harperaa/secure-claude-skills
Overview
This skill implements secure subscription payments using Clerk Billing and Stripe while ensuring your servers never handle card data. It provides components, webhook handlers, and examples to set up Stripe Checkout, subscription gating, and server-side verification without exposing sensitive payment details. Use it to simplify PCI scope and reliably manage subscription lifecycle events.
How this skill works
The frontend uses Clerk's PricingTable to open Stripe Checkout; card entry and processing occur on Stripe's servers so your app never stores or transmits card data. Clerk receives Stripe events, verifies webhooks (Svix), and forwards subscription updates to your backend or Convex where you store subscription state and Stripe IDs only. Server-side checks read subscription metadata to gate premium features and respond to webhook events like created, updated, deleted, and payment_failed.
When to use it
- Adding subscription plans with Stripe Checkout via Clerk Billing
- Protecting premium pages or API routes behind paid plans
- Implementing webhook handling for subscription lifecycle events
- Ensuring your app remains out of PCI-DSS scope
- Testing payment flows safely with Stripe test cards
Best practices
- Never store cardholder data; store only Stripe customer/subscription IDs
- Always verify webhook signatures (Svix) before processing events
- Enforce server-side subscription checks for gated features
- Implement idempotency for webhook handling to avoid duplicate work
- Use Stripe test cards and CLI to validate webhook flows locally
Example use cases
- A Pricing page that opens Clerk-managed Stripe Checkout for upgrades
- A protected dashboard route that requires a paid plan via server auth
- Webhook receiver that updates internal DB when subscriptions change
- Automated emails and state changes on subscription.payment_failed events
- Convex HTTP endpoint that ingests Clerk webhooks and runs mutations
FAQ
No. If you never store, process, or transmit card data and rely on Stripe for payments, Stripe handles PCI-DSS scope. You should still follow webhook and access security best practices.
How do I test payments locally?
Use Stripe test card numbers (e.g., 4242 4242 4242 4242) and the Stripe CLI to forward events to your local webhook endpoint.
14 skills
This skill helps you implement secure payments using Clerk Billing and Stripe without handling card data, ensuring PCI-DSS compliance and seamless
This skill helps you implement secure error handling to prevent information leakage and provide safe, environment-aware error responses.
Validate and sanitize user input to prevent XSS, injection attacks, and ensure data quality. Use this skill when you need to validate forms, sanitize user input, prevent cross-site scripting, use Zod schemas, or handle any user-generated content. Triggers include "input validation", "validate input", "XSS", "cross-site scripting", "sanitize", "Zod", "injection prevention", "validateRequest", "safeTextSchema", "user input security".
This skill helps you understand the defense-in-depth security architecture of Secure Vibe Coding OS across its 5-layer stack and OWASP scoring.
This skill analyzes AI-generated authentication and session management code to identify insecure password storage and broken access controls, guiding secure
This skill helps identify and mitigate resource exhaustion and DoS risks in AI-generated code by applying rate limits, quotas, and secure processing.
This skill helps you understand AI-generated code security risks and practical mitigation strategies for vibe coding, improving secure development awareness.
This skill helps you validate security features before deployment by testing CSRF, rate limiting, input validation, and security headers.
This skill helps you secure API routes from cross-site attacks by implementing CSRF protection with token validation.
This skill helps you identify and remediate race conditions, integer overflows, and calculation errors in AI-generated JavaScript code to secure business logic.
This skill analyzes AI-generated code to identify and explain injection vulnerabilities such as SQL injection, command injection, and XSS, with secure
This skill helps you implement secure access control with RBAC, ownership checks, permissions, and testing templates for robust authorization.
This skill provides quick, secure templates for common features using existing utilities, enabling fast, safe implementations like contact forms and public
This skill helps you audit, update, and secure npm dependencies to prevent supply chain attacks and vulnerabilities.