安全最佳实践指南：识别语言框架漏洞，编写安全代码与生成修复报告

security-best-practices by openai/skills

779 周安装量

15,300 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/openai/skills --skill security-best-practices

开发自动化安全

🇨🇳中文介绍

安全最佳实践

概述

本技能描述了如何识别当前上下文所使用的语言和框架，然后从本技能的参考资料目录中加载关于该语言和/或框架的安全最佳实践信息。

如果存在此信息，可用于编写默认安全的新代码，或被动检测现有代码中的主要问题，或（如果用户要求）提供漏洞报告并建议修复方案。

工作流程

本技能的第一步是识别您被要求使用的或您正在处理的项目范围内已存在的所有语言和所有框架。重点关注核心的主要框架。通常您需要同时识别前端和后端的语言和框架。

然后检查本技能的参考资料目录，查看是否有该语言和/或框架的相关文档。请确保阅读与该特定框架或语言相关的所有参考文件。文件名的格式为 <language>-<framework>-<stack>-security.md。您还应检查是否存在 <language>-general-<stack>-security.md 文件，该文件不依赖于您可能使用的特定框架。

如果正在处理包含前端和后端的 Web 应用程序，请确保您已检查了前端和后端两方面的参考文档！

如果要求您创建一个包含前端和后端的 Web 应用，但未指定前端框架，也请查看 javascript-general-web-frontend-security.md。理解如何确保前端和后端的安全非常重要。

如果技能的参考资料目录中没有相关信息，请思考一下您对该语言、该框架以及所有众所周知的安全最佳实践了解多少。如果不确定，可以尝试在线搜索有关安全最佳实践的文档。

之后，它可以以几种方式运行。

主要模式是仅使用这些信息，从此刻开始编写默认安全的代码。这对于启动新项目或编写新代码非常有用。
次要模式是在项目中工作并为用户编写代码时，被动检测漏洞。可以标记出关键的或非常重要的漏洞，或违反安全指导原则的主要问题，并告知用户。这种被动模式应侧重于影响最大的漏洞和安全默认设置。

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

工作流程决策树

如果语言/框架不明确，请检查代码库以确定它，并列出您的证据。
如果 references/ 目录中存在匹配的指导，仅加载相关文件并遵循其指示。
如果没有匹配的指导，请考虑您是否了解所选语言和/或框架的任何众所周知的安全最佳实践，但如果要求生成报告，请告知用户具体的指导不可用（您仍然可以生成报告或检测确定的严重漏洞）。

虽然这些参考资料包含了语言和框架的安全最佳实践，但客户可能在某些情况下需要绕过或覆盖这些实践。请注意项目文档和提示文件中的特定规则和指示，这些可能要求您覆盖某些最佳实践。当覆盖最佳实践时，您可以向用户报告，但不要与用户争论。如果由于某些项目特定原因需要绕过/忽略某个安全最佳实践，您也可以建议将此记录到项目文档中，以便清楚地说明为何不遵循该最佳实践，并在未来遵循该绕过方案。

生成报告时，您应将报告以 Markdown 文件形式写入 security_best_practices_report.md，或者用户提供的其他位置。您可以询问用户希望将报告写入何处。

报告顶部应有一个简短的执行摘要。

报告应根据漏洞的严重性清晰地划分为多个部分。报告应侧重于最关键的问题，因为这些对用户的影响最大。所有发现的问题都应标注数字 ID，以便于引用。

对于关键发现，请包含一句影响说明。

报告撰写完成后，也应直接向用户报告，尽管您可以不那么冗长。如果用户想了解更多关于任何发现的信息，您可以主动解释任何发现或安全最佳实践指导背后的原因。

重要提示：在报告中引用代码时，请确保找到并包含您所引用代码的行号。

撰写完报告文件后，向用户总结发现的问题。

同时告知用户最终报告写入的位置。

如果您生成了报告，请让用户阅读报告，并询问是否开始执行修复。

如果您被动地发现了一个关键问题，请通知用户并询问他们是否希望您修复此问题。

进行修复时，请专注于一次修复一个发现的问题。修复应附有简洁清晰的注释，解释新代码是基于特定的安全最佳实践，或许还可以简要说明不这样做可能带来的危险。

始终考虑您想要进行的更改是否会影响用户代码的功能。考虑更改是否可能导致项目当前工作方式的回归。通常，不安全的代码由于其他原因而被依赖（这也是不安全的代码能存在很长时间的原因）。避免破坏用户的项目，因为这可能使他们将来不愿意应用安全修复。最好是经过深思熟虑、充分了解项目其余部分后，再进行修复，而不是匆忙地进行草率的更改。

始终遵循用户配置的任何正常变更或提交流程。如果进行 git 提交，请提供清晰的提交信息，说明这是为了符合安全最佳实践。尽量避免将多个不相关的问题合并到一次提交中。

始终遵循用户配置的任何正常测试流程（如果有），以确认您的更改不会引入回归问题。考虑更改可能产生的二阶影响，并在进行更改前告知用户（如果有的话）。

以下是一些适用于几乎所有语言或框架的安全编码建议。

避免对资源的公开 ID 使用递增 ID

在为某些资源分配 ID 时，如果该 ID 将暴露在互联网上使用，请避免使用小的自增 ID。应使用更长的、随机的 UUID4 或随机十六进制字符串。这将防止用户了解资源的数量并能够猜测资源 ID。

关于 TLS 的说明

虽然 TLS 对于生产部署很重要，但大多数开发工作将在 TLS 禁用或由某些超出范围的 TLS 代理提供的情况下进行。因此，请务必小心，不要将缺少 TLS 报告为安全问题。同时，在使用 "secure" cookie 时要非常小心。只有在应用程序确实通过 TLS 运行时才应设置它们。如果在非 TLS 应用程序上设置（例如在本地开发或测试部署时），将会破坏应用程序。您可以提供一个环境变量或其他标志来覆盖安全设置，以便在 TLS 生产部署之前保持其关闭状态。此外，避免推荐 HSTS。在不完全理解其持久影响（可能导致重大中断和用户锁定）的情况下使用它是危险的，并且通常不建议在 codex 审查的项目范围内使用。

🇺🇸English

Security Best Practices

Overview

This skill provides a description of how to identify the language and frameworks used by the current context, and then to load information from this skill's references directory about the security best practices for this language and or frameworks.

This information, if present, can be used to write new secure by default code, or to passively detect major issues within existing code, or (if requested by the user) provide a vulnerability report and suggest fixes.

Workflow

The initial step for this skill is to identify ALL languages and ALL frameworks which you are being asked to use or already exist in the scope of the project you are working in. Focus on the primary core frameworks. Often you will want to identify both frontend and backend languages and frameworks.

Then check this skill's references directory to see if there are any relevant documentation for the language and or frameworks. Make sure you read ALL reference files which relate to the specific framework or language. The format of the filenames is <language>-<framework>-<stack>-security.md. You should also check if there is a <language>-general-<stack>-security.md which is agnostic to the framework you may be using.

If working on a web application which includes a frontend and a backend, make sure you have checked for reference documents for BOTH the frontend and backend!

If you are asked to make a web app which will include both a frontend and backend, but the frontend framework is not specified, also check out javascript-general-web-frontend-security.md. It is important that you understand how to secure both the frontend and backend.

If no relevant information is available in the skill's references directory, think a little bit about what you know about the language, the framework, and all well known security best practices for it. If you are unsure you can try to search online for documentation on security best practices.

From there it can operate in a few ways.

The primary mode is to just use the information to write secure by default code from this point forward. This is useful for starting a new project or when writing new code.
The secondary mode is to passively detect vulnerabilities while working in the project and writing code for the user. Critical or very important vulnerabilities or major issues going against security guidance can be flagged and the user can be told about them. This passive mode should focus on the largest impact vulnerabilities and secure defaults.
The user can ask for a security report or to improve the security of the codebase. In this case a full report should be produced describe anyways the project fails to follow security best practices guidance. The report should be prioritized and have clear sections of severity and urgency. Then offer to start working on fixes for these issues. See #fixes below.

Workflow Decision Tree

If the language/framework is unclear, inspect the repo to determine it and list your evidence.
If matching guidance exists in references/, load only the relevant files and follow their instructions.
If no matching guidance exists, consider if you know any well known security best practices for the chosen language and or frameworks, but if asked to generate a report, let the user know that concrete guidance is not available (you can still generate the report or detect for sure critical vulnerabilities)

Overrides

While these references contain the security best practices for languages and frameworks, customers may have cases where they need to bypass or override these practices. Pay attention to specific rules and instructions in the project's documentation and prompt files which may require you to override certain best practices. When overriding a best practice, you MAY report it to the user, but do not fight with them. If a security best practice needs to be bypassed / ignored for some project specific reason, you can also suggest to add documentation about this to the project so it is clear why the best practice is not being followed and to follow that bypass in the future.

Report Format

When producing a report, you should write the report as a markdown file in security_best_practices_report.md or some other location if provided by the user. You can ask the user where they would like the report to be written to.

The report should have a short executive summary at the top.

The report should be clearly delineated into multiple sections based on severity of the vulnerability. The report should focus on the most critical findings as these have the highest impact for the user. All findings should be noted with an numeric ID to make them easier to reference.

For critical findings include a one sentence impact statement.

Once the report is written, also report it to the user directly, although you may be less verbose. You can offer to explain any of the findings or the reasons behind the security best practices guidance if the user wants more info on any findings.

Important: When referencing code in the report, make sure to find and include line numbers for the code you are referencing.

After you write the report file, summarize the findings to the user.

Also tell the user where the final report was written to

Fixes

If you produced a report, let the user read the report and ask to begin performing fixes.

If you passively found a critical finding, notify the user and ask if they would like you to fix this finding.

When producing fixes, focus on fixing a single finding at a time. The fixes should have concise clear comments explaining that the new code is based on the specific security best practice, and perhaps a very short reason why it would be dangerous to not do it in this way.

Always consider if the changes you want to make will impact the functionality of the user's code. Consider if the changes may cause regressions with how the project works currently. It is often the case that insecure code is relied on for other reasons (and this is why insecure code lives on for so long). Avoid breaking the user's project as this may make them not want to apply security fixes in the future. It is better to write a well thought out, well informed by the rest of the project, fix, then a quick slapdash change.

Always follow any normal change or commit flow the user has configured. If making git commits, provide clear commit messages explaining this is to align with security best practices. Try to avoid bunching a number of unrelated findings into a single commit.

Always follow any normal testing flows the user has configured (if any) to confirm that your changes are not introducing regressions. Consider the second order impacts the changes may have and inform the user before making them if there are any.

General Security Advice

Below is a few bits of secure coding advice that applies to almost any language or framework.

Avoid Using Incrementing IDs for Public IDs of Resources

When assigning an ID for some resource, which will then be used by exposed to the internet, avoid using small auto-incrementing IDs. Use longer, random UUID4 or random hex string instead. This will prevent users from learning the quantity of a resource and being able to guess resource IDs.

A note on TLS

While TLS is important for production deployments, most development work will be with TLS disabled or provided by some out-of-scope TLS proxy. Due to this, be very careful about not reporting lack of TLS as a security issue. Also be very careful around use of "secure" cookies. They should only be set if the application will actually be over TLS. If they are set on non-TLS applications (such as when deployed for local dev or testing), it will break the application. You can provide a env or other flag to override setting secure as a way to keep it off until on a TLS production deployment. Additionally avoid recommending HSTS. It is dangerous to use without full understanding of the lasting impacts (can cause major outages and user lockout) and it is not generally recommended for the scope of projects being reviewed by codex.

Weekly Installs

779

Repository

openai/skills

GitHub Stars

15.3K

First Seen

Feb 2, 2026

Security Audits

Gen Agent Trust HubFail SocketPass SnykPass

Installed on

codex675

opencode643

github-copilot629

gemini-cli624

cursor598

kimi-cli581

agent-browser 浏览器自动化工具 - Vercel Labs 命令行网页操作与测试

136,300 周安装