security

Protect your SaaS app from common vulnerabilities. Use when building auth, handling user data, or deploying features. Covers authentication, data protection, API security, and OWASP Top 10 for non-technical founders using AI tools.

181 stars

Best use case

security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using security should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/4-secure/SKILL.md --create-dirs "https://raw.githubusercontent.com/majiayu000/claude-skill-registry/main/skills/data/4-secure/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/4-secure/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill


SKILL.md Source

# Security

## Security Checklist

```
Security Basics:
- [ ] Authentication required for protected routes
- [ ] Passwords hashed (bcrypt/argon2), never stored plain text
- [ ] API keys in environment variables, not code
- [ ] HTTPS only in production
- [ ] Input validated on server side
- [ ] SQL injection prevented (use parameterized queries)
- [ ] XSS prevented (sanitize user input)
- [ ] CSRF tokens on forms
- [ ] Rate limiting on API endpoints
- [ ] User sessions expire (30min-1hr typical)
```

See [COMMON-VULNS.md](COMMON-VULNS.md) for detailed checks.

---

## Critical: Never Store These in Code

**Move to environment variables:**
- Database passwords
- API keys (Stripe, SendGrid, etc)
- JWT secrets
- OAuth client secrets
- Encryption keys

**Tell AI:**
```
Store API keys in .env file, not in code.
Add .env to .gitignore.
Access via process.env.API_KEY
```

---

## Authentication Basics

**Minimum requirements:**
- Passwords: 8+ chars, require number/symbol
- Hash passwords (bcrypt with 10+ rounds)
- Email verification for signups
- Password reset via email only
- Sessions expire (30-60 min idle)
- Logout clears session completely

**Tell AI:**
```
Add authentication:
- bcrypt for password hashing (12 rounds)
- Email verification required
- Session timeout: 30 minutes
- Password requirements: 8+ chars, 1 number, 1 symbol
```

See [SECURITY-PROMPTS.md](SECURITY-PROMPTS.md) for implementation details.

---

## Data Protection

**Always protect (hash or encrypt):**
- Passwords (hashed, not encrypted)
- Payment info (use Stripe, don't store cards)
- Personally identifiable information (PII)

**Never log:**
- Passwords (even hashed)
- Credit card numbers
- API keys
- Session tokens

**Tell AI:**
```
Never log sensitive data.
Replace passwords/tokens with "[REDACTED]" in logs.
```
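"Replace passwords/tokens with [REDACTED] in logs" is easy to state and easy to forget on the one log line that dumps a whole request object. The added example below (my code, not from the SKILL.md or the project it comes from) is a redaction pass you run over every log payload before it is serialized: it masks values under sensitive keys, masks bearer tokens wherever they appear as values, and masks card-number-shaped digit runs only when they pass the Luhn check so order numbers are left alone. The key list and the `toLogLine` name are assumptions; extend the list for your own field names.

```javascript
// Added example: redact secrets from a log payload before it is written.
// Key names, the regexes and function names are assumptions for this demo.

// Keys whose values are always masked, whatever they contain.
const SENSITIVE_KEYS = /^(password|passwd|pwd|token|access_token|refresh_token|session|sessionid|session_id|api[-_]?key|secret|client_secret|authorization|cookie|set-cookie)$/i;
// 13-19 digits with optional single spaces/dashes between them (card-number shape).
const CARD_SHAPE = /\b\d(?:[ -]?\d){12,18}\b/g;
// A bearer token used as a value, e.g. in a copied header.
const BEARER = /^Bearer\s+\S+/i;

// Luhn check: true for real card-style numbers, false for most random digit runs.
function luhnValid(s) {
  const digits = s.replace(/\D/g, '');
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Recursively returns a redacted copy; the input object is not mutated.
function redact(value, key = '') {
  if (SENSITIVE_KEYS.test(key)) return '[REDACTED]';
  if (typeof value === 'string') {
    if (BEARER.test(value)) return 'Bearer [REDACTED]';
    return value.replace(CARD_SHAPE, m => (luhnValid(m) ? '[REDACTED]' : m));
  }
  if (Array.isArray(value)) return value.map(v => redact(v));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redact(v, k);
    return out;
  }
  return value; // numbers, booleans, null pass through unchanged
}

// One JSON line per event, with secrets stripped. Use this everywhere a
// request, user record or error context is logged.
function toLogLine(event) {
  return JSON.stringify(redact(event));
}

module.exports = { redact, toLogLine, luhnValid };
```

Run `toLogLine` on the object you were about to pass to `console.log`; a constructed sample such as `{ user: 'ana', password: 'hunter2', headers: { Authorization: 'Bearer abc.def' } }` comes out with both secret values replaced and the rest intact.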

---

## API Security

**Required for all API endpoints:**
- Authentication check
- Rate limiting (prevent abuse)
- Input validation
- Error messages don't leak info

**Tell AI:**
```
Add to all API routes:
- Require valid auth token
- Rate limit: 100 requests/minute per IP
- Validate all inputs (reject invalid)
- Generic error messages (no stack traces to users)
```

---

## Common Vulnerabilities

**Most common in AI-built apps:**

1. **Exposed API keys** - In code instead of .env
2. **No rate limiting** - APIs can be spammed
3. **Missing auth checks** - Routes accessible without login
4. **SQL injection** - Raw SQL with user input
5. **XSS attacks** - Unescaped user content displayed

See [COMMON-VULNS.md](COMMON-VULNS.md) for how to check.

---

## Security Prompts for AI

**Adding authentication:**
```
Add authentication to this route.
Require valid JWT token.
Return 401 if missing/invalid.
Don't expose error details.
```

**Rate limiting:**
```
Add rate limiting:
- 100 requests/minute per IP
- Return 429 "Too many requests" if exceeded
- Use sliding window, not fixed
```
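Both the API Security section and the rate limiting prompt above ask for the same thing: 100 requests per minute per IP, a 429 when exceeded, and a sliding window rather than a fixed one (a fixed window lets a client send 200 requests in two seconds across the minute boundary). The added example below (my code, not from the SKILL.md or the project) implements that limiter in plain Node with an injectable clock so it can be tested deterministically, plus an Express-style middleware wrapper that sets `Retry-After`. The class and function names, the in-memory `Map` store and the `req.ip` field are assumptions; a multi-process deployment needs a shared store such as Redis, and behind a proxy `req.ip` must come from a proxy you trust.

```javascript
// Added example: sliding-window rate limiter, 100 requests/minute per IP,
// and a middleware wrapper that answers 429 with Retry-After.
// Names, the in-memory store and the Express-style (req, res, next) shape
// are assumptions for this demo.

class SlidingWindowLimiter {
  constructor({ limit = 100, windowMs = 60_000 } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> ascending array of request timestamps (ms)
  }

  // Decide whether a request from `ip` at time `now` is allowed.
  // Timestamps older than the window are discarded first, so the count is
  // always "requests in the last windowMs", not "requests since a boundary".
  check(ip, now = Date.now()) {
    const cutoff = now - this.windowMs;
    let stamps = this.hits.get(ip) || [];
    let i = 0;
    while (i < stamps.length && stamps[i] <= cutoff) i++;
    if (i > 0) stamps = stamps.slice(i);

    if (stamps.length >= this.limit) {
      // Over limit: do not record this attempt, so memory per IP stays
      // bounded by `limit` even under a flood.
      this.hits.set(ip, stamps);
      const retryAfterMs = stamps[0] + this.windowMs - now;
      return { allowed: false, remaining: 0, retryAfterSec: Math.max(1, Math.ceil(retryAfterMs / 1000)) };
    }
    stamps.push(now);
    this.hits.set(ip, stamps);
    return { allowed: true, remaining: this.limit - stamps.length, retryAfterSec: 0 };
  }

  // Drop IPs with no requests inside the window; call periodically.
  prune(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [ip, stamps] of this.hits) {
      if (stamps.length === 0 || stamps[stamps.length - 1] <= cutoff) this.hits.delete(ip);
    }
    return this.hits.size;
  }
}

// Middleware: 429 with a generic body when the limit is hit, otherwise next().
function rateLimitMiddleware(limiter) {
  return function (req, res, next) {
    const ip = req.ip; // assumption: populated by a trusted proxy setup
    const r = limiter.check(ip);
    res.setHeader('X-RateLimit-Limit', String(limiter.limit));
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.retryAfterSec));
      res.status(429).json({ error: 'Too many requests' });
      return;
    }
    next();
  };
}

module.exports = { SlidingWindowLimiter, rateLimitMiddleware };
```

Mount it before the route handlers (`app.use(rateLimitMiddleware(new SlidingWindowLimiter()))` in Express) so the check runs before any database work, and keep the 429 body generic, matching the "no error details" rule elsewhere in this checklist.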

**Input validation:**
```
Validate all user inputs:
- Email: valid format
- Password: 8+ chars, 1 number, 1 symbol
- Username: alphanumeric only, 3-20 chars
Reject invalid input with clear error message
```
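The prompt above lists the rules; the added example below (my code, not from the SKILL.md or the project) is what the resulting server-side validator should look like. It normalizes the raw body defensively (non-string fields count as missing), collects every failing rule with a field-level message instead of stopping at the first, and rejects fields the endpoint does not expect so a client cannot smuggle in something like an `isAdmin` flag. The email regex, the maximum lengths and the function name are assumptions; the prompt only states the minimums.

```javascript
// Added example: server-side validation for a signup body (email, password,
// username) returning clear per-field errors. Limits beyond the prompt's
// stated rules, the email pattern and the function name are assumptions.

// Pragmatic email shape check (one "@", a dot in the domain, no whitespace).
// Real deliverability is confirmed by the verification email, not by regex.
const EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const USERNAME = /^[A-Za-z0-9]{3,20}$/;
const ALLOWED_FIELDS = ['email', 'password', 'username'];

function validateSignup(input) {
  const errors = [];
  const body = input && typeof input === 'object' ? input : {};

  // Coerce to strings so a JSON number/array/null never reaches .length or regex.
  const email = typeof body.email === 'string' ? body.email.trim() : '';
  const password = typeof body.password === 'string' ? body.password : '';
  const username = typeof body.username === 'string' ? body.username : '';

  if (email === '') {
    errors.push({ field: 'email', message: 'Email is required' });
  } else if (email.length > 254 || !EMAIL.test(email)) {
    errors.push({ field: 'email', message: 'Email must be a valid address' });
  }

  if (password.length < 8) {
    errors.push({ field: 'password', message: 'Password must be at least 8 characters' });
  } else if (password.length > 128) {
    errors.push({ field: 'password', message: 'Password must be at most 128 characters' });
  }
  if (!/\d/.test(password)) {
    errors.push({ field: 'password', message: 'Password must contain at least 1 number' });
  }
  if (!/[^A-Za-z0-9\s]/.test(password)) {
    errors.push({ field: 'password', message: 'Password must contain at least 1 symbol' });
  }

  if (!USERNAME.test(username)) {
    errors.push({ field: 'username', message: 'Username must be 3-20 letters or digits' });
  }

  // Reject anything the endpoint did not ask for (mass-assignment guard).
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.includes(key)) {
      errors.push({ field: key, message: 'Unknown field' });
    }
  }

  if (errors.length > 0) return { ok: false, errors };
  // Only the cleaned values are returned; the route should use these, not `input`.
  return { ok: true, value: { email: email.toLowerCase(), password, username } };
}

module.exports = { validateSignup };
```

In the route, `if (!result.ok) return res.status(400).json({ errors: result.errors })` gives the user the clear message the prompt asks for without echoing the raw input back; on success, hash `result.value.password` and persist `result.value`, never the original body.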

See [SECURITY-PROMPTS.md](SECURITY-PROMPTS.md) for more.

---

## Pre-Launch Security Review

**Before deploying:**

```
Production Security:
- [ ] All secrets in environment variables
- [ ] HTTPS enforced (no HTTP)
- [ ] Database backups configured
- [ ] Rate limiting on all APIs
- [ ] Error pages don't show stack traces
- [ ] Admin routes protected
- [ ] File uploads validated (type, size)
- [ ] CORS configured (not wildcard "*")
```

---

## When to Get Security Audit

**Signs you need expert review:**
- Handling payments directly (not Stripe)
- Storing health/financial data
- Multi-tenant with data isolation
- Over 1,000 users
- Processing sensitive PII

**For most MVPs:** Following this checklist is sufficient.

---

## Common Founder Mistakes

| Mistake | Fix |
|---------|-----|
| API keys in code | Move to .env |
| No rate limiting | Add to all endpoints |
| Plain text passwords | Use bcrypt |
| HTTP in production | Force HTTPS |
| Accepting all CORS | Whitelist domains |
| No input validation | Validate server-side |
| Detailed error messages | Generic messages only |

---

## Quick Wins

**Easy security improvements:**

1. Add Helmet.js (Node) - Sets security headers
2. Use HTTPS everywhere - Force in production
3. Add rate limiting - Prevents abuse
4. Environment variables - Keep secrets safe
5. Update dependencies - Fix known vulnerabilities

**Tell AI:**
```
Add helmet.js for security headers.
Configure for production (HTTPS, CSP, XSS protection).
```

---

## Testing Security

**Quick checks:**

**Exposed secrets:**
```bash
grep -r "api_key" src/
grep -r "password" src/
# Should only find references to env vars
```

**No auth bypass:**
- Try accessing protected routes without login
- Should redirect to login or return 401

**Rate limiting works:**
- Hit API endpoint 100 times quickly
- Should get 429 error

---

## Success Looks Like

✅ No secrets in code (all in .env)  
✅ Can't access protected routes without auth  
✅ Passwords hashed, never stored plain text  
✅ Rate limiting prevents abuse  
✅ HTTPS enforced in production  
✅ Input validated on server side
