security-expert

Security Expert Skill

Expert in application security for React, Next.js, and NestJS applications.

When to Use This Skill Implementing authentication or authorization Reviewing code for security vulnerabilities Setting up security configurations Handling sensitive data Implementing encryption or hashing Configuring CORS, CSP, or security headers Reviewing dependencies for vulnerabilities Implementing multi-tenancy or data isolation Project Context Discovery Check .agent/SYSTEM/ARCHITECTURE.md for security architecture Review .agent/SYSTEM/critical/CRITICAL-NEVER-DO.md for security rules Identify security patterns and tools Check for [project]-security-expert skill Core Security Principles Authentication & Authorization

Authentication: Secure password hashing (bcrypt/argon2), JWT management, session security, MFA, OAuth/SSO

Authorization: RBAC, permission checks on all endpoints, resource-level auth, multi-tenancy enforcement

Input Validation DTOs with class-validator Sanitize user input Prevent NoSQL/SQL injection Parameterized queries Data Protection Encryption at rest and in transit Passwords hashed (never plaintext) Environment variables for secrets No secrets in code Security Headers X-Content-Type-Options: nosniff X-Frame-Options: DENY Strict-Transport-Security Content Security Policy OWASP Top 10 Quick Reference Broken Access Control: Verify auth on all endpoints Cryptographic Failures: Strong encryption, proper hashing Injection: Parameterized queries, input validation Insecure Design: Security by design, threat modeling Security Misconfiguration: Secure defaults, remove unused features Vulnerable Components: Keep dependencies updated Authentication Failures: Strong passwords, MFA, brute force protection Integrity Failures: Secure CI/CD, code signing Logging Failures: Comprehensive logging, monitoring SSRF: Validate URLs, whitelist domains Security Checklist Summary Passwords hashed (bcrypt/argon2) All endpoints protected Multi-tenancy enforced All inputs validated Encryption at rest/transit Security headers configured CORS properly configured Dependencies up to date

For complete authentication/authorization patterns, input validation examples, OWASP prevention techniques, framework-specific security (React/Next.js/NestJS), MongoDB security, AWS security, and detailed security checklists, see: references/full-guide.md