skills for everythingAgent Skill
2/7/2026security-best-practices
Security best practices, OWASP guidelines, secure coding patterns, and vulnerability prevention. Use when implementing authentication, handling user input, securing APIs, managing secrets, or reviewing code for security vulnerabilities.
J
jonathan0823
2GitHub Stars
1Views
npx skills add Jonathan0823/opencode-config
SKILL.md
| Name | security-best-practices |
| Description | Security best practices, OWASP guidelines, secure coding patterns, and vulnerability prevention. Use when implementing authentication, handling user input, securing APIs, managing secrets, or reviewing code for security vulnerabilities. |
name: security-best-practices description: Security best practices, OWASP guidelines, secure coding patterns, and vulnerability prevention. Use when implementing authentication, handling user input, securing APIs, managing secrets, or reviewing code for security vulnerabilities. license: MIT compatibility: opencode
Security Best Practices Skill
Overview
This skill provides security guidelines following OWASP Top 10, secure coding patterns, authentication/authorization best practices, secrets management, and vulnerability prevention across multiple languages.
OWASP Top 10 Summary
- Injection - Use parameterized queries, never concatenate user input into SQL/commands
- Broken Authentication - Implement strong passwords, secure sessions, rate limiting
- Sensitive Data Exposure - Encrypt data at rest, use HTTPS, hash passwords
- XML External Entities (XXE) - Disable external entities in XML parsers
- Broken Access Control - Enforce authorization checks, implement resource-level controls
- Security Misconfiguration - Secure defaults, minimal privileges, regular updates
- Cross-Site Scripting (XSS) - Escape output, sanitize input, use CSP headers
- Insecure Deserialization - Use JSON instead of pickle, validate data
- Known Vulnerabilities - Regular dependency scanning, keep components updated
- Insufficient Logging - Log security events, monitor for anomalies
Quick Security Checklist
Input Validation
- Validate all user input on server side
- Use allowlists, not denylists
- Sanitize data before display (prevent XSS)
- Validate file uploads (type, size, extension)
Authentication
- Use strong password requirements (12+ chars, complexity)
- Hash passwords with bcrypt/Argon2 (not MD5/SHA1)
- Implement rate limiting on login endpoints
- Use secure session management (HttpOnly, Secure, SameSite)
Authorization
- Check permissions on every request
- Implement principle of least privilege
- Use resource-level access controls
- Never rely on client-side checks
Data Protection
- Encrypt sensitive data at rest
- Use TLS 1.2+ for all connections
- Set security headers (HSTS, CSP, X-Frame-Options)
- Never log sensitive data (passwords, tokens, PII)
Secrets Management
- Use environment variables or secret managers
- Never commit secrets to version control
- Rotate secrets regularly
- Use different secrets per environment
Common Vulnerabilities Prevention
SQL Injection
# ✅ SAFE: Parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
# ❌ UNSAFE: String concatenation
query = f"SELECT * FROM users WHERE id = '{user_id}'"
XSS Prevention
# ✅ SAFE: Template auto-escaping
return render_template('profile.html', username=username)
# ❌ UNSAFE: Raw HTML
return f"<div>{user_input}</div>"
Command Injection
# ✅ SAFE: Use list, not shell
subprocess.run(["ls", "-la", directory], shell=False)
# ❌ UNSAFE: Shell with user input
os.system(f"ls -la {directory}")
Language-Specific Patterns
See detailed guides in references/:
- OWASP Top 10 Details - Comprehensive prevention for all 10 categories
- Secure Coding - Python - Python-specific security patterns
- Secure Coding - JavaScript - Node.js/Frontend security
- Secure Coding - Go - Go security patterns
- Secrets Management - AWS, Vault, GCP secret management
Security Headers
Always include these headers:
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
When to Use This Skill
Use this skill when:
- Implementing authentication and authorization systems
- Handling user input and data validation
- Setting up HTTPS and security headers
- Managing secrets and credentials
- Configuring CORS and CSP policies
- Reviewing code for security vulnerabilities
- Setting up logging and monitoring
- Configuring Docker and deployment security
Related Skills
@docker-patterns- Container security hardening@ci-cd-pipelines- Security scanning in CI/CD@api-rest-design- API security patterns@postgresql-patterns- Database security@feature-development- Secure development workflow
Skills Info
Original Name:security-best-practicesAuthor:jonathan0823
Download