security-patterns

Zero-trust security patterns for frontend and backend

Best use case

security-patterns is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using security-patterns should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/security-patterns/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/development/security-patterns/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-patterns/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-patterns Compares

| Feature / Agent | security-patterns | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Zero-trust security patterns for frontend and backend

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Patterns Skill

Enforce zero-trust security across frontend and backend.

## When to Use

Automatically activate when:
- Implementing authentication/authorization
- Handling tokens or sessions
- Writing API endpoints
- Storing sensitive data

---

## Zero Trust Principles

> **Never Trust, Always Verify, Least Privilege**

1. Every request is authenticated
2. Every action is authorized
3. Minimal permissions granted
4. All data encrypted at rest and in transit
5. Complete audit trail

---

## Frontend Security (Angular)

### Token Storage — Memory ONLY

```typescript
// ✅ CORRECT - Store in memory
import { Injectable, signal } from '@angular/core';

@Injectable({ providedIn: 'root' })
export class AuthService {
  private accessToken = signal<string | null>(null);
  private refreshToken = signal<string | null>(null);

  setTokens(access: string, refresh: string) {
    this.accessToken.set(access);
    this.refreshToken.set(refresh);
  }

  clearTokens() {
    this.accessToken.set(null);
    this.refreshToken.set(null);
  }
}

// ❌ WRONG - Never use localStorage
localStorage.setItem('token', token);  // FORBIDDEN
sessionStorage.setItem('token', token);  // FORBIDDEN
```

### XSS Prevention

```typescript
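// ✅ Use Angular's built-in sanitization
import { Component, SecurityContext, inject } from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser';

@Component({...})
class SafeComponent {
  private sanitizer = inject(DomSanitizer);

  // sanitize() strips scripts and event handlers from untrusted HTML.
  // Angular applies the same sanitization to [innerHTML] bindings by default.
  safeHtml = this.sanitizer.sanitize(SecurityContext.HTML, userContent);
}

// ❌ WRONG - Never bypass sanitization for user-controlled content.
// bypassSecurityTrustHtml() disables sanitization; use it only when absolutely
// necessary, and only on HTML the application fully controls.
trustedHtml = this.sanitizer.bypassSecurityTrustHtml(userContent);  // DANGEROUS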
```

### Auto-Logout on Inactivity

```typescript
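import { Injectable, inject } from '@angular/core';
import { Router } from '@angular/router';

@Injectable({ providedIn: 'root' })
export class InactivityService {
  // AuthService is the in-memory token service from "Token Storage" above
  private readonly authService = inject(AuthService);
  private readonly router = inject(Router);
  private readonly TIMEOUT_MS = 15 * 60 * 1000; // 15 minutes
  private timeoutId?: number;

  // Call on user activity to restart the countdown
  resetTimer() {
    clearTimeout(this.timeoutId);
    this.timeoutId = window.setTimeout(() => this.logout(), this.TIMEOUT_MS);
  }

  private logout() {
    this.authService.clearTokens();
    this.router.navigate(['/login']);
  }
}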
```

### Clear PII on Logout

```typescript
async logout() {
  // Clear all sensitive data
  this.accessToken.set(null);
  this.refreshToken.set(null);
  this.userProfile.set(null);

  // Clear IndexedDB
  await this.indexedDb.clear();

  // Clear Cache Storage (the caches a service worker populates)
  if ('caches' in window) {
    const cacheNames = await window.caches.keys();
    await Promise.all(cacheNames.map(name => window.caches.delete(name)));
  }
}
```

---

## Backend Security (Spring Boot)

### Method-Level Authorization

```java
@RestController
@RequestMapping("/api/v1/learners")
@RequiredArgsConstructor
public class LearnerController {

    @GetMapping
    @PreAuthorize("hasAnyRole('TEACHER', 'ADMIN')")
    public List<LearnerResponse> listLearners() { ... }

    @PostMapping
    @PreAuthorize("hasRole('ADMIN')")
    public LearnerResponse createLearner(@Valid @RequestBody CreateLearnerRequest request) { ... }

    @DeleteMapping("/{id}")
    @PreAuthorize("hasRole('SUPER_ADMIN')")
    public void deleteLearner(@PathVariable UUID id) { ... }
}
```

### PII Masking in Responses

```java
public record LearnerResponse(
    UUID id,
    @JsonSerialize(using = MaskedStringSerializer.class)
    String lrn,          // Returns: "****8901"
    String firstName,
    @JsonSerialize(using = MaskedStringSerializer.class)
    String birthDate     // Returns: "****-**-15"
) {}
```

### Audit Logging

```java
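@Aspect
@Component
@RequiredArgsConstructor
public class AuditAspect {

    // Repository type name is assumed; the original snippet only shows the field in use
    private final AuditRepository auditRepository;

    @Around("@annotation(Auditable)")
    public Object audit(ProceedingJoinPoint pjp) throws Throwable {
        AuditLog log = AuditLog.builder()
            // Name of the authenticated principal from Spring Security
            .userId(SecurityContextHolder.getContext().getAuthentication().getName())
            .tenantId(TenantContext.getTenantId())
            .action(pjp.getSignature().getName())
            .timestamp(Instant.now())
            .build();

        try {
            Object result = pjp.proceed();
            log.setStatus("SUCCESS");
            return result;
        } catch (Exception e) {
            log.setStatus("FAILURE");
            // Exception messages can contain request data; keep PII out of the audit store
            log.setError(e.getMessage());
            throw e;
        } finally {
            // Runs on both paths, so failed attempts are recorded too
            auditRepository.save(log);
        }
    }
}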
```

### Input Validation

```java
public record CreateLearnerRequest(
    @NotBlank
    @Size(max = 100)
    @Pattern(regexp = "^[a-zA-Z\\s]+$", message = "Only letters allowed")
    String firstName,

    @NotNull
    @Pattern(regexp = "\\d{12}", message = "LRN must be 12 digits")
    String lrn,

    @NotNull
    @Past(message = "Birth date must be in the past")
    LocalDate birthDate
) {}
```

---

## API Security

### OAuth2 + PKCE Flow

```
1. Client generates code_verifier (high-entropy random string, 43-128 characters)
2. Client creates code_challenge = BASE64URL(SHA256(code_verifier))
3. Client redirects to /authorize?code_challenge=...&code_challenge_method=S256
4. User authenticates
5. Server returns authorization_code
6. Client exchanges code + code_verifier for tokens
7. Server validates BASE64URL(SHA256(code_verifier)) == code_challenge
```
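The flow above as a runnable sketch, added here as an example and not part of the original SKILL.md. It runs client and server sides in one Node process; the in-memory `pending` store and all function names are assumptions for illustration, and the challenge uses the unpadded base64url encoding of the SHA-256 digest that RFC 7636 defines for the `S256` method.

```typescript
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

// RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))), without padding.
function s256Challenge(codeVerifier: string): string {
  return createHash('sha256').update(codeVerifier, 'ascii').digest('base64url');
}

// Step 1 (client): 32 random bytes encode to a 43-character verifier.
function generateVerifier(): string {
  return randomBytes(32).toString('base64url');
}

// Hypothetical in-memory authorization server state, for illustration only.
interface PendingCode { challenge: string; used: boolean }
const pending = new Map<string, PendingCode>();

// Steps 3-5 (server): bind the issued authorization_code to the challenge.
function authorize(codeChallenge: string, method: string): string {
  if (method !== 'S256') throw new Error('only S256 is accepted'); // refuse "plain"
  const code = randomBytes(16).toString('hex');
  pending.set(code, { challenge: codeChallenge, used: false });
  return code;
}

// Steps 6-7 (server): recompute the challenge from the verifier and compare.
function redeem(code: string, codeVerifier: string): boolean {
  const entry = pending.get(code);
  if (!entry || entry.used) return false;   // unknown or replayed code
  entry.used = true;                        // single use, even if the check fails
  // Verifier must be 43-128 unreserved characters
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(codeVerifier)) return false;
  const expected = Buffer.from(entry.challenge);
  const actual = Buffer.from(s256Challenge(codeVerifier));
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}
```

An intercepted `authorization_code` is useless without the verifier, which never leaves the client until the token exchange.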

### Rate Limiting

```java
@Configuration
public class RateLimitConfig {

    @Bean
    public RateLimiter rateLimiter() {
        return RateLimiter.of("api", RateLimiterConfig.custom()
            .limitForPeriod(100)           // 100 requests
            .limitRefreshPeriod(Duration.ofMinutes(1))
            .timeoutDuration(Duration.ofMillis(500))
            .build());
    }
}
```

---

## Data Encryption

### At Rest (Database)

```sql
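-- pgcrypto provides pgp_sym_encrypt / pgp_sym_decrypt
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Encrypt sensitive columns
CREATE TABLE learners (
    id UUID PRIMARY KEY,
    lrn BYTEA,  -- Stored encrypted (pgp_sym_encrypt returns bytea)
    first_name TEXT,
    birth_date DATE
);

-- Use pgcrypto for column encryption.
-- 'encryption-key' is a placeholder: pass the key as a bind parameter from
-- the application's secret store rather than embedding it in SQL text.
INSERT INTO learners (id, lrn, first_name, birth_date)
VALUES (
    gen_random_uuid(),
    pgp_sym_encrypt('123456789012', 'encryption-key'),
    'Juan',
    '2010-01-15'
);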
```

### In Transit

- TLS 1.3 for all connections
- mTLS between services
- Certificate pinning in mobile apps

---

## Security Headers (CSP)

```java
@Configuration
public class SecurityHeadersConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("default-src 'self'; script-src 'self'"))
                .frameOptions(frame -> frame.deny())
                .xssProtection(xss -> xss.enable()))
            .build();
    }
}
```

---

## Checklist

### Frontend
- [ ] Tokens stored in memory only
- [ ] XSS prevention (Angular sanitization + CSP)
- [ ] 15-minute inactivity auto-logout
- [ ] Clear all PII on logout
- [ ] Certificate pinning (mobile)

### Backend
- [ ] `@PreAuthorize` on all controller methods
- [ ] PII masking in responses
- [ ] Audit logging for all data access
- [ ] Input validation with Bean Validation
- [ ] Rate limiting per tenant

### Infrastructure
- [ ] TLS 1.3 everywhere
- [ ] HSM for key management
- [ ] WAF + DDoS protection
- [ ] SIEM/SOAR integration
