secure-coding
Implementing OWASP Proactive Controls (Input Validation, Output Encoding, AuthZ/AuthN).
Best use case
secure-coding is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using secure-coding should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/secure-coding/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How secure-coding Compares
| Feature / Agent | secure-coding | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implementing OWASP Proactive Controls (Input Validation, Output Encoding, AuthZ/AuthN).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# secure-coding Skill
This skill guides the implementation of security controls *during* development (Shift Left).
## 1. Input Validation (Defense)
> "Never trust input."
- **Syntactic Validation**: Is it an email? Is it a number? (Use Zod/Pydantic).
- **Semantic Validation**: Is `start_date` before `end_date`? Is `transfer_amount` > 0?
- **Allow-list**: Only accept known good characters (e.g., `[a-zA-Z0-9]`). Block everything else.
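An added example (not part of the skill's SKILL.md) that applies all three layers to a transfer request; the field names `transfer_amount`, `start_date` and `end_date` come from the bullets above, while the account-id allow-list, the request shape and the `validateTransfer` name are assumptions for illustration:

```javascript
// Added example, not the skill's own code. Field names follow the section;
// the account-id pattern and the request shape are assumed.
const ACCOUNT_ID = /^[a-zA-Z0-9]{6,20}$/; // allow-list: these characters only, nothing else
const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/;  // check the shape before Date.parse ever sees it

function validateTransfer(req) {
  const errors = [];
  if (typeof req !== "object" || req === null) {
    return { ok: false, errors: ["body: must be a JSON object"] };
  }
  // 1. Syntactic: each field has the expected type and shape (allow-list, not deny-list)
  for (const field of ["from_account", "to_account"]) {
    if (typeof req[field] !== "string" || !ACCOUNT_ID.test(req[field])) {
      errors.push(`${field}: must match ${ACCOUNT_ID}`);
    }
  }
  if (typeof req.transfer_amount !== "number" || !Number.isFinite(req.transfer_amount)) {
    errors.push("transfer_amount: must be a finite number"); // "25" as a string is rejected
  }
  for (const field of ["start_date", "end_date"]) {
    const v = req[field];
    if (typeof v !== "string" || !ISO_DATE.test(v) || Number.isNaN(Date.parse(v))) {
      errors.push(`${field}: must be a YYYY-MM-DD date`);
    }
  }
  // Semantic rules only make sense on syntactically valid data, so stop here on failure
  if (errors.length > 0) return { ok: false, errors };

  // 2. Semantic: relationships between fields that no single-field check can express
  if (req.transfer_amount <= 0) errors.push("transfer_amount: must be greater than 0");
  if (Date.parse(req.start_date) >= Date.parse(req.end_date)) {
    errors.push("start_date: must be before end_date");
  }
  if (req.from_account === req.to_account) {
    errors.push("to_account: must differ from from_account");
  }
  return { ok: errors.length === 0, errors };
}
```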
## 2. Output Encoding (Defense)
> "Context matters."
- **HTML Context**: Escape `<` -> `&lt;`. (Prevent XSS).
- **SQL Context**: Use Parameterized Queries. (Prevent SQLi).
- **JSON Context**: Ensure valid JSON structure.
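An added example (not code from the skill) that encodes the same untrusted value for each of the three contexts above; `renderProfile`, `jsonForScript` and `buildUserLookup` are illustrative names, and the `$1` placeholder style is node-postgres's (other drivers use `?` or named parameters, the principle is the same):

```javascript
// Added example, not the skill's own code. Names and the placeholder style are assumed.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// HTML text and attribute context: neutralise the five characters that can change structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// JSON context inside a <script> block: JSON.stringify yields valid JSON, but a literal
// "</script>" inside a string would still close the element, so characters HTML cares
// about are written as \uXXXX escapes, which JSON.parse turns back into the original.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// SQL context: the statement is fixed text, the untrusted value travels as a bound
// parameter, so the driver never has to parse data as SQL.
function buildUserLookup(untrustedEmail) {
  return { text: "SELECT id, name FROM users WHERE email = $1", values: [untrustedEmail] };
}

// One untrusted field (user.name) lands in three places, each with its own encoder.
function renderProfile(user) {
  return [
    `<h1>${escapeHtml(user.name)}</h1>`,
    `<a title="${escapeHtml(user.name)}" href="/u/${encodeURIComponent(user.id)}">profile</a>`,
    `<script>window.__USER__ = ${jsonForScript({ name: user.name })};</script>`,
  ].join("\n");
}
```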
## 3. Authentication & Authorization
- **NIST Guidelines**:
  - Passwords: Min 12 chars, no complexity rules, check against pwned passwords.
  - MFA: Required for admin/privileged actions.
  - Sessions: Absolute timeout (e.g., 12 hours) + Idle timeout (e.g., 30 mins).
- **Authorization**:
  - **Broken**: `if (user.isAdmin)` (Client-side check).
  - **Fixed**: `if (ctx.user.hasPermission('delete:user'))` (Server-side check).
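An added example (not the skill's own code) that implements the session timeouts and the server-side `hasPermission` check from this section together; the in-memory session store, the role-to-permission map and the handler shape are assumptions:

```javascript
// Added example, not the skill's own code. Store, role map and handler shape are assumed.
const ABSOLUTE_TIMEOUT_MS = 12 * 60 * 60 * 1000; // 12 hours, as in the section
const IDLE_TIMEOUT_MS = 30 * 60 * 1000;          // 30 minutes

// Role -> permissions, held on the server (a real app would load this from its policy store)
const ROLE_PERMISSIONS = {
  viewer: new Set(["read:user"]),
  admin: new Set(["read:user", "delete:user"]),
};

// Look up a session by id. Returns its user, or null when the id is unknown, the
// session is older than the absolute limit, or it has been idle too long.
function resolveSession(store, sessionId, now) {
  const session = store.get(sessionId);
  if (!session) return null;
  const tooOld = now - session.createdAt > ABSOLUTE_TIMEOUT_MS;
  const tooIdle = now - session.lastSeenAt > IDLE_TIMEOUT_MS;
  if (tooOld || tooIdle) {
    store.delete(sessionId); // expired sessions are dropped, never silently extended
    return null;
  }
  session.lastSeenAt = now; // activity refreshes the idle clock, not the absolute one
  return session.user;
}

// The "Fixed" check: permission derives from the role stored with the session,
// not from anything the client claims about itself.
function hasPermission(user, permission) {
  const perms = ROLE_PERMISSIONS[user.role];
  return perms !== undefined && perms.has(permission);
}

// Handler for DELETE /users/:userId. A client-supplied req.body.isAdmin is ignored on purpose.
function deleteUserHandler(store, req, now) {
  const user = resolveSession(store, req.cookies.sid, now);
  if (!user) return { status: 401, error: "not authenticated" };
  if (!hasPermission(user, "delete:user")) return { status: 403, error: "forbidden" };
  return { status: 200, deleted: req.params.userId };
}
```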
## 4. Cryptography
- **At Rest**: Use AES-256-GCM (Authenticated Encryption).
- **In Transit**: TLS 1.3 only.
- **Hashing**: Argon2id or bcrypt (work factor > 12).
- **Secrets**: Never hardcode. Use `process.env`.
Related Skills
vibe-coding-guardian
Behavioral modifier for AI coding assistants working with non-developers. Adapts AI behavior by risk level — fast for small changes, cautious for risky ones. Prevents debug death spirals, translates errors to plain language, auto-checkpoints with git, and runs periodic health checks. Always active, zero manual trigger needed.
secure-development-lifecycle
Comprehensive SDLC security covering planning, development, testing, deployment, and maintenance with classification-driven controls and AI governance
secure-code-guardian
Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention. Keywords: security, authentication, authorization, OWASP, encryption, vulnerability.
acc-psr-coding-style-knowledge
PSR-1 and PSR-12 coding standards knowledge base for PHP 8.5 projects. Provides quick reference for basic coding standard and extended coding style with detection patterns, examples, and antipattern identification. Use for code style audits and compliance reviews.
write-coding-standards-from-file
Write a coding standards document for a project using the coding styles from the file(s) and/or folder(s) passed as arguments in the prompt.
vibe-coding
Rapidly prototype and build modern, responsive web applications from scratch using current frameworks and libraries. Use when you want to quickly create a new web app with full local control, creative flow, and modern best practices. Local alternative to Lovable, Bolt, and v0.
secure-storage-patterns
expo-secure-store patterns for sensitive data. Use when storing tokens and credentials.
jm-balanced-coding-patterns
jm-balanced-coding-patterns is a set of design patterns and best practices curated by JM to enhance software development efficiency and maintainability, while ensuring code quality and scalability.
frontend-coding
Frontend implementation skill based on the Next.js App Router. Use when implementing UI components, pages, layouts, forms, React Query hooks, and i18n support. Everything under backend/ is out of scope. Follows the Radix UI + Tailwind CSS v4 + TypeScript + next-intl + React Query v5 + Better-Auth patterns.
dev-coding
Implement features as a Principal Engineering Developer
coding-style
Coding style, testing, and PR guidelines for the Kubb ecosystem. Use when writing or reviewing code for the Kubb ecosystem.
coding-standards
Provides coding standards for React Native — performance patterns, consistency rules, and clean React architecture. Use when writing, modifying, or reviewing code.