- Home
- Skills
- Rubenpenap
- Epic Stack Agent Skills
- Epic Security
epic-security_skill
3
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill rubenpenap/epic-stack-agent-skills --skill epic-security- SKILL.md15.1 KB
Overview
This skill provides practical security guidance and patterns for Epic Stack applications, covering CSP, rate limiting, session management, input validation, headers, and secrets. It focuses on fail-fast checks, developer-friendly errors, and concrete code patterns to harden web apps without blocking development workflows.
How this skill works
The skill inspects typical web app risks and prescribes configuration and code-level patterns to mitigate them. It explains using Helmet for secure headers and CSP, express-rate-limit for throttling, honeypot checks for spam prevention, cookie session best practices, password hashing, and strict input validation with Zod. Examples show where and how to apply each control in request handlers and middleware.
When to use it
- When adding or hardening Content Security Policy for XSS protection
- When protecting public forms from spam with honeypot fields
- When applying rate limits to APIs and sensitive routes
- When configuring secure session cookies and secret rotation
- When enforcing strict input validation and sanitization
- When ensuring secure headers and HTTPS redirects are in place
Best practices
- Fail fast: authenticate, validate, and authorize early in request handlers
- Provide clear, actionable error messages and log context without leaking secrets
- Keep CSP in report-only during development, enable enforcement in production
- Use httpOnly, secure, sameSite cookies and rotate session secrets
- Rate limit by route sensitivity and use a stable key generator (IP or API key)
- Validate and sanitize all inputs with Zod; normalize emails and usernames
Example use cases
- Public signup form: include HoneypotInputs and run honeypot check before parsing input
- Login and password-reset endpoints: apply strict rate limits (very low limits)
- API endpoints: use an API-specific rate limiter keyed by X-API-Key or client IP
- Session handling: create cookie session storage with httpOnly, secure, sameSite and secret arrays
- Password handling: hash with bcrypt and check against common password lists
FAQ
Keep CSP in report-only mode during development to avoid blocking resources; enable enforcement in production after resolving reported violations.
How do I choose rate limits for routes?
Use conservative limits for sensitive actions (login, signup, reset) and more permissive limits for general traffic. Tune values based on real traffic and testing.