secure-coding-practices
Secure coding practices and defensive programming patterns for building security-first applications. Use when implementing authentication, handling user input, managing sensitive data, or conducting secure code reviews.
Best use case
secure-coding-practices is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Secure coding practices and defensive programming patterns for building security-first applications. Use when implementing authentication, handling user input, managing sensitive data, or conducting secure code reviews.
Teams using secure-coding-practices should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/secure-coding-practices/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How secure-coding-practices Compares
| Feature / Agent | secure-coding-practices | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Secure coding practices and defensive programming patterns for building security-first applications. Use when implementing authentication, handling user input, managing sensitive data, or conducting secure code reviews.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# Secure Coding Practices Comprehensive guidance for implementing security-first development patterns with defensive programming techniques and proactive threat mitigation strategies. ## When to Use This Skill - Implementing authentication and authorization systems - Processing user input or external data - Handling sensitive data (PII, credentials, financial information) - Building APIs and web services - Managing cryptographic operations (hashing, encryption) - Conducting security-focused code reviews - Establishing secure development standards for teams - Evaluating third-party dependencies and libraries - Designing error handling and logging strategies - Implementing session management and token handling ## Core Security Principles ### Defense in Depth Apply multiple layers of security controls - never rely on a single protection mechanism. ### Fail Securely When errors occur, default to the secure state (deny access, reject input, log event). ### Least Privilege Grant minimum necessary permissions - users, services, and databases should have only required access. ### Trust Nothing Validate all input, encode all output, verify all sources, authenticate all requests. ## Quick Reference | Task | Load reference | | --- | --- | | Input validation & sanitization | `skills/secure-coding-practices/references/input-validation.md` | | Output encoding & XSS prevention | `skills/secure-coding-practices/references/output-encoding.md` | | Authentication & sessions | `skills/secure-coding-practices/references/authentication.md` | | Cryptography & key management | `skills/secure-coding-practices/references/cryptography.md` | | Dependencies & supply chain | `skills/secure-coding-practices/references/dependencies.md` | | Error handling & logging | `skills/secure-coding-practices/references/error-handling.md` | | Secure defaults & configuration | `skills/secure-coding-practices/references/secure-defaults.md` | ## Workflow 1. **Identify security requirements** - Authentication, authorization, data protection, compliance 2. **Load relevant references** - Use Quick Reference table to find specific guidance 3. **Implement security controls** - Apply patterns from references with proper context 4. **Validate implementation** - Test with security scanners, penetration testing, code review 5. **Monitor and maintain** - Regular security audits, dependency updates, vulnerability scanning ## Security Checklist **Input Validation:** - [ ] Validate all user input server-side with allowlists - [ ] Use schema validation libraries (Joi, Yup, Zod) - [ ] Implement strict type checking - [ ] Sanitize file paths and prevent traversal **Output Encoding:** - [ ] Apply context-aware encoding (HTML, JS, URL, SQL) - [ ] Use templating engines with auto-escaping - [ ] Implement Content Security Policy (CSP) - [ ] Set secure HTTP headers (Helmet.js) **Authentication & Authorization:** - [ ] Hash passwords with bcrypt/Argon2 (salt rounds ≥12) - [ ] Implement secure session management - [ ] Use HTTPS-only cookies with HttpOnly and SameSite - [ ] Apply rate limiting on authentication endpoints - [ ] Verify authorization on every request **Cryptography:** - [ ] Use AES-256-GCM for encryption - [ ] Generate keys with crypto.randomBytes() - [ ] Store secrets in environment variables or KMS - [ ] Never roll your own crypto **Dependencies:** - [ ] Run npm audit regularly - [ ] Lock dependency versions in package.json - [ ] Use Snyk/Dependabot for monitoring - [ ] Verify package integrity (SRI for CDN) **Error Handling & Logging:** - [ ] Return generic error messages to users - [ ] Log errors with correlation IDs - [ ] Never log passwords, tokens, or PII - [ ] Monitor security events and alerts ## Common Mistakes - Using client-side validation as sole defense (always validate server-side) - Blocklisting instead of allowlisting (define what's allowed, not forbidden) - Exposing stack traces or internal errors to users - Hardcoding secrets in source code - Using Math.random() for security-critical operations - Not implementing rate limiting on authentication endpoints - Loose equality comparisons allowing type coercion attacks - Trusting user input in database queries (SQL injection) - Missing output encoding based on context (XSS vulnerabilities) - Insufficient password hashing (weak algorithms or low work factor) ## High-Risk Code Patterns Watch for these patterns in code reviews: 1. String concatenation in SQL queries (injection risk) 2. Direct file path construction from user input (traversal risk) 3. eval(), Function(), or exec() with user input (code injection) 4. Deserialization of untrusted data (RCE risk) 5. Hardcoded secrets or credentials (exposure risk) 6. Missing authentication/authorization checks (access control) 7. Weak cryptography (MD5, SHA1, ECB mode) 8. Verbose error messages in production (information disclosure) 9. Missing input validation (injection, DoS) 10. Insecure session configuration (hijacking risk) ## Resources **OWASP Resources:** - **OWASP Top 10**: https://owasp.org/Top10/ - **OWASP Cheat Sheet Series**: https://cheatsheetseries.owasp.org/ - **OWASP ASVS**: Application Security Verification Standard - **OWASP Dependency-Check**: https://owasp.org/www-project-dependency-check/ **Standards & Guidelines:** - **NIST Cybersecurity Framework**: https://www.nist.gov/cyberframework - **NIST SP 800-63B**: Digital Identity Guidelines (Authentication) - **CWE Top 25**: https://cwe.mitre.org/top25/ **Tools:** - **SAST**: SonarQube, Semgrep, CodeQL - **DAST**: OWASP ZAP, Burp Suite - **SCA**: Snyk, npm audit, Dependabot - **Secrets Detection**: TruffleHog, git-secrets
Related Skills
terraform-best-practices
Terraform infrastructure-as-code best practices for scalable and maintainable cloud infrastructure. Use when writing Terraform modules, managing infrastructure state, or implementing infrastructure automation at scale.
writing-skills
Use when creating new skills, editing existing skills, or verifying skills work before deployment - applies TDD to process documentation by testing with subagents before writing, iterating until bulletproof against rationalization
workflow-security-audit
Comprehensive security assessment and remediation. Use for security reviews, compliance checks, vulnerability assessments.
workflow-performance
Systematic performance analysis and optimization. Use when things are slow, need optimization, or preparing for scale.
workflow-feature
Complete feature development workflow from design to deployment. Use when implementing new features or functionality.
workflow-feature-development
Complete workflow for developing new features from design to deployment. Use when starting a new feature, adding functionality, or building something new.
workflow-bug-fix
Systematic approach to identifying, fixing, and validating bug fixes. Use when fixing bugs, resolving issues, or addressing errors.
wiring-audit
User-triggered audit that finds wiring drift between a project's UI surfaces and backend capabilities — orphan surfaces (UI calls endpoints/hooks/procedures that no longer exist), unwired capabilities (backend routes/exports that nothing surfaces), shape drift (both exist but contracts mismatch), method drift (URL matches, HTTP verb does not), validation drift (frontend vs backend rules diverged), permission drift (UI exposes what backend forbids or vice versa), stale labels (UI text references renamed backend concepts), and unsurfaced configuration (env vars or flags that gate behavior with no UI or CLI to control them). This skill should be used when the user asks to "audit our wiring," "find UI/backend drift," "find unwired capabilities," "find stale surfaces," "check for contract violations," "find unused endpoints," "find unused hooks," "what mismatches between UI and backend," or any similar request whose deliverable is a prioritized findings report rather than a descriptive snapshot. Generic across UI frameworks but optimized for React applications (hooks, fetch, react-query, SWR, tRPC, server actions, react-router, Next.js). Not for descriptive architectural snapshots (use architectural-analysis), security audits (use security-auditor), or performance audits (use workflow-performance).
webapp-testing
Toolkit for interacting with and testing local web applications using Playwright. Use when verifying frontend functionality, debugging UI behavior, capturing browser screenshots, and viewing browser logs.
web-researcher
Use this skill when you need to research a topic online, gather information from multiple sources, or evaluate source credibility. Trigger phrases: 'research', 'find information about', 'look up', 'investigate'. Not for academic systematic reviews (use literature-reviewer) or fact-checking specific claims (use fact-checker).
visual-modes
Use when activating visual showcase modes (supersaiyan, kamehameha, over9000) for UI or interaction design - provides mode-specific enhancement checklists.
vibe-security
Comprehensive secure coding guide covering OWASP web vulnerabilities with prevention patterns and checklists. Use when writing or reviewing web application code to prevent XSS, CSRF, SSRF, SQL injection, access control flaws, and other common security vulnerabilities.