Agent-skills-standard nestjs-security

Implement JWT authentication, RBAC guards, Helmet hardening, and Argon2 hashing in NestJS. Use when adding auth strategies, role-based access control, CSRF protection, or security headers. (triggers: **/*.guard.ts, **/*.strategy.ts, **/auth/**, Passport, JWT, AuthGuard, CSRF, Helmet)

install

source · Clone the upstream repo

git clone https://github.com/HoangNguyen0403/agent-skills-standard

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/HoangNguyen0403/agent-skills-standard "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/nestjs/nestjs-security" ~/.claude/skills/hoangnguyen0403-agent-skills-standard-nestjs-security && rm -rf "$T"

manifest: skills/nestjs/nestjs-security/SKILL.md

source content

NestJS Security Standards

Priority: P0 (CRITICAL)

Workflow: Secure NestJS Application

Add Helmet —
```
app.use(helmet())
```
in
```
main.ts
```
for HSTS, CSP headers.
Configure JWT strategy — Use
```
passport-jwt
```
with RS256; validate
```
iss
```
and
```
aud
```
claims.
Bind global AuthGuard — Register as
```
APP_GUARD
```
; use
```
@Public()
```
for open routes.
Add throttling — Enable
```
@nestjs/throttler
```
with Redis store for rate limiting.

Hash with Argon2id — Replace bcrypt with

argon2.hash(password, { type: argon2.argon2id })

Verify — Run
```
npm audit --prod
```
and test that unauthenticated requests return 401.

Global Auth Guard Example

See implementation examples

Argon2id Hashing Example

See implementation examples

Authentication (JWT)

Strategy: Use
```
@nestjs/passport
```
with
```
passport-jwt
```
.
Algorithm: Enforce
```
RS256
```
(preferred) or
```
HS256
```
. Reject
none
.
Claims: Validate
```
iss
```
and
```
aud
```
.
Tokens: Short access (15m), Long httponly refresh (7d).
MFA: Require 2FA for admin panels.

Authorization (RBAC)

Deny by default: Bind
```
AuthGuard
```
globally (APP_GUARD).
Bypass: Create
```
@Public()
```
decorator for open routes.
Roles: Use
```
Reflector.getAllAndOverride
```
for Method/Class merge.

Cryptography

Hashing: Use Argon2id, not Bcrypt. See implementation.
Encryption: Use AES-256-GCM with KMS rotation. See implementation.

Hardening

Helmet: Mandatory. Enable HSTS, CSP.
CORS: Explicit origins only. No
```
*
```
.
Throttling: Use Redis-backed
```
@nestjs/throttler
```
in production.
CSRF: Required for cookie-based auth. See implementation.

Data Protection

Sanitization: Use
```
ClassSerializerInterceptor
```
+
```
@Exclude()
```
.
Validation:
```
ValidationPipe({ whitelist: true })
```
to prevent mass assignment.
Audit: Log mutations (Who, What, When). See implementation.

Secrets Management

CI/CD: Run
```
npm audit --prod
```
in pipelines.
Runtime: Inject via vault (AWS Secrets Manager / HashiCorp Vault), not
```
.env
```
.

Anti-Patterns

No Shadow APIs: Audit routes regularly; disable
```
/docs
```
in production.
No SSRF: Allowlist domains for all outgoing HTTP requests.
No SQLi: Use ORM; avoid raw
```
query()
```
with string concatenation.
No XSS: Sanitize HTML input with
```
dompurify
```
.