Agent-skills-standard typescript-security

Validate input, secure auth tokens, and prevent injection attacks in TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration. (triggers: **/*.ts, **/*.tsx, validate, sanitize, xss, injection, auth, password, secret, token)

install
source · Clone the upstream repo
git clone https://github.com/HoangNguyen0403/agent-skills-standard
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/HoangNguyen0403/agent-skills-standard "$T" && mkdir -p ~/.claude/skills && cp -r "$T/.github/skills/typescript/typescript-security" ~/.claude/skills/hoangnguyen0403-agent-skills-standard-typescript-security-44c0a2 && rm -rf "$T"
manifest: .github/skills/typescript/typescript-security/SKILL.md
source content

TypeScript Security

Priority: P0 (CRITICAL)

Security standards for TypeScript applications based on OWASP guidelines.

Validate Input at Boundaries

  • Use Zod, Joi, or class-validator at the API boundary. Always parse and validate user-controlled input (request bodies, query strings, path parameters, headers) before using it; treat it as unknown until it has passed the schema. Use safeParse for error handling without throwing. Return 400 with structured errors on failure.

See references/REFERENCE.md for Zod validation schemas, secure cookie setup, and JWT auth patterns.

Prevent Injection and XSS

  • Sanitization: Use DOMPurify to sanitize HTML that must be rendered as markup, to prevent Cross-Site Scripting (XSS). Plain text belongs in escaped output (textContent, the template engine's escaping), not in innerHTML.
  • SQL Injection: Use Parameterized Queries (e.g., pool.query('... WHERE id = $1', [id])) or Type-safe ORMs (Prisma / TypeORM). Use Prisma.sql, a tagged template that parameterizes its interpolations, for raw queries; never build the query string by concatenating user input.
  • Input Filtering: Validate user-controlled input against an allowlist before using it in file paths or OS commands. Resolve file paths against a fixed root directory and reject anything that escapes it (Path Traversal). Avoid the shell entirely: use execFile/spawn with an argument array rather than exec with an interpolated string (Command Injection).
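An added example (not from the skill) of the file-path and OS-command points, using only Node built-ins: resolveUnderRoot confines a user-supplied relative path to a root directory and rejects traversal, absolute paths and NUL bytes, and buildConvertArgs/runConvert hand user data to a program as separate argv entries through execFile instead of a shell. The ImageMagick convert command, the /srv/uploads root and the format allowlist are illustrative assumptions.

```typescript
import * as path from "node:path";
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Confine a user-supplied relative path to a fixed root directory.
// Returns the absolute path on success, or null when the path escapes the root,
// is absolute, contains a NUL byte, or resolves to the root itself.
// path.posix is used so the check behaves the same on every platform.
// Note: this is a lexical check; if the root may contain symlinks, also compare
// fs.realpath(resolved) against fs.realpath(root) before opening the file.
function resolveUnderRoot(root: string, userPath: string): string | null {
  if (userPath.includes("\0")) return null;          // NUL truncates paths in C-level APIs
  if (path.posix.isAbsolute(userPath)) return null;  // "/etc/passwd" must not bypass the root
  const absRoot = path.posix.resolve(root);
  const resolved = path.posix.resolve(absRoot, userPath);
  const rel = path.posix.relative(absRoot, resolved);
  // rel === "" means the root directory itself; ".." or "../x" means it escaped.
  // A plain "..foo" is a legitimate file name and is allowed.
  if (rel === "" || rel === ".." || rel.startsWith("../") || path.posix.isAbsolute(rel)) return null;
  return resolved;
}

// Assumed allowlist: the user picks from fixed values; nothing else reaches argv.
const ALLOWED_FORMATS = new Set(["png", "jpeg", "webp"]);

// Build argv for an image conversion without a shell. execFile passes `args`
// directly to the program, so "; rm -rf /" in `format` never reaches a shell and
// is rejected by the allowlist anyway. `convert` (ImageMagick) is an assumption.
// Both paths are absolute, so neither can be mistaken for a "-flag" by the program.
function buildConvertArgs(root: string, userFile: string, format: string): { file: string; args: string[] } | null {
  if (!ALLOWED_FORMATS.has(format)) return null;
  const input = resolveUnderRoot(root, userFile);
  if (input === null) return null;
  const output = `${input}.${format}`;
  return { file: "convert", args: [input, output] };
}

async function runConvert(root: string, userFile: string, format: string): Promise<string> {
  const cmd = buildConvertArgs(root, userFile, format);
  if (cmd === null) throw new Error("rejected input");
  // shell: false is the default for execFile; stated explicitly to document the intent.
  const { stdout } = await execFileAsync(cmd.file, cmd.args, { shell: false, timeout: 10_000 });
  return stdout;
}
```

The two pure functions are what to unit-test; runConvert only spawns the process once the argv has been accepted.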

Secure Authentication

  • Use Argon2id for password hashing. Implement JWT (via jsonwebtoken or jose) delivered in HttpOnly and Secure cookies (set SameSite as well to limit cross-site sends). Use RS256 with public/private key pairs so that services that only verify tokens never hold the signing key, verify with an explicit algorithm allowlist, and implement Refresh Token rotation.
  • Secrets: Store secrets in .env (e.g., JWT_SECRET) or Secret Managers. NEVER commit them to Git; keep .env in .gitignore.
  • CORS: Configure CORS with Strict Origin Whitelisting. Avoid origin: '*', and never combine a wildcard or reflected origin with credentials.
  • Encryption: Use crypto (Node.js) or the Web Crypto API for sensitive data, with an authenticated mode such as AES-256-GCM. Avoid legacy algorithms like MD5/SHA1 for integrity checks or signatures.
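An added example, not from the skill, of the password-hashing and cookie points. Argon2id (for instance via the argon2 package) is what the skill recommends; because that package is not part of Node, this example uses Node's built-in scrypt, which is the same class of memory-hard KDF and follows the same storage pattern: parameters and salt stored with the hash so they can be raised later, and comparison with timingSafeEqual. buildAuthCookie produces the Set-Cookie value for a token with HttpOnly, Secure and SameSite set. The scrypt parameters, cookie names and paths are assumptions.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// scrypt cost parameters (assumption for the example). Argon2id exposes the same idea:
// memory cost, time cost and parallelism, stored alongside the hash.
const SCRYPT = { N: 2 ** 14, r: 8, p: 1, keylen: 32, maxmem: 64 * 1024 * 1024 };

// Returns a PHC-style string: $scrypt$N=..,r=..,p=..$<salt b64>$<hash b64>
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const hash = scryptSync(password, salt, SCRYPT.keylen, {
    N: SCRYPT.N, r: SCRYPT.r, p: SCRYPT.p, maxmem: SCRYPT.maxmem,
  });
  return `$scrypt$N=${SCRYPT.N},r=${SCRYPT.r},p=${SCRYPT.p}$${salt.toString("base64")}$${hash.toString("base64")}`;
}

// Re-derives the hash with the parameters stored in the record and compares in constant time.
// Any malformed record verifies as false rather than throwing into the login handler.
function verifyPassword(password: string, stored: string): boolean {
  const m = /^\$scrypt\$N=(\d+),r=(\d+),p=(\d+)\$([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+)$/.exec(stored);
  if (!m) return false;
  const [, N, r, p, saltB64, hashB64] = m;
  const salt = Buffer.from(saltB64, "base64");
  const expected = Buffer.from(hashB64, "base64");
  let actual: Buffer;
  try {
    actual = scryptSync(password, salt, expected.length, {
      N: Number(N), r: Number(r), p: Number(p), maxmem: SCRYPT.maxmem,
    });
  } catch {
    return false; // e.g. stored parameters exceed the memory limit
  }
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// RFC 6265 cookie-octet: no CTLs, whitespace, double quotes, commas, semicolons or backslashes.
// A compact JWT (base64url segments joined by dots) always fits.
const COOKIE_VALUE_RE = /^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]+$/;

// Set-Cookie value for an auth token. HttpOnly keeps it out of document.cookie,
// Secure restricts it to HTTPS, SameSite=Strict stops cross-site sends (CSRF),
// and Path scopes a refresh token to the single endpoint that needs it.
function buildAuthCookie(name: string, token: string, maxAgeSeconds: number, pathScope = "/"): string {
  if (!COOKIE_VALUE_RE.test(token)) throw new Error("token contains characters that are invalid in a cookie value");
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) throw new Error("Max-Age must be a positive integer");
  return `${name}=${token}; Max-Age=${maxAgeSeconds}; Path=${pathScope}; HttpOnly; Secure; SameSite=Strict`;
}
```

Raising the cost later only requires changing SCRYPT; old records still verify because their own parameters are read back from the stored string, and can be rehashed on next successful login.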

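An added example, not from the skill, of the Encryption point with Node's crypto module: AES-256-GCM with a fresh random IV per message, optional associated data bound into the tag, and a decrypt that returns null whenever the authentication tag fails, so tampering, a wrong key and mismatched associated data all take one failure path. The blob layout (iv || tag || ciphertext) and the idea of loading the key from an environment variable are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Layout of the encrypted blob (assumption): iv (12 bytes) || auth tag (16 bytes) || ciphertext.
const IV_LEN = 12;
const TAG_LEN = 16;

// The 256-bit key would come from a secret manager or e.g. Buffer.from(process.env.DATA_KEY_B64, "base64");
// it is never derived from a password with a plain hash, and never hard-coded.
function loadKey(base64Key: string): Buffer {
  const key = Buffer.from(base64Key, "base64");
  if (key.length !== 32) throw new Error("AES-256-GCM needs a 32-byte key");
  return key;
}

// A GCM IV must never repeat under the same key, so a random one is generated per message
// and shipped with the ciphertext. `aad` is authenticated but not encrypted: use it to bind
// the ciphertext to its context (record id, user id) so blobs cannot be swapped between rows.
function encrypt(key: Buffer, plaintext: Buffer, aad: Buffer = Buffer.alloc(0)): Buffer {
  if (key.length !== 32) throw new Error("AES-256-GCM needs a 32-byte key");
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Returns null when the tag check fails (wrong key, modified ciphertext, modified AAD).
// GCM verifies the tag in final(), which is why the whole call sits inside the try.
function decrypt(key: Buffer, blob: Buffer, aad: Buffer = Buffer.alloc(0)): Buffer | null {
  if (key.length !== 32 || blob.length < IV_LEN + TAG_LEN) return null;
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = blob.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]);
  } catch {
    return null;
  }
}
```

Because the IV is random, encrypting the same plaintext twice yields different blobs; equality of stored ciphertexts therefore says nothing, which is the intended property.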
Verification

After writing validation schemas (Zod/Joi) or auth guards, call getDiagnostics (typescript-lsp) to confirm type narrowing is correct before finalizing.

Anti-Patterns

  • No eval(): Avoid dynamic execution (eval, new Function, setTimeout with a string argument).
  • No Plaintext: Never commit secrets.
  • No Trust: Validate everything server-side; client-side checks are for usability only and are trivially bypassed.

References

See references/REFERENCE.md for Zod validation, secure cookie setup, JWT auth, security headers, and RBAC patterns.