web-security-hardening

Security audit checklist for web applications. Use when reviewing, auditing, or hardening a web app's security posture. Covers rate limiting, auth headers, IP blocking, CORS, security middleware, input validation, file upload limits, ORM usage, and password hashing. Triggers on requests like "review security", "harden this app", "security audit", "check for vulnerabilities", or when building/reviewing API endpoints.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "web-security-hardening" with this command: npx skills add dtsong/my-claude-setup/dtsong-my-claude-setup-web-security-hardening

Web Security Hardening

Security audit checklist for web applications. Run through each item when reviewing or building web apps.

Audit Workflow

  1. Identify the framework (Node.js/Express, Python/Django/Flask, etc.)
  2. Review each checklist item below
  3. For implementation details, see framework-specific references:
  4. For production deployments, see references/production-gcp.md for extended checklist covering:
    • GCP infrastructure (IAM, networking, secrets)
    • CI/CD pipeline security
    • Monitoring & incident response
  5. Report findings with severity and remediation steps

Security Checklist

1. Rate Limiting

Risk: DoS attacks, brute force attempts, API abuse

Check for:

  • Per-endpoint rate limits (stricter on auth endpoints)
  • Rate limit headers in responses (X-RateLimit-*)
  • Appropriate limits for different user tiers
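A minimal fixed-window limiter showing the first two checks together: a stricter policy on the auth endpoint and X-RateLimit-* headers on every response. This is an added example, not code from the skill; the route names, limits and client key are assumptions.

```javascript
// Added example; route names, limits and the client key are assumptions.
const POLICIES = new Map([
  ['POST /login', { limit: 5, windowMs: 60000 }], // auth endpoint: strict
  ['default', { limit: 100, windowMs: 60000 }],   // everything else
]);

function createLimiter(policies, now = () => Date.now()) {
  const windows = new Map(); // "<policy>|<client>" -> { count, resetAt }

  return function check(clientKey, route) {
    const name = policies.has(route) ? route : 'default';
    const { limit, windowMs } = policies.get(name);
    const key = `${name}|${clientKey}`;
    const t = now();

    let w = windows.get(key);
    if (!w || t >= w.resetAt) {
      w = { count: 0, resetAt: t + windowMs }; // start a fresh window
      windows.set(key, w);
    }
    w.count += 1;

    const allowed = w.count <= limit;
    const headers = {
      'X-RateLimit-Limit': String(limit),
      'X-RateLimit-Remaining': String(Math.max(0, limit - w.count)),
      'X-RateLimit-Reset': String(Math.ceil(w.resetAt / 1000)), // epoch seconds
    };
    if (!allowed) {
      // Tell well-behaved clients how long to back off.
      headers['Retry-After'] = String(Math.ceil((w.resetAt - t) / 1000));
    }
    return { status: allowed ? 200 : 429, headers };
  };
}
```

The window map lives in one process and is never pruned; a deployment with several instances needs a shared store and expiry.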

2. Security & Authorization Headers

Risk: XSS, clickjacking, MIME sniffing, info leakage

Required headers:

  • Strict-Transport-Security (HSTS)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY or SAMEORIGIN
  • Content-Security-Policy
  • Authorization header validation on protected routes

3. IP Block List (Public APIs)

Risk: Abuse from known bad actors, bot traffic

Check for:

  • IP-based blocking mechanism
  • Integration with threat intelligence feeds (optional)
  • Logging of blocked requests

4. CORS Configuration

Risk: Unauthorized cross-origin requests, data theft

Check for:

  • Explicit origin whitelist (not * in production)
  • Appropriate methods and headers allowed
  • Credentials handling if needed

5. Security Middleware

Risk: Common web vulnerabilities

Check for framework-appropriate middleware:

  • Node.js: helmet
  • Python: django-secure, flask-talisman
  • Sets multiple security headers automatically

6. Input Validation

Risk: Injection attacks, data corruption, XSS

Check for:

  • Frontend validation (UX, not security)
  • Backend validation (required for security)
  • Schema validation libraries (Zod, Joi, Pydantic, etc.)
  • Sanitization of user input before storage/display

7. File Upload Limits

Risk: Storage exhaustion, malicious file uploads

Check for:

  • Max file size limits
  • Allowed file type restrictions (MIME + extension)
  • File content validation (magic bytes)
  • Secure storage location (outside webroot)
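The size, type and magic-byte checks can be combined so that the declared MIME type, the extension and the sniffed content must all agree. This is an added example, not code from the skill; the 5 MiB cap and the three allowed types are assumptions.

```javascript
// Added example; the size cap and the allowed-type table are assumptions.
const MAX_BYTES = 5 * 1024 * 1024;
const ALLOWED = [
  { mime: 'image/png', exts: ['png'],
    magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', exts: ['jpg', 'jpeg'], magic: [0xff, 0xd8, 0xff] },
  { mime: 'application/pdf', exts: ['pdf'],
    magic: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
];

// Identify content by its leading bytes, never by what the client claims.
function sniff(bytes) {
  return ALLOWED.find((t) => t.magic.every((b, i) => bytes[i] === b)) || null;
}

function validateUpload({ filename, declaredMime, bytes }) {
  if (bytes.length === 0) return { ok: false, reason: 'empty' };
  if (bytes.length > MAX_BYTES) return { ok: false, reason: 'too_large' };

  const type = sniff(bytes);
  if (!type) return { ok: false, reason: 'unknown_content' };
  if (declaredMime !== type.mime) return { ok: false, reason: 'mime_mismatch' };

  // Only the final extension counts: "photo.png.php" is a .php file.
  const ext = filename.includes('.') ? filename.split('.').pop().toLowerCase() : '';
  if (!type.exts.includes(ext)) return { ok: false, reason: 'extension_mismatch' };

  return { ok: true, mime: type.mime };
}

// Constructed sample inputs (headers only, not complete files).
const PNG = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);
const JPEG = Uint8Array.from([0xff, 0xd8, 0xff, 0xe0, 0, 0x10]);
const HTML = Uint8Array.from('<html><script>'.split('').map((c) => c.charCodeAt(0)));
```

Matching magic bytes only shows how the file starts, so the stored file should still get a server-generated name and live outside the webroot, as the last checklist item says.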

8. ORM for Database Access

Risk: SQL injection

Check for:

  • Parameterized queries (never string concatenation)
  • ORM usage (Prisma, Sequelize, SQLAlchemy, Django ORM)
  • If raw SQL needed: prepared statements only

9. Password Hashing

Risk: Credential theft, rainbow table attacks

Check for:

  • Strong algorithm: bcrypt, Argon2, or scrypt
  • Appropriate cost factor (bcrypt rounds ≥10)
  • No MD5, SHA1, or plain SHA256 for passwords
  • No plaintext password storage or logging

Gotchas

  • CORS credentials: true + origin: '*' fails silently in browsers — must specify explicit origin when using credentials
  • helmet() defaults changed between v4 and v5 — CSP is no longer set by default in v5, must configure explicitly
  • CSP unsafe-inline negates most XSS protection — if you need inline scripts, use nonces or hashes instead
  • express.json() without limit accepts arbitrarily large payloads — always set limit: '1mb' or similar
  • httpOnly cookies prevent XSS token theft but NOT CSRF — still need CSRF tokens or SameSite=Strict
  • Rate limiting per IP fails behind reverse proxies — must set trust proxy and use X-Forwarded-For
  • bcrypt silently truncates passwords at 72 bytes — use Argon2 for long passphrases or pre-hash with SHA-256

const express = require('express');
const cors = require('cors');
const helmet = require('helmet');
const app = express();

// WRONG: credentials with wildcard origin (silently fails)
app.use(cors({ origin: '*', credentials: true }));
// RIGHT: explicit origin
app.use(cors({ origin: 'https://app.example.com', credentials: true }));

// WRONG: helmet v5 without CSP (no longer set by default)
app.use(helmet());
// RIGHT: explicit CSP
app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"] } } }));
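
For the reverse-proxy gotcha above, the rate-limit key has to come from the part of X-Forwarded-For that your own proxies wrote, not from the entry the client supplied. This is an added example, not code from the skill; the proxy addresses and sample requests are constructed.

```javascript
// Added example; proxy addresses and sample requests are constructed.
const TRUSTED_PROXIES = new Set(['10.0.0.5', '10.0.0.6']); // our own proxies

// Naive: the leftmost X-Forwarded-For entry is whatever the client sent.
function naiveClientIp(socketAddr, xff) {
  return xff ? xff.split(',')[0].trim() : socketAddr;
}

// Hardened: believe the header only when the TCP peer is one of our proxies,
// then walk right-to-left past our proxies to the first address they recorded.
function clientIp(socketAddr, xff, trusted = TRUSTED_PROXIES) {
  if (!trusted.has(socketAddr)) return socketAddr; // direct peer: ignore its XFF
  const hops = (xff || '').split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i]; // entries left of this are unverified
  }
  return socketAddr; // header empty or only our own proxies
}

// Constructed requests: one real client, 198.51.100.23, sending a different
// first X-Forwarded-For entry each time.
const SAMPLE = [
  { socketAddr: '10.0.0.5', xff: '192.0.2.1, 198.51.100.23' },
  { socketAddr: '10.0.0.5', xff: '192.0.2.2, 198.51.100.23, 10.0.0.6' },
  { socketAddr: '198.51.100.23', xff: '192.0.2.3' }, // did not pass through a proxy
];

// Number of separate rate-limit buckets the sample traffic lands in.
function distinctKeys(resolve) {
  return new Set(SAMPLE.map((r) => resolve(r.socketAddr, r.xff))).size;
}
```

With the naive resolver the three sample requests fall into three buckets; with the hardened one they share a single bucket keyed on the real client address.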

Audit Report Format

## Security Audit: [App Name]

### Summary
- **Items Passing**: X/9
- **Critical Issues**: X
- **Recommendations**: X

### Findings

#### [Item Name] - [PASS/FAIL/PARTIAL]
**Severity**: Critical/High/Medium/Low
**Finding**: [Description]
**Location**: [File/endpoint]
**Remediation**: [Steps to fix]

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
