1. Skill Overview
This skill applies to development work involving authentication/authorization logic, user input or file upload handling, new API endpoint creation, secret/credential usage, payment integration, sensitive data storage/transmission, and third-party API integration. It delivers a systematic security review framework covering the full security lifecycle from code writing through production deployment.
Core Principle: Security is non-negotiable — a single vulnerability can compromise the entire platform. When ambiguity exists, always adopt the more conservative secure implementation.
2. Core Capabilities
2.1 Secret Management
| Bad Practice ❌ |
Secure Practice ✅ |
const apiKey = "sk-proj-xxxxx" |
const apiKey = process.env.OPENAI_API_KEY |
const dbPassword = "password123" |
const dbUrl = process.env.DATABASE_URL |
Mandatory validation checks:
- No hardcoded API keys, tokens, or plaintext passwords anywhere in source code
- All secrets loaded exclusively from environment variables
.env.local added to .gitignore to prevent accidental commit
- No residual secrets present within git commit history
- Production credentials hosted on dedicated secret platforms (Vercel, Railway, etc.)
2.2 Input Validation
- Define strict validation schemas using libraries such as Zod
- Validate file upload attributes: file size, MIME type, and file extension
- Use allowlist validation logic instead of blocklist filtering
- Error messages returned to users must not leak internal sensitive details
import { z } from 'zod'
const CreateUserSchema = z.object({
email: z.string().email(),
name: z.string().min(1).max(100),
age: z.number().int().min(0).max(150)
})
2.3 SQL Injection Prevention
- Never concatenate raw SQL strings with untrusted user input
- Always use parameterized queries, ORMs, or query builders
- Utilize Supabase built-in methods like
.eq() for automatic safe parameter binding
// ❌ Unsafe vulnerable concatenation
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
// ✅ Secure parameterized query
await db.query('SELECT * FROM users WHERE email = $1', [userEmail])
2.4 Authentication & Authorization
| Bad Practice ❌ |
Secure Practice ✅ |
JWT stored in localStorage (high XSS exposure risk) |
JWT stored within HttpOnly, Secure, SameSite=Strict cookies |
- Enforce permission checks before executing any sensitive operations
- Enable Row Level Security (RLS) for all Supabase database tables
- Implement role-based access control (RBAC) for user permission segregation
2.5 XSS Prevention
- Sanitize user-submitted HTML markup using libraries such as DOMPurify
- Configure a restrictive Content Security Policy (CSP) header
- Leverage built-in automatic XSS escaping provided by frontend frameworks like React
import DOMPurify from 'isomorphic-dompurify'
const clean = DOMPurify.sanitize(html, {
ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
ALLOWED_ATTR: []
})
2.6 CSRF Protection
- Attach CSRF tokens to all state-modifying write operations
- Set
SameSite=Strict cookie attribute for all session cookies
- Implement the double-submit cookie security pattern
2.7 Rate Limiting
- Apply rate limiting middleware to every API endpoint
- Enforce stricter request quotas for resource-heavy operations such as search
- Support dual rate limiting strategies: IP-based and authenticated user-based tracking
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minute sliding window
max: 100, // Maximum 100 requests per window
message: 'Too many requests'
})
2.8 Sensitive Data Exposure Mitigation
- Never log plaintext passwords, authentication tokens, or full payment card data
- Return generic sanitized error messages to frontend users; retain detailed stack traces only on server-side logs
- Do not expose internal stack traces to client-side consumers
// ❌ Risky: Logging unredacted sensitive fields
console.log('User login:', { email, password })
// ✅ Secure: Redact sensitive credentials
console.log('User login:', { email, userId })
2.9 Blockchain (Solana) Security
- Verify full wallet signature authenticity before processing transactions
- Validate critical transaction parameters: recipient address and transfer amount
- Check user wallet balance prior to initiating outbound transfers
- Avoid blind, unvalidated transaction signing workflows
2.10 Dependency Security
- Execute
npm audit on a regular cadence to scan vulnerable packages
- Commit lockfiles (
package-lock.json / pnpm-lock.yaml) to source control
- Use
npm ci for deterministic dependency installation within CI/CD pipelines
- Enable GitHub Dependabot automated vulnerability alerts
- Schedule regular dependency security patch updates
3. Primary Use Cases
- Code review & security audit — Cross-reference the full checklist to detect common security vulnerabilities during pull request reviews
- Secure development guidance for new features — Reference standardized secure patterns when building authentication, API endpoints, and payment workflows
- Pre-production deployment security validation — Verify all security controls are fully implemented before shipping to production
- Team secure coding training — Serve as standardized secure coding specification documentation for engineering teams
- Vulnerability remediation reference — Quickly locate matching mitigation strategies after identifying security defects
4. Pre-Deployment Mandatory Checklist
All items must be verified and satisfied before production release:
- No hardcoded secrets; all credentials loaded via environment variables
- All untrusted user input fully validated with schema rules
- All database queries use safe parameterized binding
- User-generated HTML content sanitized against XSS
- CSRF protection enabled for all state-changing routes
- Secure token handling via HttpOnly cookies implemented
- Role-based authorization checks enforced for sensitive operations
- Rate limiting applied to every API endpoint
- HTTPS enforced for all production traffic
- Security response headers configured (CSP, X-Frame-Options, etc.)
- Public error messages contain no sensitive internal details
- Log output redacts passwords, tokens, and PII
- Dependencies updated with no unresolved disclosed CVEs
- Supabase Row Level Security enabled for all tables
- CORS origin policy strictly restricted to trusted domains
- File upload validation (size, MIME type, extension) fully functional
- Wallet signature validation implemented (blockchain workflows only)
5. Critical Guiding Principles
- Never hardcode secrets — all sensitive credentials must be injected via environment variables
- Always validate all user input — use schema-based allowlist validation, avoid blocklist logic
- Always use parameterized database queries — raw SQL string concatenation is forbidden
- Store tokens in HttpOnly cookies exclusively; avoid
localStorage for auth state
- Authorize before executing any privileged operation — validate user permissions upfront
- Sanitize all user-submitted HTML markup via dedicated libraries such as DOMPurify
- Enable rate limiting for every exposed API endpoint
- Redact all PII, passwords, and tokens from application log output
- Enable Row Level Security for all Supabase tables
- Regularly update dependencies and remediate all audit vulnerabilities
Summary
Security Review is a comprehensive code audit and security validation skill covering ten core security domains: secret management, input validation, SQL injection defense, authentication & authorization, XSS mitigation, CSRF protection, rate limiting, sensitive data exposure controls, Solana blockchain security, and dependency vulnerability management. It provides clear side-by-side bad/good code examples and a standardized pre-deployment verification checklist. Derived from the ECC project, it serves developers conducting code audits, building new feature functionality, performing pre-production security gates, delivering team secure coding training, and remediating disclosed vulnerabilities, with the core tenet that security is mandatory, as a single flaw can compromise the entire platform.