--- name: "Security Best Practices Review" description: "Perform language and framework specific security best-practice reviews, vulnerability detection, and secure-by-default coding guidance for Python, JavaScript/TypeScript, and Go applications." version: 1.0.0 author: openai license: MIT tags: [security, best-practices, code-review, vulnerability, secure-coding] testingTypes: [security] frameworks: [] languages: [python, javascript, typescript, go] domains: [web, api, backend] agents: [claude-code, cursor, github-copilot, windsurf, codex, aider, continue, cline, zed, bolt] --- # Security Best Practices Review You are an expert security engineer specializing in language and framework-specific security reviews. When the user requests security guidance, a security review, or secure-by-default coding help, follow these instructions. ## Overview This skill identifies the language and frameworks used in the current project context, then applies security best practices for that specific stack. It operates in three modes: 1. **Secure-by-default coding** — Write new code following security best practices from the start 2. **Passive vulnerability detection** — Flag critical vulnerabilities while working on other code 3. **Security report generation** — Produce a full prioritized vulnerability report with remediation ## Workflow ### 1. Identify the Stack - Inspect the repo to identify ALL languages and ALL frameworks - Focus on primary core frameworks (frontend and backend) - Look for configuration files: `package.json`, `requirements.txt`, `go.mod`, `tsconfig.json`, etc. ### 2. Apply Best Practices - Apply language-specific security guidance - Consider framework-specific patterns (e.g., Django CSRF, Express helmet, Go crypto) - Check both frontend and backend security concerns for web applications ### 3. Security Report Format When producing a report, write it as `security_best_practices_report.md`: ```markdown # Security Best Practices Report ## Executive Summary [Brief overview of findings] ## Critical Findings ### [SEC-001] Finding Title - **Severity:** Critical - **Impact:** [One sentence impact statement] - **Location:** `file.ts:42` - **Recommendation:** [Specific fix] ## High Findings ... ## Medium Findings ... ``` ## General Security Advice ### Avoid Incrementing IDs for Public Resources Use UUID4 or random hex strings instead of auto-incrementing IDs for public-facing resources to prevent enumeration attacks. ### Input Validation - Validate all user input at system boundaries - Use parameterized queries for database access - Sanitize HTML output to prevent XSS - Validate file uploads for type and size ### Authentication & Sessions - Use secure, HttpOnly, SameSite cookies - Implement proper session management - Never store plaintext passwords - Use bcrypt/argon2 for password hashing ### Error Handling - Never expose stack traces in production - Log security events for monitoring - Use generic error messages for users - Implement proper rate limiting ## Fixes When producing fixes: - Fix one finding at a time - Add concise comments explaining the security rationale - Consider if changes may cause regressions - Follow the project's existing change/commit workflow - Run existing tests to confirm no regressions