized HTML (DOMPurify); no href={userUrl}/src= allowing javascript:; no dynamic code evaluation (eval, the Function constructor, injected <script>) on input | Critical |
| A04 Insecure Design | target="_blank" paired with rel="noopener noreferrer"; postMessage handlers check event.origin; no trust of window.name/referrer | High |
| A05 Misconfiguration | Content-Security-Policy present; source maps not shipped to prod (or access-controlled); no * CORS reliance; React dev build not served in prod | High |
| A06 Vulnerable Components | npm audit clean; lockfile committed; no abandoned/unmaintained UI deps; no latest ranges | High |
| A07 Auth/Session Failures | Login flows rate-limited server-side; tokens cleared on logout; no long-lived tokens in storage; refresh handled securely | High |
| A08 Integrity Failures | Third-party <script>/CDN tags use SRI (integrity); no untrusted dynamic import of attacker-controlled URLs | High |
| A09 Logging Failures | No tokens/PII sent to client analytics/error trackers (scrub before Sentry/GA); no secrets in console.log | Medium |
| A10 SSRF / Open Redirect | Redirect targets from query params allow-listed (no location.href = params.get('next')); image/iframe src from user input validated | High |
Full per-category checklist: owasp react checklist.
State Block
<security-review-state>
language: react
mode: DETECT | SCAN | EXEC-SUMMARY | FINDINGS | COMPLETE
detected: [framework+version | entry points | apis/storage]
owasp_covered: [A01..A10 progress]
findings: [critical:N high:N medium:N low:N]
last_action: [what was just done]
next_action: [what should happen next]
</security-review-state>
Output Template
Shared across all security reviews. Executive summary template: executive summary.
## Security Review: [project] (React)
**Framework**: [Vite/CRA/Next + React x] | **Scope**: [paths] | **Risk grade**: [A–F]
### Executive Summary (manager-friendly)
[2–3 sentences: overall posture, the most serious risk in plain language, recommended next step.]
Findings: Critical [N] · High [N] · Medium [N] · Low [N]
### Technical Findings
| Severity | Location | OWASP | Finding | Remediation |
|----------|----------|-------|---------|-------------|
| CRITICAL | file:line | A03 | [pattern] | [fix] |
**Top 3 priorities**: 1. … 2. … 3. …
Risk grade: A no critical/high · B no critical, ≤2 high · C no critical, multiple high · D 1+ critical · F systemic (unsanitized raw HTML + secrets in bundle + client-only authz).
AI Discipline Rules
- Evidence or it is not a finding. Run the tools; cite
file:lineand the OWASP category. No speculative findings. - Detect the framework first. React escapes JSX by default and Next.js adds headers/CSP options — confirm the safe defaults are used, not bypassed, before flagging.
- Client guards are UX, not security. A hidden admin route is never a control; the finding is the missing server-side check, not the visible button.
- Severity reflects exploitability + impact, not how unusual the pattern looks. XSS that reads a
localStoragetoken is Critical; a missingrel="noopener"is Low/Medium. - Architecture, not here. Structural/maintainability issues belong to
react-architecture-checklist— note and route. - Federal/gov context → escalate. If NIST/FIPS/CUI/DOE applies, run
security-review-federalafter this base review.
Integration with Other Skills
security-review-federal— Federal/gov overlay (NIST 800-53, FIPS, CUI, POA&M) applied on top of this base review.react-architecture-checklist— Companion for structure/maintainability; run first for context.supply-chain-audit— Deeper dependency/CVE and license analysis beyondnpm audit(the npm tree is the largest attack surface here).dotnet/python/php/rust-security-review — Sibling skills sharing this exact Core Values + workflow + output.
Related Skills
michaelalber/security-review-federal
development
VerifiedTrustedCommunity
Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone — run the matching <lang>-security-review FIRST; this overlay maps and extends it.
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-modernization-analyzer
tools
VerifiedTrustedCommunity
Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-feature-slice
development
VerifiedTrustedCommunity
Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice — no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".
SKILL.mdUpdated Jun 4, 2026
michaelalber/react-component-scaffolder
development
VerifiedTrustedCommunity
Scaffolds a single React / TypeScript component or route with a typed props interface, a co-located React Testing Library test, an accessibility baseline, and an optional Storybook story. React analog of fastapi-scaffolder — the component/route is the front-end "unit". Use when creating a new React component, adding a route/page, generating a typed presentational or container component, or standing up a component with its test and story. Triggers on phrases like "scaffold react component", "create react component", "new react component", "add react route", "react page component", "react component with test", "react storybook component".
SKILL.mdUpdated Jun 4, 2026