security-testing_skill

This skill helps you validate security features before deployment by testing CSRF, rate limiting, input validation, and security headers.
  • JavaScript

4

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill harperaa/secure-claude-skills --skill security-testing

  • SKILL.md15.5 KB

Overview

This skill tests security features and verifies implementation before deployment. It runs automated and manual checks for CSRF protection, rate limiting, input validation, security headers, authentication/authorization, dependency vulnerabilities, and a pre-deployment checklist. Use it to catch regressions and ensure production readiness.

How this skill works

The skill provides scripts and step-by-step curl checks that exercise endpoints and headers, plus a composite bash test runner for CI. It runs rate-limit simulations, CSRF token flows (including missing, invalid, and reused tokens), input validation and sanitization checks, header inspections, npm audits, and environment checks from a pre-deployment checklist. Results are printed and return nonzero on failures so CI can block merges.

When to use it

  • Before each production deployment or release candidate
  • When adding or changing authentication, rate limiting, or CSRF logic
  • After dependency updates or major package upgrades
  • When hardening headers or introducing third-party embeds
  • During CI/CD to prevent regressions

Best practices

  • Run automated security-test.sh in CI and fail the pipeline on any failure
  • Keep secrets out of source control and verify production env variables are set
  • Use real-like test accounts and session cookies when testing auth and subscription flows
  • Test both positive and negative cases: valid tokens and malformed/missing inputs
  • Run npm audit --production and monitor Dependabot or similar alerts regularly
  • Verify HSTS and CSP only in production environment and test via deployed URL

Example use cases

  • Run node scripts/test-rate-limit.js to confirm 5 requests/minute limit and window reset behavior
  • Manually exercise CSRF flows: fetch token, post with token, attempt reuse and invalid token scenarios
  • Post malicious payloads to validate XSS sanitization and length/email validation errors
  • Use curl -I to verify Content-Security-Policy, X-Frame-Options, X-Content-Type-Options and production HSTS
  • Add the security test script to GitHub Actions to run npm audit, header checks, and the bundled test suite on push

FAQ

Any test that returns unexpected output, missing security headers, npm audit showing vulnerabilities in production deps, or scripted checks that report failures will return nonzero and fail CI.

How do I test CSRF locally?

Fetch the CSRF token endpoint while saving cookies, then include the token plus the cookie in subsequent POST requests; verify missing, invalid, and reused token behavior matches expected 403 responses.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational