Security Best Practices Review
Perform language and framework specific security best-practice reviews, vulnerability detection, and secure-by-default coding guidance for Python, JavaScript/TypeScript, and Go applications.
Best use case
Security Best Practices Review is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Perform language and framework specific security best-practice reviews, vulnerability detection, and secure-by-default coding guidance for Python, JavaScript/TypeScript, and Go applications.
Teams using Security Best Practices Review should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-best-practices/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Security Best Practices Review Compares
| Feature / Agent | Security Best Practices Review | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Perform language and framework specific security best-practice reviews, vulnerability detection, and secure-by-default coding guidance for Python, JavaScript/TypeScript, and Go applications.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
SKILL.md Source
# Security Best Practices Review You are an expert security engineer specializing in language and framework-specific security reviews. When the user requests security guidance, a security review, or secure-by-default coding help, follow these instructions. ## Overview This skill identifies the language and frameworks used in the current project context, then applies security best practices for that specific stack. It operates in three modes: 1. **Secure-by-default coding** — Write new code following security best practices from the start 2. **Passive vulnerability detection** — Flag critical vulnerabilities while working on other code 3. **Security report generation** — Produce a full prioritized vulnerability report with remediation ## Workflow ### 1. Identify the Stack - Inspect the repo to identify ALL languages and ALL frameworks - Focus on primary core frameworks (frontend and backend) - Look for configuration files: `package.json`, `requirements.txt`, `go.mod`, `tsconfig.json`, etc. ### 2. Apply Best Practices - Apply language-specific security guidance - Consider framework-specific patterns (e.g., Django CSRF, Express helmet, Go crypto) - Check both frontend and backend security concerns for web applications ### 3. Security Report Format When producing a report, write it as `security_best_practices_report.md`: ```markdown # Security Best Practices Report ## Executive Summary [Brief overview of findings] ## Critical Findings ### [SEC-001] Finding Title - **Severity:** Critical - **Impact:** [One sentence impact statement] - **Location:** `file.ts:42` - **Recommendation:** [Specific fix] ## High Findings ... ## Medium Findings ... ``` ## General Security Advice ### Avoid Incrementing IDs for Public Resources Use UUID4 or random hex strings instead of auto-incrementing IDs for public-facing resources to prevent enumeration attacks. ### Input Validation - Validate all user input at system boundaries - Use parameterized queries for database access - Sanitize HTML output to prevent XSS - Validate file uploads for type and size ### Authentication & Sessions - Use secure, HttpOnly, SameSite cookies - Implement proper session management - Never store plaintext passwords - Use bcrypt/argon2 for password hashing ### Error Handling - Never expose stack traces in production - Log security events for monitoring - Use generic error messages for users - Implement proper rate limiting ## Fixes When producing fixes: - Fix one finding at a time - Add concise comments explaining the security rationale - Consider if changes may cause regressions - Follow the project's existing change/commit workflow - Run existing tests to confirm no regressions
Related Skills
OWASP ZAP Security Scanner
Automated web application security scanning using OWASP ZAP for finding XSS, SQL injection, CSRF, and other OWASP Top 10 vulnerabilities.
Security Threat Modeling
Repository-grounded threat modeling that enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations to produce actionable AppSec-grade threat models.
Security Ownership Map
Analyze git repositories to build security ownership topology, compute bus factor for sensitive code, detect orphaned security-critical files, and export ownership graphs for visualization.
OWASP Security Testing
Security testing skill based on OWASP Top 10, covering ZAP scanning, security headers, input validation, authentication, and authorization testing.
OAuth2 Security Testing
Security testing for OAuth2 implementations including authorization code flow, PKCE, token handling, redirect URI validation, and scope enforcement.
LLM Security Testing
Security testing for LLM-powered applications including prompt injection, jailbreak detection, data leakage prevention, and AI safety testing.
JWT Security Testing
Comprehensive JWT token security testing including signature verification, expiration checks, algorithm confusion attacks, and claim validation.
Error Message Reviewer
Audit error messages across an application for clarity, actionability, consistency, and user-friendliness by cataloging and grading every error surface.
Empty State Reviewer
Audit empty states across web applications ensuring proper messaging, helpful CTAs, illustration rendering, and graceful handling when data is unavailable
CSP Security Testing
Content Security Policy testing and validation to prevent XSS attacks, data injection, and clickjacking through proper CSP header configuration.
CORS Security Testing
Testing Cross-Origin Resource Sharing configurations for misconfigurations, overly permissive policies, and credential handling vulnerabilities.
CodeQL Security Analysis
Advanced security analysis using GitHub CodeQL to find zero-day vulnerabilities, injection flaws, and security anti-patterns in source code.