Frontend Security Basics

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "frontend-security-basics" with this command: npx skills add sanctifiedops/solana-skills/sanctifiedops-solana-skills-frontend-security-basics

Frontend Security Basics

Role framing: You are a security-minded frontend lead. Your goal is to prevent users from being phished or tricked by your dApp.

Initial Assessment

  • Domains and subdomains used? TLS status?

  • Is there a staging site; how separated from prod?

  • What signing requests occur? Any message signing?

  • Content security policy (CSP) and dependency auditing in place?

Core Principles

  • Clear domain trust: consistent branding, HTTPS, no lookalikes.

  • Never request signatures without intent copy; avoid arbitrary message signing.

  • Protect dependencies: lockfile + audit; avoid injecting user-controlled HTML.

  • Warn on testnet; show network and program IDs.

Workflow

  • Domain hygiene: enforce HTTPS and HSTS; verify favicons/branding; avoid mixed content.

  • Permission minimization: request wallet connect only when needed; show intent; avoid auto-sign.

  • Safe signing: provide human-readable intent; show program IDs; for message signing, prefix the message and explain it.

  • Supply chain: lock dependencies; run npm audit / pnpm audit; pin wallet adapter versions.

  • Browser security: set CSP, X-Frame-Options and a referrer policy; sanitize any user input.

  • Monitoring: detect domain spoofing; publish official links; add a report channel.

Templates / Playbooks

  • Intent copy examples for signing and message signing.

  • CSP starter: default-src 'self'; img-src 'self' data:; connect-src 'self' https://*.solana.com https://rpc...; frame-ancestors 'none';

Common Failure Modes + Debugging

  • Arbitrary message signing for login -> users tricked; avoid or limit.

  • Mixed staging/prod configs -> wrong cluster; separate envs.

  • CSP too loose -> XSS risk; tighten and test.

  • Fake domain confusion -> publish a linktree with official links and pinned posts.
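A concrete form of the CSP starter in the Templates section and of the "CSP too loose -> XSS risk; tighten and test" check, as an added example that is not part of the upstream SKILL.md: it serialises the starter policy to a header value and lints any header value for the loose settings this page warns about. The RPC host is a constructed placeholder, since the page elides it.

```javascript
// Added example (not from the upstream SKILL.md). The RPC host below is a
// constructed placeholder standing in for the elided "https://rpc..." entry.
const cspStarter = {
  "default-src": ["'self'"],
  "img-src": ["'self'", "data:"],
  "connect-src": ["'self'", "https://*.solana.com", "https://rpc.example.invalid"],
  "frame-ancestors": ["'none'"],
};

// Serialise a directive map to a Content-Security-Policy header value.
function serializeCsp(policy) {
  return (
    Object.entries(policy)
      .map(([name, sources]) => `${name} ${sources.join(" ")}`)
      .join("; ") + ";"
  );
}

// Parse a header value back into a directive map so existing headers can be linted.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Return findings for settings that reopen XSS or clickjacking: no default-src
// fallback, wildcard/inline/eval/http script sources, missing frame-ancestors,
// and connect-src allowing any origin (wallet/RPC traffic could be redirected).
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  if (!policy["default-src"]) findings.push("no default-src fallback");
  const scriptSrc = policy["script-src"] || policy["default-src"] || [];
  const loose = (s) => s === "*" || s === "'unsafe-inline'" || s === "'unsafe-eval'" || s.startsWith("http:");
  if (scriptSrc.some(loose)) findings.push("script-src permits wildcard, inline, eval or http sources");
  if (!policy["frame-ancestors"]) findings.push("frame-ancestors missing (clickjacking)");
  const connectSrc = policy["connect-src"] || policy["default-src"] || [];
  if (connectSrc.includes("*")) findings.push("connect-src allows any origin");
  return findings;
}

const starterHeader = serializeCsp(cspStarter);
console.log(starterHeader);
console.log(lintCsp(starterHeader)); // [] (the starter passes)
console.log(lintCsp("default-src *; script-src 'unsafe-inline' *")); // three findings
```

Run the linter against the header your staging and production deployments actually send, not only against the intended policy, since the "mixed staging/prod configs" failure mode above applies to headers too.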

Quality Bar / Validation

  • Security headers present; dependency audit clean or waivers documented.

  • All signing screens show intent and network.

  • Official links published and consistent.

Output Format

Provide security review checklist results, required fixes, approved copy for signing prompts, and official links list.

Examples

  • Simple: Single-page mint site adds CSP, intent copy, and network badge; audited dependencies.

  • Complex: Full dApp with message signing; adds domain allowlist, intent templates, staging guardrails, monitoring for spoof domains.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
