Security Skill — AuditKit
This skill is auto-included in the generated ZIP when the Security pillar score is below 90.
10 stars
bynirholas
Best use case
Security Skill — AuditKit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
This skill is auto-included in the generated ZIP when the Security pillar score is below 90.
Teams using Security Skill — AuditKit should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
$curl -o ~/.claude/skills/security/SKILL.md --create-dirs "https://raw.githubusercontent.com/nirholas/AuditKit/main/.agents/skills/security/SKILL.md"
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Security Skill — AuditKit Compares
| Feature / Agent | Security Skill — AuditKit | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
This skill is auto-included in the generated ZIP when the Security pillar score is below 90.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Skill — AuditKit
This skill is auto-included in the generated ZIP when the Security pillar score is below 90.
## HTTP Security Headers
Add all of these to every response. Vercel users: add to `vercel.json`. Next.js users: add to `next.config.ts`.
### next.config.ts
```typescript
const securityHeaders = [
{
key: 'Strict-Transport-Security',
value: 'max-age=63072000; includeSubDomains; preload',
},
{
key: 'Content-Security-Policy',
value: [
"default-src 'self'",
"script-src 'self' 'unsafe-inline' 'unsafe-eval'", // tighten after audit
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https:",
"font-src 'self'",
"connect-src 'self'",
"frame-ancestors 'none'",
].join('; '),
},
{
key: 'X-Frame-Options',
value: 'DENY',
},
{
key: 'X-Content-Type-Options',
value: 'nosniff',
},
{
key: 'Referrer-Policy',
value: 'strict-origin-when-cross-origin',
},
{
key: 'Permissions-Policy',
value: 'camera=(), microphone=(), geolocation=()',
},
]
export default {
async headers() {
return [{ source: '/(.*)', headers: securityHeaders }]
},
}
```
### vercel.json
```json
{
"headers": [
{
"source": "/(.*)",
"headers": [
{ "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload" },
{ "key": "X-Frame-Options", "value": "DENY" },
{ "key": "X-Content-Type-Options", "value": "nosniff" },
{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
{ "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" }
]
}
]
}
```
## HTTPS
- Ensure your domain has a valid TLS certificate
- Redirect all HTTP → HTTPS (Vercel does this automatically)
- Use HSTS preloading: https://hstspreload.org
## Content Security Policy (CSP)
Start permissive, then tighten:
```
# Start with report-only to find violations without breaking site:
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report
```
## Hide Server Information
```typescript
// next.config.ts — remove X-Powered-By header
export default {
poweredByHeader: false,
}
```
## Dependency Security
```bash
# Check for known vulnerabilities
pnpm audit
# Auto-fix where possible
pnpm audit --fix
```
Enable Dependabot in `.github/dependabot.yml`:
```yaml
version: 2
updates:
- package-ecosystem: npm
directory: /
schedule:
interval: weekly
```
## Security.txt
Create `public/.well-known/security.txt` so researchers know how to report vulnerabilities:
```
Contact: https://github.com/yourrepo/security/advisories/new
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
```Related Skills
We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.