security-overview_skill

This skill helps you understand the defense-in-depth security architecture of Secure Vibe Coding OS across its 5-layer stack and OWASP scoring.
  • JavaScript

4

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill harperaa/secure-claude-skills --skill security-overview

  • SKILL.md19.6 KB

Overview

This skill explains the defense-in-depth security architecture used by Secure Vibe Coding OS. It summarizes the five-layer security stack, core principles (fail-secure, least privilege), and the project's OWASP baseline so you can quickly assess the overall security approach. Use it to decide which targeted security skills to apply for a given API route or integration.

How this skill works

The skill breaks the request path into five layers: security headers middleware, rate limiting, CSRF protection, input validation, and secure error handling, with business logic protected in the middle. It maps each layer to concrete controls (CSP, HSTS, HMAC-SHA256 CSRF tokens, Zod validation, Clerk auth) and shows how to compose them in API routes. It also explains environment-specific behavior and when to call other security skills.

When to use it

  • When you need an executive summary of the app’s security posture or OWASP score
  • When designing a new API route and choosing which protections to apply
  • When deciding whether to enable relaxed dev settings or strict production controls
  • When integrating third-party services (payments, auth, database) and checking responsibilities
  • When evaluating an AI-generated feature for secure defaults

Best practices

  • Always apply withRateLimit on public or expensive endpoints
  • Use withCsrf for state-changing requests (POST/PUT/DELETE)
  • Validate and sanitize all user input with Zod before business logic
  • Fail-secure: return generic errors in production and avoid logging PII
  • Run dependency and security audits before adding packages

Example use cases

  • Protecting a contact form: compose withRateLimit + withCsrf + Zod validation + handleApiError
  • Creating a user-only endpoint: withRateLimit + auth() check + minimal response data
  • Adding a public newsletter signup: rate limit + input validation, no auth required
  • Implementing Stripe webhooks: verify signatures, use payment-security skill, never log card data

FAQ

It means the starter includes controls that place it in the top 10% of Next.js apps for OWASP coverage; you still must follow checklist items for each new route.

When can I relax protections in development?

In development enable verbose errors and HTTP, but keep validation and basic rate limiting. Production should enforce HSTS, generic errors, and minimal logging.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational