common-owasp
OWASP Top 10 audit checklist for Web Applications (2021) and APIs (2023). Use when performing any security review, PR review, or codebase audit touching web, mobile backend, or API code. (triggers: security review, OWASP, broken access control, IDOR, BOLA, injection, broken auth, API review, authorization, access control)
Best use case
common-owasp is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
OWASP Top 10 audit checklist for Web Applications (2021) and APIs (2023). Use when performing any security review, PR review, or codebase audit touching web, mobile backend, or API code. (triggers: security review, OWASP, broken access control, IDOR, BOLA, injection, broken auth, API review, authorization, access control)
Teams using common-owasp should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/common-owasp/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How common-owasp Compares
| Feature / Agent | common-owasp | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
OWASP Top 10 audit checklist for Web Applications (2021) and APIs (2023). Use when performing any security review, PR review, or codebase audit touching web, mobile backend, or API code. (triggers: security review, OWASP, broken access control, IDOR, BOLA, injection, broken auth, API review, authorization, access control)
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
SKILL.md Source
# OWASP Top 10 Security Checklist ## **Priority: P0 (CRITICAL)** ## Always-Apply Rules Apply these on **every code write**, not just during dedicated security reviews: - **No IDOR**: Filter every resource query by `owner_id` or `tenantId` alongside any user-supplied ID. `findById(params.id)` without an owner filter is an immediate P0. - **No wildcard CORS**: Restrict to explicit allowlisted origins — never `Access-Control-Allow-Origin: *` on authenticated routes. - **No full entity return**: Always project to a DTO — never serialize raw ORM output to the API response. ## Context-Specific Checklist Activate when: writing security-sensitive features, reviewing PRs, or doing codebase audits. Mark each item: ✅ not affected | ⚠️ needs review | 🔴 confirmed finding. **P0 finding caps Security score at 40/100.** Apply framework-specific security skills alongside this checklist. See [references/owasp-web.md](references/owasp-web.md) and [references/owasp-api.md](references/owasp-api.md) for full detection signals. ### OWASP Web Application Top 10 (2021) | ID | Risk | Key Detection Signal | | --- | ---- | -------------------- | | A01 | Broken Access Control | `findById(params.id)` without owner filter. Route without `@authorize`. | | A02 | Cryptographic Failures | Weak hash (MD5/SHA1) for passwords. HTTP URL hardcoded. No TLS. | | A03 | Injection | String concat in DB queries. Unsanitized input to templates. XSS. | | A04 | Insecure Design | No rate limiting on auth. Missing input validation at entry points. | | A05 | Security Misconfiguration | CORS `*`. Debug mode in prod. Missing security headers (CSP, HSTS). | | A06 | Vulnerable Components | CVE in dependency audit. Unreviewed new direct dependency. | | A07 | Auth Failures | JWT without expiry. No session invalidation on logout. | | A08 | Data Integrity Failures | Unverified JWT/cookie. Deserialization of untrusted input. | | A09 | Logging & Monitoring | No audit log on: deletion, password change, privilege escalation. | | A10 | SSRF | HTTP client with user-controlled URL and no allowlist. | ### OWASP API Security Top 10 (2023) | ID | Risk | Key Detection Signal | | ----- | ---- | -------------------- | | API1 | Broken Object Level Auth (BOLA) | Resource by user-supplied ID without `AND owner_id = currentUser`. | | API2 | Broken Authentication | JWT missing `exp`. Token not revoked on logout. Bearer in URL. | | API3 | Broken Property Level Auth | Full ORM entity returned. No DTO projection. Mass assignment. | | API4 | Unrestricted Resource Consumption | No server-enforced `limit`/`pageSize`. No throttle on heavy ops. | | API5 | Broken Function Level Auth | Admin route reachable without role guard. | | API6 | Unrestricted Business Flow | No verification on OTP/checkout/password-reset flows. | | API8 | Security Misconfiguration | Stack trace in response. CORS `*` on authenticated routes. | | API9 | Improper Inventory Management | Deprecated/undocumented endpoints still reachable. | | API10 | Unsafe API Consumption | Third-party response used without schema validation. | ## References - [OWASP Web App — Full Detection Signals](references/owasp-web.md) - [OWASP API — Full Detection Signals](references/owasp-api.md)
Related Skills
common-observability
Enforce structured JSON logging, OpenTelemetry distributed tracing, and RED metrics across backend services. Use when adding request correlation, setting up tracing spans, defining SLO burn-rate alerts, or instrumenting middleware. (triggers: **/*.service.ts, **/*.handler.ts, **/*.middleware.ts, **/*.interceptor.ts, **/*.go, **/*.java, **/*.kt, **/*.py, logging, tracing, metrics, opentelemetry, observability, slo)
common-mobile-ux-core
Enforce universal mobile UX principles for touch-first interfaces including touch targets, safe areas, and mobile-specific interaction patterns. Use when building mobile screens, handling touch interactions, or validating safe area compliance. (triggers: **/*_page.dart, **/*_screen.dart, **/*_view.dart, **/*.swift, **/*Activity.kt, **/*Screen.tsx, mobile, responsive, SafeArea, touch, gesture, viewport)
common-mobile-animation
Apply motion design principles for mobile apps covering timing curves, transitions, gestures, and performance-conscious animations. Use when implementing screen transitions, gesture-driven interactions, shared-element animations, or optimizing animation frame rates on iOS, Android, or Flutter. (triggers: **/*_page.dart, **/*_screen.dart, **/*.swift, **/*Activity.kt, **/*Screen.tsx, Animation, AnimationController, Animated, MotionLayout, transition, gesture)
common-error-handling
Cross-cutting standards for error design, response shapes, error codes, and boundary placement across API, domain, and infrastructure layers. Use when defining error hierarchies, wrapping exceptions, building standardized error responses, or placing error boundaries in layered architectures. (triggers: **/*.service.ts, **/*.handler.ts, **/*.controller.ts, **/*.go, **/*.java, **/*.kt, **/*.py, error handling, exception, try catch, error boundary, error response, error code, throw)
common-architecture-diagramming
Standards for creating clear, audience-appropriate C4 and UML architecture diagrams with Mermaid. Use when producing system context diagrams, container views, sequence diagrams, or updating ARCHITECTURE.md files. (triggers: ARCHITECTURE.md, **/*.mermaid, **/*.drawio, diagram, architecture, c4, system design, mermaid)
common-architecture-audit
Audit structural debt, logic leakage, and monolithic components across Web, Mobile, and Backend codebases. Use when reviewing architecture, assessing tech debt, detecting logic in wrong layers, or identifying God classes. (triggers: package.json, pubspec.yaml, go.mod, pom.xml, nest-cli.json, architecture audit, code review, tech debt, logic leakage, refactor)
common-api-design
Apply REST API conventions — HTTP semantics, status codes, versioning, pagination, and OpenAPI standards for any framework. Use when designing endpoints, choosing HTTP methods, implementing pagination, or writing OpenAPI specs. (triggers: **/*.controller.ts, **/*.router.ts, **/*.routes.ts, **/routes/**, **/controllers/**, **/handlers/**, rest api, endpoint, http method, status code, versioning, pagination, openapi, api design, api contract)
common-accessibility
Enforce WCAG 2.2 AA compliance with semantic HTML, ARIA roles, keyboard navigation, and color contrast standards for web UIs. Use when building interactive components, adding form labels, fixing focus traps, or auditing a11y compliance. (triggers: **/*.tsx, **/*.jsx, **/*.html, **/*.vue, **/*.component.html, accessibility, a11y, wcag, aria, screen reader, focus, alt text)
common-workflow-writing
Rules for writing concise, token-efficient workflow and skill files. Prevents over-building that requires costly optimization passes. Use when creating or editing workflow files, SKILL.md files, or new skill definitions. (triggers: .agent/workflows/*.md, SKILL.md, create workflow, write workflow, new skill, new workflow)
common-ui-design
Design distinctive, production-grade frontend UI with bold aesthetic choices. Use when building web components, pages, interfaces, dashboards, or applications in any framework (React, Next.js, Angular, Vue, HTML/CSS). (triggers: build a page, create a component, design a dashboard, landing page, UI for, build a layout, make it look good, improve the design, build UI, create interface, design screen)
common-tdd
Implements a strict Red-Green-Refactor loop to ensure zero production code is written without a prior failing test. Use when: creating new features, fixing bugs, or expanding test coverage. (triggers: **/*.test.ts, **/*.spec.ts, **/*_test.go, **/*Test.java, **/*_test.dart, **/*_spec.rb, tdd, unit test, write test, red green refactor, failing test, test coverage)
common-system-design
Enforce separation of concerns, dependency inversion, and resilience patterns across layered and distributed architectures. Use when designing new features, evaluating module boundaries, selecting architectural patterns, or resolving scalability bottlenecks. (triggers: architecture, design, system, scalability, microservice, module boundary, coupling)