‹ 首页

security-hardening

@developersglobal · 收录于 1 周前

Applies OWASP Top 10, secrets management, and least-privilege principles before any code ships. Security is a build step, not an afterthought.

适合你,如果需要在开发流程中嵌入安全审查

/ 下载安装
security-hardening.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add developersglobal/ai-agent-skills/security-hardening
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- developersglobal/ai-agent-skills/security-hardening
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify developersglobal/ai-agent-skills/security-hardening
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
64GitHub stars
~1.1K上下文体积 · 单文件
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · f47f948
Overview

Security vulnerabilities are almost always cheaper to prevent than to remediate. This skill embeds security review as a required gate in the development workflow — not a separate audit that happens later (and often never).

When to Use
  • Before any code involving user input
  • Before any code touching authentication, authorization, or sessions
  • Before any API endpoint is created or modified
  • Before any code that handles secrets, credentials, or PII
  • Before any code that makes outbound network requests
Process
Step 1: Threat Model the Change
  1. Ask: Who are the attackers? What are they trying to achieve?
  2. Identify all trust boundaries in the code:
  3. Where does user-controlled data enter the system?
  4. Where does that data flow?
  5. Where is it stored or transmitted?
  6. For each trust boundary, name the top 3 attack vectors.

Verify: You can name at least one realistic attack scenario for this code.

Step 2: Apply OWASP Top 10 Checklist
  1. For each applicable item, confirm it is addressed:

| OWASP Item | Check | |------------|-------| | A01 Broken Access Control | Authorization checked at every endpoint? Principle of least privilege applied? | | A02 Cryptographic Failures | No plaintext PII/secrets? Using modern algorithms (AES-256, SHA-256+)? TLS everywhere? | | A03 Injection | All user input parameterized/sanitized? No raw SQL/shell construction? | | A04 Insecure Design | Threat model done? Secure defaults? Fail closed (not open)? | | A05 Security Misconfiguration | No default credentials? Unnecessary features disabled? Error messages don't leak internals? | | A06 Vulnerable Components | Dependencies up to date? Known CVEs checked? | | A07 Auth Failures | Brute-force protection? Session management correct? MFA available? | | A08 Software Integrity | Dependencies verified? Supply chain integrity? | | A09 Logging Failures | Security events logged? No secrets in logs? Logs protected from tampering? | | A10 SSRF | Outbound requests validated? Internal IPs blocked from user-controlled URLs? |

Verify: Each applicable item is either addressed or explicitly accepted as a known risk.

Step 3: Secrets Management
  1. No hardcoded secrets — ever. Not even in dev/test code.
  2. Secrets are stored in: environment variables, secrets manager (Vault, AWS Secrets Manager, etc.), or encrypted config.
  3. Secrets are never logged, printed, or included in error messages.
  4. Secrets are never committed to git (check .gitignore and use pre-commit hooks).

Verify: git grep -i 'password\|secret\|key\|token' returns no hardcoded values in code.

Step 4: Input Validation
  1. Every piece of external input is validated:
  2. Type check
  3. Length/size limits
  4. Allowlist of expected values (not blocklist)
  5. Reject and log unexpected input — never silently ignore
  6. User-controlled data is never concatenated into SQL, shell commands, HTML, or file paths without proper escaping/parameterization.

Verify: All external input has explicit validation with reject-by-default behavior.

Step 5: Least Privilege
  1. Database connections use the minimum required permissions.
  2. API tokens have the minimum required scopes.
  3. Service accounts cannot access resources they don't need.
  4. Default deny — access must be explicitly granted, not implicitly inherited.

Verify: List every permission granted by this code. Is each one required?

Common Rationalizations (and Rebuttals)

| Excuse | Rebuttal | |--------|----------| | "It's internal only" | Internal services get breached too. Zero-trust applies internally. | | "We'll add auth later" | Auth bolted on later is always broken. Design it in from the start. | | "The input is from our own frontend" | Attackers don't use your frontend. Validate on the server, always. | | "It's a dev environment" | Dev environments get credentials from prod. Treat them accordingly. | | "The secret is in a config file, not code" | Is the config file in git? Is it world-readable? Config files are not safe. |

Red Flags
  • User input directly interpolated into queries or commands
  • Authentication middleware that can be bypassed
  • Error messages that include stack traces or SQL queries
  • API keys or passwords in source code or comments
  • Missing authorization check on any endpoint
  • HTTP used instead of HTTPS for any sensitive data
Verification
  • [ ] OWASP Top 10 checklist reviewed for applicable items
  • [ ] No hardcoded secrets (git grep clean)
  • [ ] All external input validated (type, length, allowlist)
  • [ ] No raw SQL/shell from user input
  • [ ] Least privilege applied to all credentials
  • [ ] Security events are logged (but secrets are not)
  • [ ] Dependency vulnerabilities checked
References
  • OWASP Top 10
  • [prompt-injection-defense skill](../prompt-injection-defense/SKILL.md)
  • [references/security-checklist.md](../../references/security-checklist.md)
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。