owasp-security_skill

This skill helps you implement secure coding practices aligned with OWASP Top 10 to prevent vulnerabilities across authentication, APIs, and data protection.

74

GitHub Stars

1

Bundled Files

3 weeks ago

Catalog Refreshed

2 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstart where the catalogue uses aiagentskills.

npx veilstart add skill hoodini/ai-agents-skills --skill owasp-security

  • SKILL.md13.4 KB

Overview

This skill implements secure coding patterns based on the OWASP Top 10 to prevent common web application vulnerabilities. It provides pragmatic guidance, code patterns, and a pre-deployment checklist for authentication, authorization, input validation, cryptography, logging, and configuration hardening. Use it to harden APIs, login flows, and infrastructure before production deployment. The content is focused on actionable fixes and concrete examples you can apply immediately.

How this skill works

The skill inspects security concerns and recommends fixes for each OWASP Top 10 category: access control, cryptography, injection, insecure design, misconfiguration, vulnerable components, auth failures, XSS, logging, and SSRF. It supplies example code patterns (Node/Express, database queries, headers, token management), validation schemas, and operational controls such as rate limiting, dependency scanning, and secure cookie settings. It also offers a pre-deployment checklist and resources for deeper study.

When to use it

  • During threat modeling and secure design of new features.
  • When implementing or reviewing authentication and authorization flows.
  • Before releasing APIs that accept user input or external URLs.
  • When configuring production environments and security headers.
  • During dependency audits and incident response preparation.

Best practices

  • Enforce authentication and RBAC for every endpoint; verify ownership for resource access.
  • Use parameterized queries and validate input types to stop SQL/NoSQL injection.
  • Hash passwords with bcrypt (cost ≥ 12), use short-lived JWTs and refresh tokens.
  • Harden headers (CSP, HSTS) and secure cookies (httpOnly, secure, sameSite).
  • Scan and pin dependencies, run npm audit/Snyk, and apply overrides for vulnerable packages.

Example use cases

  • Secure an API endpoint by adding middleware that checks user identity and roles.
  • Replace raw SQL concatenation with parameterized queries using Prisma/Knex.
  • Implement rate limiting for auth endpoints to mitigate credential stuffing.
  • Add CSP and DOM sanitization to a React app to prevent XSS when rendering user HTML.
  • Validate external fetch URLs against an allowlist to prevent SSRF.

FAQ

Prioritize controls based on risk: fix critical auth and injection issues first, then address configuration, dependencies, and monitoring. Use the pre-deployment checklist to stage improvements.

How should I handle secrets and encryption keys?

Keep secrets out of source control, load them from environment variables or a secrets manager, and use proven cryptographic libraries. Rotate keys and restrict access via IAM policies.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational