install
source · Clone the upstream repo
git clone https://github.com/NeverSight/learn-skills.dev
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/NeverSight/learn-skills.dev "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/skills-md/academind/ai-config/web-security" ~/.claude/skills/neversight-learn-skills-dev-web-security && rm -rf "$T"
manifest: data/skills-md/academind/ai-config/web-security/SKILL.md
source content
Web Security
We treat web security as a core requirement, not an afterthought. Assume hostile input and untrusted environments by default.
Core Principles
- NEVER trust user input
- ALWAYS validate and sanitize data at boundaries
- Prefer secure defaults over configurability
XSS & Injection
- AVOID dangerouslySetInnerHTML and raw HTML injection
- Escape and encode dynamic content for the context it lands in (HTML body, attribute value, URL, JavaScript)
- Never interpolate untrusted data into HTML, CSS, or JS contexts
- Prevent SQL injection: use parameterized queries or prepared statements, never SQL built by string concatenation
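The rules above, shown as code. This is an added example and not code from the academind/ai-config skill; the helper names (escapeHtml, serializeForScript, renderComment, findUserQuery) and the hostile inputs are assumptions made for the illustration. Each interpolation point gets the encoder for its own context, and the SQL value travels as a bound parameter instead of inside the query text.

```javascript
// Added example; not code from the academind/ai-config skill.
// escapeHtml, serializeForScript, renderComment* and findUserQuery* are assumed names.

// HTML body and attribute-value context. All five characters matter: & starts an
// entity, < and > open and close tags, and both quote styles close attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// JavaScript context: a value dropped inside <script> as a JSON literal.
// JSON.stringify alone is not enough, because "</script>" inside the string still
// closes the element for the HTML parser, so < > & are hex-escaped as well.
function serializeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Before: untrusted fields interpolated straight into markup.
function renderCommentUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">${comment.body}</div>`;
}

// After: every interpolation goes through the encoder for the context it lands in.
function renderComment(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">${escapeHtml(comment.body)}</div>`;
}

// SQL: the query text stays constant and the value travels as a bound parameter
// (pg-style $1 placeholder). Compare with the string-built query it replaces.
function findUserQueryUnsafe(username) {
  return `SELECT id, email FROM users WHERE username = '${username}'`;
}
function findUserQuery(username) {
  return { text: 'SELECT id, email FROM users WHERE username = $1', values: [username] };
}

// Constructed hostile inputs of the kind an attacker would submit.
const hostileComment = {
  author: '" onmouseover="alert(1)',
  body: '<img src=x onerror="alert(document.cookie)">',
};
const hostileUsername = "alice' OR '1'='1";

console.log(renderCommentUnsafe(hostileComment));  // attribute breakout plus an onerror handler
console.log(renderComment(hostileComment));        // the same bytes rendered as inert text
console.log(findUserQueryUnsafe(hostileUsername)); // WHERE clause is now always true
console.log(findUserQuery(hostileUsername));       // the value never touches the SQL text
```

Note that the HTML escaper is only right for body text and quoted attribute values; a value placed in a URL, a CSS property or an unquoted attribute needs a different encoder, which is why the safest design is to route every output through a templating layer that picks the encoder by context.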
Authentication & Authorization
- Do not store secrets or tokens in insecure locations
- AVOID localStorage for sensitive credentials when possible; any script running on the origin, including an injected one, can read it
- Use HttpOnly, Secure cookies where applicable
- Always enforce authorization on the server
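How a server can follow these rules, as an added example that is not code from the academind/ai-config skill. The session store, the document store and the handler shape (buildSessionCookie, readCookie, authorize, getDocument) are assumptions for this illustration; the handler is a pure function over a plain request object so it can be exercised without a listening socket.

```javascript
// Added example, not code from the academind/ai-config skill. Stores and helper
// names (buildSessionCookie, readCookie, authorize, getDocument) are assumptions.

// Cookie attributes that keep the session token away from page scripts
// (HttpOnly), off plaintext connections (Secure) and out of cross-site requests
// (SameSite). The __Host- prefix makes browsers refuse the cookie unless it is
// Secure, has Path=/ and no Domain, so a sibling subdomain cannot overwrite it.
function buildSessionCookie(token, maxAgeSeconds = 3600) {
  if (!/^[A-Za-z0-9_-]+$/.test(token)) throw new Error('token must be URL-safe');
  return [
    `__Host-session=${token}`,
    'Path=/',
    'Secure',
    'HttpOnly',
    'SameSite=Strict',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// Minimal Cookie-header parser; returns the named cookie's value or undefined.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return rest.join('=');
  }
  return undefined;
}

// Constructed server-side state: sessions keyed by token, documents with an owner.
const sessions = new Map([
  ['tok_alice', { userId: 'u1', role: 'user' }],
  ['tok_mallory', { userId: 'u2', role: 'user' }],
]);
const documents = new Map([['doc-42', { ownerId: 'u1', body: 'quarterly numbers' }]]);

// The authorization decision uses only server-side facts (who the session belongs
// to, who owns the record). Nothing the client sent is consulted here.
function authorize(session, doc) {
  return session.role === 'admin' || doc.ownerId === session.userId;
}

// Handler for GET /documents/:id over a plain request object { headers, params, body }.
function getDocument(req) {
  const token = readCookie(req.headers.cookie, '__Host-session');
  const session = sessions.get(token);
  if (!session) return { status: 401, body: 'sign in' };
  const doc = documents.get(req.params.id);
  if (!doc) return { status: 404, body: 'not found' };
  // A client-supplied userId (query string, body, hidden form field) is ignored:
  // identity comes from the session, authorization from the record's owner.
  if (!authorize(session, doc)) return { status: 403, body: 'forbidden' };
  return { status: 200, body: doc.body };
}

console.log(buildSessionCookie('tok_alice'));
console.log(getDocument({ headers: { cookie: '__Host-session=tok_alice' }, params: { id: 'doc-42' }, body: {} }));
console.log(getDocument({ headers: { cookie: '__Host-session=tok_mallory' }, params: { id: 'doc-42' }, body: { userId: 'u1' } }));
```

The second call is the case that matters: Mallory holds a valid session and claims to be u1 in the body, and still gets 403, because the check compares the record's owner with the session the server issued, not with anything in the request.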
Browser Security APIs
- Respect CORS, CSP, and browser security boundaries
- Use Content Security Policy to restrict script and resource execution
- Avoid inline scripts and styles when CSP is enabled; where one is unavoidable, allow it with a per-response nonce or a hash rather than 'unsafe-inline'
Data Handling
- Minimize data exposure
- Do not log sensitive information
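Both rules above applied to a request logger, as an added example that is not code from the academind/ai-config skill. The key list, the value patterns and the helper names (redactForLog, requestSummary) are assumptions and need tuning per application; the sample request is constructed.

```javascript
// Added example; not code from the academind/ai-config skill. Key list, patterns
// and helper names (redactForLog, requestSummary) are assumptions.

// Field names whose values are never logged, whatever they contain.
const SENSITIVE_KEYS = /^(password|passwd|secret|token|authorization|cookie|set-cookie|api[-_]?key|ssn|card(number)?)$/i;

// Coarse value-level patterns for secrets that leak inside free-text strings.
// Deliberately aggressive: a false positive costs one log field, a false
// negative leaks a credential. The digit-run rule will also hit long numeric IDs.
const SENSITIVE_VALUE_PATTERNS = [
  /\bBearer\s+[A-Za-z0-9._~+\/=-]+/g, // bearer tokens pasted into messages
  /\b(?:\d[ -]?){13,19}\b/g,          // card-number-like digit runs
];

// Returns a deep copy with sensitive keys and values replaced by '[REDACTED]'.
// Never mutates the input, so the real request object is unchanged.
function redactForLog(value, depth = 0) {
  if (depth > 8) return '[depth limit]';
  if (typeof value === 'string') {
    return SENSITIVE_VALUE_PATTERNS.reduce((s, re) => s.replace(re, '[REDACTED]'), value);
  }
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEYS.test(key) ? '[REDACTED]' : redactForLog(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Minimize first, redact second: log a fixed set of fields, drop the query string
// (reset links and SSO callbacks put tokens there), and never log the body.
function requestSummary(req, res) {
  const path = req.url.split('?')[0];
  return redactForLog({
    method: req.method,
    path,
    status: res.statusCode,
    userId: req.userId,
    ua: req.headers['user-agent'],
    cookie: req.headers.cookie,
  });
}

// Constructed request, as a logging middleware would see it.
const sampleReq = {
  method: 'POST',
  url: '/password/reset?token=r3s3t-t0k3n',
  userId: 'u1',
  headers: { 'user-agent': 'curl/8.0', cookie: '__Host-session=tok_alice', authorization: 'Bearer eyJhbGciOi' },
  body: { password: 'hunter2', note: 'card 4111 1111 1111 1111' },
};
console.log(JSON.stringify(requestSummary(sampleReq, { statusCode: 200 })));
console.log(JSON.stringify(redactForLog(sampleReq.body)));
```

The summary function is the more important half: a redaction filter only catches what it was taught to recognise, whereas a log line built from a short allow-list of fields cannot leak what it never included.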
Dependencies & Supply Chain
- Avoid unnecessary packages
- Treat third-party code as untrusted input
General Principles
- Simplicity reduces attack surface
- If unsure, choose the more restrictive option