OpenSkillIndex← back to search
claude-codesecurity

Marketplace security-patterns

Security patterns and OWASP guidelines. Triggers on: security review, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding.

install
source · Clone the upstream repo
git clone https://github.com/aiskillstore/marketplace
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/aiskillstore/marketplace "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/0xdarkmatter/security-patterns" ~/.claude/skills/aiskillstore-marketplace-security-patterns && rm -rf "$T"
manifest: skills/0xdarkmatter/security-patterns/SKILL.md
tags
#security#owasp#web-application#secure-coding#vulnerability-assessment
source content

Security Patterns

Essential security patterns for web applications.

OWASP Top 10 Quick Reference

RankVulnerabilityPrevention
A01Broken Access ControlCheck permissions server-side, deny by default
A02Cryptographic FailuresUse TLS, hash passwords, encrypt sensitive data
A03InjectionParameterized queries, validate input
A04Insecure DesignThreat modeling, secure defaults
A05Security MisconfigurationHarden configs, disable unused features
A06Vulnerable ComponentsUpdate dependencies, audit regularly
A07Auth FailuresMFA, rate limiting, secure session management
A08Data Integrity FailuresVerify signatures, use trusted sources
A09Logging FailuresLog security events, protect logs
A10SSRFValidate URLs, allowlist destinations

Input Validation

# WRONG - Trust user input
def search(query):
    return db.execute(f"SELECT * FROM users WHERE name = '{query}'")

# CORRECT - Parameterized query
def search(query):
    return db.execute("SELECT * FROM users WHERE name = ?", [query])

Validation Rules

Always validate:
- Type (string, int, email format)
- Length (min/max bounds)
- Range (numeric bounds)
- Format (regex for patterns)
- Allowlist (known good values)

Never trust:
- URL parameters
- Form data
- HTTP headers
- Cookies
- File uploads

Output Encoding

// WRONG - Direct HTML insertion
element.innerHTML = userInput;

// CORRECT - Text content (auto-escapes)
element.textContent = userInput;

// CORRECT - Template with escaping
render(`<div>${escapeHtml(userInput)}</div>`);

Encoding by Context

ContextEncoding
HTML bodyHTML entity encode
HTML attributeAttribute encode + quote
JavaScriptJS encode
URL parameterURL encode
CSSCSS encode

Authentication

# Password hashing (use bcrypt, argon2, or scrypt)
import bcrypt

def hash_password(password: str) -> bytes:
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

def verify_password(password: str, hashed: bytes) -> bool:
    return bcrypt.checkpw(password.encode(), hashed)

Auth Checklist

  • Hash passwords with bcrypt/argon2 (cost factor 12+)
  • Implement rate limiting on login
  • Use secure session tokens (random, long)
  • Set secure cookie flags (HttpOnly, Secure, SameSite)
  • Implement account lockout after failed attempts
  • Support MFA for sensitive operations

Authorization

# WRONG - Check only authentication
@login_required
def delete_post(post_id):
    post = Post.get(post_id)
    post.delete()

# CORRECT - Check authorization
@login_required
def delete_post(post_id):
    post = Post.get(post_id)
    if post.author_id != current_user.id and not current_user.is_admin:
        raise Forbidden("Not authorized to delete this post")
    post.delete()

Secrets Management

# WRONG - Hardcoded secrets
API_KEY = "sk-1234567890abcdef"

# CORRECT - Environment variables
API_KEY = os.environ["API_KEY"]

# BETTER - Secrets manager
API_KEY = secrets_client.get_secret("api-key")

Secret Handling Rules

DO:
- Use environment variables or secrets manager
- Rotate secrets regularly
- Use different secrets per environment
- Audit secret access

DON'T:
- Commit secrets to git
- Log secrets
- Include secrets in error messages
- Share secrets in plain text

Security Headers

Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()

Quick Security Audit

# Find hardcoded secrets
rg -i "(password|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]" --type py

# Find SQL injection risks
rg "execute\(f['\"]|format\(" --type py

# Find eval/exec usage
rg "\b(eval|exec)\s*\(" --type py

# Check for TODO security items
rg -i "TODO.*security|FIXME.*security"

Additional Resources

  • ./references/owasp-detailed.md
    - Full OWASP Top 10 details
  • ./references/auth-patterns.md
    - JWT, OAuth, session management
  • ./references/crypto-patterns.md
    - Encryption, hashing, signatures
  • ./references/secure-headers.md
    - HTTP security headers guide

Scripts

  • ./scripts/security-scan.sh
    - Quick security grep patterns
  • ./scripts/dependency-audit.sh
    - Check for vulnerable dependencies