Security Skill — AuditKit

This skill is auto-included in the generated ZIP when the Security pillar score is below 90.

10 stars

Best use case

Security Skill — AuditKit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

This skill is auto-included in the generated ZIP when the Security pillar score is below 90.

Teams using Security Skill — AuditKit should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security/SKILL.md --create-dirs "https://raw.githubusercontent.com/nirholas/AuditKit/main/.agents/skills/security/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Security Skill — AuditKit Compares

Feature / AgentSecurity Skill — AuditKitStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

This skill is auto-included in the generated ZIP when the Security pillar score is below 90.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Skill — AuditKit

This skill is auto-included in the generated ZIP when the Security pillar score is below 90.

## HTTP Security Headers

Add all of these to every response. Vercel users: add to `vercel.json`. Next.js users: add to `next.config.ts`.

### next.config.ts

```typescript
const securityHeaders = [
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains; preload',
  },
  {
    key: 'Content-Security-Policy',
    value: [
      "default-src 'self'",
      "script-src 'self' 'unsafe-inline' 'unsafe-eval'",  // tighten after audit
      "style-src 'self' 'unsafe-inline'",
      "img-src 'self' data: https:",
      "font-src 'self'",
      "connect-src 'self'",
      "frame-ancestors 'none'",
    ].join('; '),
  },
  {
    key: 'X-Frame-Options',
    value: 'DENY',
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff',
  },
  {
    key: 'Referrer-Policy',
    value: 'strict-origin-when-cross-origin',
  },
  {
    key: 'Permissions-Policy',
    value: 'camera=(), microphone=(), geolocation=()',
  },
]

export default {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }]
  },
}
```

### vercel.json

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload" },
        { "key": "X-Frame-Options", "value": "DENY" },
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
        { "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" }
      ]
    }
  ]
}
```

## HTTPS

- Ensure your domain has a valid TLS certificate
- Redirect all HTTP → HTTPS (Vercel does this automatically)
- Use HSTS preloading: https://hstspreload.org

## Content Security Policy (CSP)

Start permissive, then tighten:

```
# Start with report-only to find violations without breaking site:
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report
```

## Hide Server Information

```typescript
// next.config.ts — remove X-Powered-By header
export default {
  poweredByHeader: false,
}
```

## Dependency Security

```bash
# Check for known vulnerabilities
pnpm audit

# Auto-fix where possible
pnpm audit --fix
```

Enable Dependabot in `.github/dependabot.yml`:
```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
```

## Security.txt

Create `public/.well-known/security.txt` so researchers know how to report vulnerabilities:

```
Contact: https://github.com/yourrepo/security/advisories/new
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
```

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.