- Home
- Skills
- Ariegoldkin
- Ai Agent Hub
- Security Checklist
security-checklist_skill
- TypeScript
8
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill ariegoldkin/ai-agent-hub --skill security-checklist- SKILL.md24.9 KB
Overview
This skill delivers a practical security checklist for building and auditing web applications. It focuses on OWASP Top 10 mitigations, authentication patterns, input validation, secure configuration, and compliance guidance. Use it to harden apps, prepare for assessments, and reduce common vulnerability risks.
How this skill works
The skill inspects application controls, configuration, and development patterns against proven mitigations: access control, cryptography, injection prevention, secure design, and logging. It recommends concrete changes (parameterized queries, strong hashing, secure headers, allowlists) and suggests tools to scan dependencies and code. It adapts guidance to the project stack (Node/Python) and highlights operational checks like secrets scanning and CI/CD integrity verification.
When to use it
- During security audits, code reviews, or pre-release checks
- When implementing authentication, authorization, or session management
- While validating and sanitizing user input or upload handling
- When storing or handling sensitive data (PII, credentials, payments)
- Before or during compliance work (GDPR, HIPAA, SOC2)
- Preparing for penetration tests or third-party dependency reviews
Best practices
- Apply defense-in-depth: multiple, independent controls across layers
- Enforce least privilege for users and service accounts
- Validate and sanitize all external input with allowlists where possible
- Use strong, modern cryptography (TLS, Argon2/Bcrypt/Scrypt, key rotation)
- Scan and pin dependencies; integrate audits into CI/CD
- Log security events centrally and alert on suspicious patterns without logging secrets
Example use cases
- Add RBAC and ownership checks to APIs to prevent IDOR and broken access control
- Replace string-built SQL with parameterized queries or ORM queries to eliminate SQL injection
- Hardening production config: disable debug mode, set security headers and secure cookies
- Implement MFA, rate limiting, and account lockout for authentication endpoints
- Run npm audit / pip-audit, Semgrep, and TruffleHog in CI to catch vulnerable packages and leaked secrets
FAQ
Start with npm audit to find dependency issues, then add static analysis (Semgrep) and secrets scanning (TruffleHog) in CI.
How do I prevent sensitive data exposure in logs?
Log only security-relevant metadata, redact or omit tokens and passwords, and centralize logs with role-based access and retention policies.