stevefeldman/security-hardening
skills/security-hardening/SKILL.md
Apply security best practices to reduce attack surface — authentication, input validation, headers, encryption, and dependency updates
$ install --global
skillsauthnpx skillsauth add stevefeldman/agents-skills security-hardeningInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 28, 2026, 8:16 AM172.4s1 file scanned
SKILL.md
- name:
- security-hardening
- description:
- Apply security best practices to reduce attack surface — authentication, input validation, headers, encryption, and dependency updates
Security Hardening
Apply code-level security best practices to reduce attack surface and improve security posture.
Prerequisite: Consider running
/security-auditfirst to identify what needs hardening.
Instructions
-
Security Assessment and Baseline
- Scan the codebase for existing security controls
- Identify potential vulnerabilities: hardcoded secrets, missing validation, insecure defaults
- Review authentication and authorization mechanisms
- Review data handling and storage practices
- Verify: List all identified vulnerabilities with severity ratings before proceeding
-
Authentication and Authorization Hardening
- Implement strong password hashing (bcrypt, argon2) if not already present
- Configure secure session management with proper timeouts and rotation
- Set up role-based access control (RBAC) with least privilege principle
- Implement JWT security best practices: short expiry, proper signing, refresh token rotation
- Add brute force protection: rate limiting on login endpoints, account lockout
- Verify: Test login with invalid credentials to confirm lockout/rate limiting works
-
Input Validation and Sanitization
- Implement comprehensive input validation for all user inputs (type, length, format)
- Use parameterized queries or ORM methods to prevent SQL injection
- Apply output encoding to prevent XSS (context-aware: HTML, JS, URL, CSS)
- Implement CSRF protection with tokens and SameSite cookie attribute
- Add file upload security: type validation, size limits, rename on storage
- Verify: Test each form/endpoint with malicious input samples (e.g.,
<script>alert(1)</script>,' OR 1=1 --)
-
Security Headers Configuration
- Set
Content-Security-Policyheader with restrictive directives - Set
X-Frame-Options: DENY(orSAMEORIGINif framing is needed) - Set
X-Content-Type-Options: nosniff - Set
Referrer-Policy: strict-origin-when-cross-origin - Set
Permissions-Policyto disable unused browser features (camera, microphone, geolocation) - Configure
Strict-Transport-Securitywithmax-age,includeSubDomains - Verify: Check response headers using
curl -Ior browser dev tools to confirm all headers are present
- Set
-
CORS Policy Hardening
- Configure CORS with explicit allowed origins (never use
*in production) - Restrict allowed methods and headers to what is actually needed
- Set
credentials: trueonly when required, with specific origins - Verify: Test cross-origin requests from unauthorized origins to confirm they are blocked
- Configure CORS with explicit allowed origins (never use
-
Secrets and Configuration Security
- Move all hardcoded secrets to environment variables or a secrets manager
- Add secret patterns to
.gitignore(.env,*.pem,*.key) - Rotate any secrets that were previously committed to version control
- Use different secrets for each environment (dev, staging, production)
- Verify: Search codebase with
grep -rfor common secret patterns (API keys, passwords, tokens)
-
Data Protection and Encryption
- Encrypt sensitive data at rest (PII, payment data, credentials)
- Use secure key management: never store encryption keys alongside encrypted data
- Implement proper password hashing with unique salts
- Sanitize sensitive data from logs, error messages, and API responses
- Verify: Review log output and error responses to confirm no sensitive data leaks
-
Dependency and Supply Chain Security
- Audit all dependencies for known vulnerabilities (
npm audit,pip-audit,bundle audit) - Update vulnerable dependencies to patched versions
- Pin dependency versions with lockfiles (
package-lock.json,Pipfile.lock,Gemfile.lock) - Remove unused dependencies to reduce attack surface
- Verify: Run vulnerability scanner after updates to confirm zero known vulnerabilities
- Audit all dependencies for known vulnerabilities (
-
Secure Error Handling
- Configure error handling to never expose stack traces, internal paths, or system details to users
- Return generic error messages to clients; log detailed errors server-side
- Implement proper logging for security events (failed logins, permission denials, input validation failures)
- Add structured logging with correlation IDs for incident investigation
- Verify: Trigger errors in each endpoint and confirm responses contain no internal details
-
Security Testing and Validation
- Add security-focused test cases: injection attempts, auth bypass, privilege escalation
- Integrate SAST tools into the CI/CD pipeline (e.g., Semgrep, Bandit, ESLint security plugins)
- Configure dependency vulnerability scanning in CI (e.g., Dependabot, Snyk)
- Create a security checklist for code reviews
- Verify: Run the full test suite and SAST scan to confirm all checks pass
Related Skills
stevefeldman/dependency-security-audit
development
VerifiedTrustedCommunity
Use when reviewing Dependabot alerts, npm audit findings, govulncheck output, or CVE reports on a JavaScript/Node.js or Go project — especially when triaging multiple alerts across direct and transitive dependencies to assess real-world risk and produce a remediation plan.
3SKILL.mdUpdated May 28, 2026
stevefeldman/pr-evidence
development
VerifiedTrustedCommunity
Use when a code review finding needs proof — write a focused test in JavaScript or Go that either confirms the issue is real or exposes it as over-engineering hyperbole. Trigger after code-review or code-review-skill findings are presented and evidence is requested.
3SKILL.mdUpdated May 22, 2026
stevefeldman/software-estimation
development
VerifiedTrustedCommunity
Produce data-driven software delivery estimates by analyzing historical JIRA tickets, git activity, and engineer track records, then matching the new work against the most similar past tickets. Use this skill whenever the user asks "how long will this take", wants to estimate a piece of work, scope an epic, plan a sprint, or estimate delivery for JIRA stories or a Figma design. Also use whenever the user wants developer-to-work assignment recommendations based on history, wants to optimize an estimate by adding or reallocating engineers, or asks "what's the fastest way to ship this" or "who should work on this". Especially trigger when the user provides JIRA ticket IDs, JIRA story links, or Figma designs together with any indication of a team that will execute the work.
3SKILL.mdUpdated May 16, 2026
stevefeldman/automation-rubric
tools
VerifiedTrustedCommunity
Use when auditing an existing test suite for quality and coverage gaps, evaluating Playwright migration readiness, scoring automation against a world-class e-commerce standard, or guiding the creation of new tests. Applicable to Selenium, WebdriverIO, and Playwright suites.
3SKILL.mdUpdated May 12, 2026