‹ 首页

secure-code-guardian

@jeffallan · 收录于 1 周前 · 上游提交 1 个月前

Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities — including custom security implementations such as hashing passwords with bcrypt/argon2, sanitizing SQL queries with parameterized statements, configuring CORS/CSP headers, validating input with Zod, and setting up JWT tokens. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention, secure session management, and security hardening. For pre-built OAuth/SSO integrations or standalone security audits, consider a more specialized skill.

适合你,如果你需要在代码中实现认证、授权或输入验证等安全措施

/ 下载安装
secure-code-guardian.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add jeffallan/claude-skills/secure-code-guardian
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- jeffallan/claude-skills/secure-code-guardian
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify jeffallan/claude-skills/secure-code-guardian
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
10501GitHub stars
~1.4K最小装载
~4.7K含声明引用
~4.7K文本包总量
镜像托管

怎么用

商店整理自技能原文 · 版本 e8be415 · 表述以原文为准
它做什么

装上后,Claude 会帮你编写安全的代码,比如用 bcrypt 加密密码、用参数化查询防止 SQL 注入、用 Zod 验证输入,并设置安全头。

什么时候触发

当你要求实现身份验证、授权、输入验证、加密或防范 OWASP Top 10 漏洞时触发。

装好后可以这样说
Claude 会生成安全的密码哈希代码。
Claude 会使用参数化查询实现。
Claude 会添加 helmet 中间件设置安全头。
技能原文 SKILL.md作者撰写 · MIT · e8be415

Secure Code Guardian

Core Workflow
  1. Threat model — Identify attack surface and threats
  2. Design — Plan security controls
  3. Implement — Write secure code with defense in depth; see code examples below
  4. Validate — Test security controls with explicit checkpoints (see below)
  5. Document — Record security decisions
Validation Checkpoints

After each implementation step, verify:

  • Authentication: Test brute-force protection (lockout/rate limit triggers), session fixation resistance, token expiration, and invalid-credential error messages (must not leak user existence).
  • Authorization: Verify horizontal and vertical privilege escalation paths are blocked; test with tokens belonging to different roles/users.
  • Input handling: Confirm SQL injection payloads (' OR 1=1--) are rejected; confirm XSS payloads (<script>alert(1)</script>) are escaped or rejected.
  • Headers/CORS: Validate with a security scanner (e.g., curl -I, Mozilla Observatory) that security headers are present and CORS origin allowlist is correct.
Reference Guide

Load detailed guidance based on context:

| Topic | Reference | Load When | |-------|-----------|-----------| | OWASP | references/owasp-prevention.md | OWASP Top 10 patterns | | Authentication | references/authentication.md | Password hashing, JWT | | Input Validation | references/input-validation.md | Zod, SQL injection | | XSS/CSRF | references/xss-csrf.md | XSS prevention, CSRF | | Headers | references/security-headers.md | Helmet, rate limiting |

Constraints
MUST DO
  • Hash passwords with bcrypt/argon2 (never MD5/SHA-1/unsalted hashes)
  • Use parameterized queries (never string-interpolated SQL)
  • Validate and sanitize all user input before use
  • Implement rate limiting on auth endpoints
  • Set security headers (CSP, HSTS, X-Frame-Options)
  • Log security events (failed auth, privilege escalation attempts)
  • Store secrets in environment variables or secret managers (never in source code)
MUST NOT DO
  • Store passwords in plaintext or reversibly encrypted form
  • Trust user input without validation
  • Expose sensitive data in logs or error responses
  • Use weak or deprecated algorithms (MD5, SHA-1, DES, ECB mode)
  • Hardcode secrets or credentials in code
Code Examples
Password Hashing (bcrypt)
import bcrypt from 'bcrypt';

const SALT_ROUNDS = 12; // minimum 10; 12 balances security and performance

export async function hashPassword(plaintext: string): Promise<string> {
  return bcrypt.hash(plaintext, SALT_ROUNDS);
}

export async function verifyPassword(plaintext: string, hash: string): Promise<boolean> {
  return bcrypt.compare(plaintext, hash);
}
Parameterized SQL Query (Node.js / pg)
// NEVER: `SELECT * FROM users WHERE email = '${email}'`
// ALWAYS: use positional parameters
import { Pool } from 'pg';
const pool = new Pool();

export async function getUserByEmail(email: string) {
  const { rows } = await pool.query(
    'SELECT id, email, role FROM users WHERE email = $1',
    [email]  // value passed separately — never interpolated
  );
  return rows[0] ?? null;
}
Input Validation with Zod
import { z } from 'zod';

const LoginSchema = z.object({
  email: z.string().email().max(254),
  password: z.string().min(8).max(128),
});

export function validateLoginInput(raw: unknown) {
  const result = LoginSchema.safeParse(raw);
  if (!result.success) {
    // Return generic error — never echo raw input back
    throw new Error('Invalid credentials format');
  }
  return result.data;
}
JWT Validation
import jwt from 'jsonwebtoken';

const JWT_SECRET = process.env.JWT_SECRET!; // never hardcode

export function verifyToken(token: string): jwt.JwtPayload {
  // Throws if expired, tampered, or wrong algorithm
  const payload = jwt.verify(token, JWT_SECRET, {
    algorithms: ['HS256'],   // explicitly allowlist algorithm
    issuer: 'your-app',
    audience: 'your-app',
  });
  if (typeof payload === 'string') throw new Error('Invalid token payload');
  return payload;
}
Securing an Endpoint — Full Flow
import express from 'express';
import rateLimit from 'express-rate-limit';
import helmet from 'helmet';

const app = express();
app.use(helmet()); // sets CSP, HSTS, X-Frame-Options, etc.
app.use(express.json({ limit: '10kb' })); // limit payload size

const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 10,                   // 10 attempts per window per IP
  standardHeaders: true,
  legacyHeaders: false,
});

app.post('/api/login', authLimiter, async (req, res) => {
  // 1. Validate input
  const { email, password } = validateLoginInput(req.body);

  // 2. Authenticate — parameterized query, constant-time compare
  const user = await getUserByEmail(email);
  if (!user || !(await verifyPassword(password, user.passwordHash))) {
    // Generic message — do not reveal whether email exists
    return res.status(401).json({ error: 'Invalid credentials' });
  }

  // 3. Authorize — issue scoped, short-lived token
  const token = jwt.sign(
    { sub: user.id, role: user.role },
    JWT_SECRET,
    { algorithm: 'HS256', expiresIn: '15m', issuer: 'your-app', audience: 'your-app' }
  );

  // 4. Secure response — token in httpOnly cookie, not body
  res.cookie('token', token, { httpOnly: true, secure: true, sameSite: 'strict' });
  return res.json({ message: 'Authenticated' });
});
Output Templates

When implementing security features, provide:

  1. Secure implementation code
  2. Security considerations noted
  3. Configuration requirements (env vars, headers)
  4. Testing recommendations
Knowledge Reference

OWASP Top 10, bcrypt/argon2, JWT, OAuth 2.0, OIDC, CSP, CORS, rate limiting, input validation, output encoding, encryption (AES, RSA), TLS, security headers

Documentation

按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。