audit-security

Use this skill to inspect code for common vulnerability patterns in the context of this specific project stack.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "audit-security" with this command: npx skills add iurygdeoliveira/labsis-kit/iurygdeoliveira-labsis-kit-audit-security

Security Audit Skill


When to use this skill

  • When the user asks to "check for vulnerabilities" or "audit security".

  • Before deploying critical features involving user input or file handling.

  • When reviewing Blade templates or Controllers.

Audit Checklist

  1. Cross-Site Scripting (XSS) in Blade

Pattern to Search: {!! !!} (unescaped output)

  • Rule: {{ }} is safe (output is HTML-escaped). {!! !!} is dangerous (output is rendered as raw HTML).

  • Action: Use grep_search for {!!.

  • Validation: Ensure variables inside {!! !!} are explicitly sanitized (e.g., using HtmlString from a trusted source, or Purifier).

  • Exception: Intentionally raw HTML from the CMS (must be sanitized on save).

  2. Content Security Policy (CSP)

File: app/Http/Middleware/SecurityHeadersMiddleware.php

  • Check: Are we allowing 'unsafe-inline' unnecessarily?

  • Check: Are external domains (S3, R2, Analytics) whitelisted?

  • Action: Verify that img-src and script-src include the necessary domains (e.g., *.r2.cloudflarestorage.com) and nothing broader.

  3. IDOR (Insecure Direct Object References)

Context: Controllers/Livewire Components accepting IDs.

  • Rule: Never trust an ID from the client without checking ownership/policy.

  • Check:

      • Does the route use Route Model Binding with scoping? (e.g., ->scopeBindings())

      • Does the controller method call $this->authorize('update', $model)?

      • In Filament: Do Resources use getEloquentQuery() with tenant scopes?

  4. Mass Assignment

Context: Models.

  • Rule: Avoid $guarded = [] unless strictly necessary and controlled.

  • Prefer: $fillable with an explicit list of fields.

Execution Steps

  • Search: Run grep_search patterns for potential issues.

  • Analyze: Read the surrounding code of matches.

  • Report: List findings classified by Severity (High/Medium/Low).

  • Fix: Propose specific code changes to mitigate.
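The search-analyze-report loop above, as an added Python example (not part of this skill or the labsis-kit project): it runs the raw Blade echo, mass assignment and CSP checks from the checklist over constructed sample sources and classifies each finding by severity. The wrapper names it treats as sanitizing (Purifier::clean, new HtmlString) and the path conventions used to pick which check applies are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    check: str
    severity: str  # High / Medium / Low, as in the skill's report step
    file: str
    line: int
    snippet: str

# Patterns taken from the checklist; the wrapper names treated as sanitizing are assumptions.
RAW_ECHO = re.compile(r"\{!!\s*(.*?)\s*!!\}")
SANITIZED = re.compile(r"\b(Purifier::clean|new HtmlString)\(")
UNGUARDED = re.compile(r"\$guarded\s*=\s*\[\s*\]")
UNSAFE_INLINE = re.compile(r"script-src[^;]*'unsafe-inline'")

def audit(files):
    """files maps a project-relative path to its source text; returns findings, High first."""
    findings = []
    for path, src in files.items():
        for n, line in enumerate(src.splitlines(), 1):
            if path.endswith(".blade.php"):
                for m in RAW_ECHO.finditer(line):
                    # Raw echo through a known sanitizer is still reported, but as Low.
                    sev = "Low" if SANITIZED.search(m.group(1)) else "High"
                    findings.append(Finding("XSS: raw Blade echo", sev, path, n, m.group(0)))
            elif "/Models/" in path and UNGUARDED.search(line):
                findings.append(Finding("Mass assignment: $guarded = []", "Medium", path, n, line.strip()))
            elif path.endswith("SecurityHeadersMiddleware.php") and UNSAFE_INLINE.search(line):
                findings.append(Finding("CSP: script-src allows 'unsafe-inline'", "Medium", path, n, line.strip()))
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.file, f.line))

# Constructed sample sources, not taken from any real project.
SAMPLE = {
    "resources/views/post.blade.php": (
        "<h1>{{ $post->title }}</h1>\n"
        "<div>{!! $post->body !!}</div>\n"
        "<div>{!! Purifier::clean($post->body) !!}</div>\n"
    ),
    "app/Models/Post.php": "class Post extends Model {\n    protected $guarded = [];\n}\n",
    "app/Http/Middleware/SecurityHeadersMiddleware.php": (
        "$csp = \"default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' *.r2.cloudflarestorage.com\";\n"
    ),
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f.severity}] {f.check} at {f.file}:{f.line}: {f.snippet}")
```

Each reported line still needs the Analyze step: the script only narrows down where to read, it does not prove a match is exploitable.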
