代码安全审查清单：密钥管理、SQL注入防护、身份验证最佳实践

security-review by affaan-m/everything-claude-code

3,200 周安装量

102,100 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/affaan-m/everything-claude-code --skill security-review

开发安全

🇨🇳中文介绍

安全审查技能

此技能确保所有代码遵循安全最佳实践，并识别潜在漏洞。

何时激活

实施身份验证或授权时
处理用户输入或文件上传时
创建新的 API 端点时
处理密钥或凭据时
实现支付功能时
存储或传输敏感数据时
集成第三方 API 时

安全检查清单

1. 密钥管理

❌ 绝对不要这样做

const apiKey = "sk-proj-xxxxx"  // 硬编码的密钥
const dbPassword = "password123" // 在源代码中

✅ 始终这样做

const apiKey = process.env.OPENAI_API_KEY
const dbUrl = process.env.DATABASE_URL

// 验证密钥是否存在
if (!apiKey) {
  throw new Error('OPENAI_API_KEY not configured')
}

验证步骤

没有硬编码的 API 密钥、令牌或密码
所有密钥都存储在环境变量中
.env.local 已添加到 .gitignore
git 历史记录中没有密钥
生产环境密钥存储在托管平台中（Vercel, Railway）

2. 输入验证

始终验证用户输入

import { z } from 'zod'

// 定义验证模式
const CreateUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  age: z.number().int().min(0).max(150)
})

// 在处理前进行验证
export async function createUser(input: unknown) {
  try {
    const validated = CreateUserSchema.parse(input)
    return await db.users.create(validated)
  } catch (error) {
    if (error instanceof z.ZodError) {
      return { success: false, errors: error.errors }
    }
    throw error
  }
}

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

4. 身份验证与授权

// ❌ 错误：localStorage（易受 XSS 攻击）
localStorage.setItem('token', token)

// ✅ 正确：httpOnly cookies
res.setHeader('Set-Cookie',
  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)

export async function deleteUser(userId: string, requesterId: string) {
  // 始终先验证授权
  const requester = await db.users.findUnique({
    where: { id: requesterId }
  })

  if (requester.role !== 'admin') {
    return NextResponse.json(
      { error: 'Unauthorized' },
      { status: 403 }
    )
  }

  // 继续执行删除操作
  await db.users.delete({ where: { id: userId } })
}

行级安全性（Supabase）

-- 在所有表上启用 RLS
ALTER TABLE users ENABLE ROW LEVEL SECURITY;

-- 用户只能查看自己的数据
CREATE POLICY "Users view own data"
  ON users FOR SELECT
  USING (auth.uid() = id);

-- 用户只能更新自己的数据
CREATE POLICY "Users update own data"
  ON users FOR UPDATE
  USING (auth.uid() = id);

令牌存储在 httpOnly cookies 中（而非 localStorage）
在执行敏感操作前进行授权检查
在 Supabase 中启用了行级安全性
实现了基于角色的访问控制
会话管理安全

import DOMPurify from 'isomorphic-dompurify'

// 始终清理用户提供的 HTML
function renderUserContent(html: string) {
  const clean = DOMPurify.sanitize(html, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
    ALLOWED_ATTR: []
  })
  return <div dangerouslySetInnerHTML={{ __html: clean }} />
}

// next.config.js
const securityHeaders = [
  {
    key: 'Content-Security-Policy',
    value: `
      default-src 'self';
      script-src 'self' 'unsafe-eval' 'unsafe-inline';
      style-src 'self' 'unsafe-inline';
      img-src 'self' data: https:;
      font-src 'self';
      connect-src 'self' https://api.example.com;
    `.replace(/\s{2,}/g, ' ').trim()
  }
]

用户提供的 HTML 已清理
已配置 CSP 头部
没有未经验证的动态内容渲染
使用了 React 内置的 XSS 防护

import { csrf } from '@/lib/csrf'

export async function POST(request: Request) {
  const token = request.headers.get('X-CSRF-Token')

  if (!csrf.verify(token)) {
    return NextResponse.json(
      { error: 'Invalid CSRF token' },
      { status: 403 }
    )
  }

  // 处理请求
}

res.setHeader('Set-Cookie',
  `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)

在状态更改操作上使用 CSRF 令牌
所有 cookie 都设置 SameSite=Strict
实现了双重提交 cookie 模式

import rateLimit from 'express-rate-limit'

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 分钟
  max: 100, // 每个窗口 100 个请求
  message: 'Too many requests'
})

// 应用到路由
app.use('/api/', limiter)

// 对搜索实施严格的速率限制
const searchLimiter = rateLimit({
  windowMs: 60 * 1000, // 1 分钟
  max: 10, // 每分钟 10 个请求
  message: 'Too many search requests'
})

app.use('/api/search', searchLimiter)

所有 API 端点都实施了速率限制
对昂贵操作实施更严格的限制
基于 IP 的速率限制
基于用户的速率限制（已认证）

8. 敏感数据暴露

// ❌ 错误：记录敏感数据
console.log('User login:', { email, password })
console.log('Payment:', { cardNumber, cvv })

// ✅ 正确：隐藏敏感数据
console.log('User login:', { email, userId })
console.log('Payment:', { last4: card.last4, userId })

// ❌ 错误：暴露内部细节
catch (error) {
  return NextResponse.json(
    { error: error.message, stack: error.stack },
    { status: 500 }
  )
}

// ✅ 正确：通用错误消息
catch (error) {
  console.error('Internal error:', error)
  return NextResponse.json(
    { error: 'An error occurred. Please try again.' },
    { status: 500 }
  )
}

日志中没有密码、令牌或密钥
面向用户的错误消息是通用的
详细错误仅记录在服务器日志中
不向用户暴露堆栈跟踪

9. 区块链安全（Solana）

import { verify } from '@solana/web3.js'

async function verifyWalletOwnership(
  publicKey: string,
  signature: string,
  message: string
) {
  try {
    const isValid = verify(
      Buffer.from(message),
      Buffer.from(signature, 'base64'),
      Buffer.from(publicKey, 'base64')
    )
    return isValid
  } catch (error) {
    return false
  }
}

async function verifyTransaction(transaction: Transaction) {
  // 验证接收方
  if (transaction.to !== expectedRecipient) {
    throw new Error('Invalid recipient')
  }

  // 验证金额
  if (transaction.amount > maxAmount) {
    throw new Error('Amount exceeds limit')
  }

  // 验证用户有足够的余额
  const balance = await getBalance(transaction.from)
  if (balance < transaction.amount) {
    throw new Error('Insufficient balance')
  }

  return true
}

已验证钱包签名
已验证交易详情
交易前进行余额检查
没有盲目的交易签名

# 检查漏洞
npm audit

# 自动修复可修复的问题
npm audit fix

# 更新依赖项
npm update

# 检查过时的包
npm outdated

# 始终提交锁定文件
git add package-lock.json

# 在 CI/CD 中使用以实现可重现的构建
npm ci  # 而不是 npm install

依赖项是最新的
没有已知漏洞（npm audit 结果干净）
已提交锁定文件
在 GitHub 上启用了 Dependabot
定期进行安全更新

自动化安全测试

// 测试身份验证
test('requires authentication', async () => {
  const response = await fetch('/api/protected')
  expect(response.status).toBe(401)
})

// 测试授权
test('requires admin role', async () => {
  const response = await fetch('/api/admin', {
    headers: { Authorization: `Bearer ${userToken}` }
  })
  expect(response.status).toBe(403)
})

// 测试输入验证
test('rejects invalid input', async () => {
  const response = await fetch('/api/users', {
    method: 'POST',
    body: JSON.stringify({ email: 'not-an-email' })
  })
  expect(response.status).toBe(400)
})

// 测试速率限制
test('enforces rate limits', async () => {
  const requests = Array(101).fill(null).map(() =>
    fetch('/api/endpoint')
  )

  const responses = await Promise.all(requests)
  const tooManyRequests = responses.filter(r => r.status === 429)

  expect(tooManyRequests.length).toBeGreaterThan(0)
})

部署前安全检查清单

在任何生产部署之前：

密钥：没有硬编码的密钥，全部在环境变量中
输入验证：所有用户输入都已验证
SQL 注入：所有查询都已参数化
XSS：用户内容已清理
CSRF：防护已启用
身份验证：正确的令牌处理
授权：角色检查已就位
速率限制：所有端点都已启用
HTTPS：在生产环境中强制执行
安全头部：CSP、X-Frame-Options 已配置
错误处理：错误中没有敏感数据
日志记录：没有记录敏感数据
依赖项：已更新，没有漏洞
行级安全性：在 Supabase 中已启用
CORS：已正确配置
文件上传：已验证（大小、类型）
钱包签名：已验证（如果涉及区块链）

请记住：安全不是可选的。一个漏洞就可能危及整个平台。如有疑问，请谨慎行事。

🇺🇸English

Security Review Skill

This skill ensures all code follows security best practices and identifies potential vulnerabilities.

When to Activate

Implementing authentication or authorization
Handling user input or file uploads
Creating new API endpoints
Working with secrets or credentials
Implementing payment features
Storing or transmitting sensitive data
Integrating third-party APIs

Security Checklist

1. Secrets Management

❌ NEVER Do This

const apiKey = "sk-proj-xxxxx"  // Hardcoded secret
const dbPassword = "password123" // In source code

✅ ALWAYS Do This

const apiKey = process.env.OPENAI_API_KEY
const dbUrl = process.env.DATABASE_URL

// Verify secrets exist
if (!apiKey) {
  throw new Error('OPENAI_API_KEY not configured')
}

Verification Steps

No hardcoded API keys, tokens, or passwords
All secrets in environment variables
.env.local in .gitignore
No secrets in git history
Production secrets in hosting platform (Vercel, Railway)

2. Input Validation

Always Validate User Input

import { z } from 'zod'

// Define validation schema
const CreateUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  age: z.number().int().min(0).max(150)
})

// Validate before processing
export async function createUser(input: unknown) {
  try {
    const validated = CreateUserSchema.parse(input)
    return await db.users.create(validated)
  } catch (error) {
    if (error instanceof z.ZodError) {
      return { success: false, errors: error.errors }
    }
    throw error
  }
}

File Upload Validation

function validateFileUpload(file: File) {
  // Size check (5MB max)
  const maxSize = 5 * 1024 * 1024
  if (file.size > maxSize) {
    throw new Error('File too large (max 5MB)')
  }

  // Type check
  const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']
  if (!allowedTypes.includes(file.type)) {
    throw new Error('Invalid file type')
  }

  // Extension check
  const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']
  const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]
  if (!extension || !allowedExtensions.includes(extension)) {
    throw new Error('Invalid file extension')
  }

  return true
}

Verification Steps

All user inputs validated with schemas
File uploads restricted (size, type, extension)
No direct use of user input in queries
Whitelist validation (not blacklist)
Error messages don't leak sensitive info

3. SQL Injection Prevention

❌ NEVER Concatenate SQL

// DANGEROUS - SQL Injection vulnerability
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
await db.query(query)

✅ ALWAYS Use Parameterized Queries

// Safe - parameterized query
const { data } = await supabase
  .from('users')
  .select('*')
  .eq('email', userEmail)

// Or with raw SQL
await db.query(
  'SELECT * FROM users WHERE email = $1',
  [userEmail]
)

Verification Steps

All database queries use parameterized queries
No string concatenation in SQL
ORM/query builder used correctly
Supabase queries properly sanitized

4. Authentication & Authorization

JWT Token Handling

// ❌ WRONG: localStorage (vulnerable to XSS)
localStorage.setItem('token', token)

// ✅ CORRECT: httpOnly cookies
res.setHeader('Set-Cookie',
  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)

Authorization Checks

export async function deleteUser(userId: string, requesterId: string) {
  // ALWAYS verify authorization first
  const requester = await db.users.findUnique({
    where: { id: requesterId }
  })

  if (requester.role !== 'admin') {
    return NextResponse.json(
      { error: 'Unauthorized' },
      { status: 403 }
    )
  }

  // Proceed with deletion
  await db.users.delete({ where: { id: userId } })
}

Row Level Security (Supabase)

-- Enable RLS on all tables
ALTER TABLE users ENABLE ROW LEVEL SECURITY;

-- Users can only view their own data
CREATE POLICY "Users view own data"
  ON users FOR SELECT
  USING (auth.uid() = id);

-- Users can only update their own data
CREATE POLICY "Users update own data"
  ON users FOR UPDATE
  USING (auth.uid() = id);

Verification Steps

Tokens stored in httpOnly cookies (not localStorage)
Authorization checks before sensitive operations
Row Level Security enabled in Supabase
Role-based access control implemented
Session management secure

5. XSS Prevention

Sanitize HTML

import DOMPurify from 'isomorphic-dompurify'

// ALWAYS sanitize user-provided HTML
function renderUserContent(html: string) {
  const clean = DOMPurify.sanitize(html, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
    ALLOWED_ATTR: []
  })
  return <div dangerouslySetInnerHTML={{ __html: clean }} />
}

Content Security Policy

// next.config.js
const securityHeaders = [
  {
    key: 'Content-Security-Policy',
    value: `
      default-src 'self';
      script-src 'self' 'unsafe-eval' 'unsafe-inline';
      style-src 'self' 'unsafe-inline';
      img-src 'self' data: https:;
      font-src 'self';
      connect-src 'self' https://api.example.com;
    `.replace(/\s{2,}/g, ' ').trim()
  }
]

Verification Steps

User-provided HTML sanitized
CSP headers configured
No unvalidated dynamic content rendering
React's built-in XSS protection used

6. CSRF Protection

CSRF Tokens

import { csrf } from '@/lib/csrf'

export async function POST(request: Request) {
  const token = request.headers.get('X-CSRF-Token')

  if (!csrf.verify(token)) {
    return NextResponse.json(
      { error: 'Invalid CSRF token' },
      { status: 403 }
    )
  }

  // Process request
}

SameSite Cookies

res.setHeader('Set-Cookie',
  `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)

Verification Steps

CSRF tokens on state-changing operations
SameSite=Strict on all cookies
Double-submit cookie pattern implemented

7. Rate Limiting

API Rate Limiting

import rateLimit from 'express-rate-limit'

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // 100 requests per window
  message: 'Too many requests'
})

// Apply to routes
app.use('/api/', limiter)

Expensive Operations

// Aggressive rate limiting for searches
const searchLimiter = rateLimit({
  windowMs: 60 * 1000, // 1 minute
  max: 10, // 10 requests per minute
  message: 'Too many search requests'
})

app.use('/api/search', searchLimiter)

Verification Steps

Rate limiting on all API endpoints
Stricter limits on expensive operations
IP-based rate limiting
User-based rate limiting (authenticated)

8. Sensitive Data Exposure

Logging

// ❌ WRONG: Logging sensitive data
console.log('User login:', { email, password })
console.log('Payment:', { cardNumber, cvv })

// ✅ CORRECT: Redact sensitive data
console.log('User login:', { email, userId })
console.log('Payment:', { last4: card.last4, userId })

Error Messages

// ❌ WRONG: Exposing internal details
catch (error) {
  return NextResponse.json(
    { error: error.message, stack: error.stack },
    { status: 500 }
  )
}

// ✅ CORRECT: Generic error messages
catch (error) {
  console.error('Internal error:', error)
  return NextResponse.json(
    { error: 'An error occurred. Please try again.' },
    { status: 500 }
  )
}

Verification Steps

No passwords, tokens, or secrets in logs
Error messages generic for users
Detailed errors only in server logs
No stack traces exposed to users

9. Blockchain Security (Solana)

Wallet Verification

import { verify } from '@solana/web3.js'

async function verifyWalletOwnership(
  publicKey: string,
  signature: string,
  message: string
) {
  try {
    const isValid = verify(
      Buffer.from(message),
      Buffer.from(signature, 'base64'),
      Buffer.from(publicKey, 'base64')
    )
    return isValid
  } catch (error) {
    return false
  }
}

Transaction Verification

async function verifyTransaction(transaction: Transaction) {
  // Verify recipient
  if (transaction.to !== expectedRecipient) {
    throw new Error('Invalid recipient')
  }

  // Verify amount
  if (transaction.amount > maxAmount) {
    throw new Error('Amount exceeds limit')
  }

  // Verify user has sufficient balance
  const balance = await getBalance(transaction.from)
  if (balance < transaction.amount) {
    throw new Error('Insufficient balance')
  }

  return true
}

Verification Steps

Wallet signatures verified
Transaction details validated
Balance checks before transactions
No blind transaction signing

10. Dependency Security

Regular Updates

# Check for vulnerabilities
npm audit

# Fix automatically fixable issues
npm audit fix

# Update dependencies
npm update

# Check for outdated packages
npm outdated

Lock Files

# ALWAYS commit lock files
git add package-lock.json

# Use in CI/CD for reproducible builds
npm ci  # Instead of npm install

Verification Steps

Dependencies up to date
No known vulnerabilities (npm audit clean)
Lock files committed
Dependabot enabled on GitHub
Regular security updates

Security Testing

Automated Security Tests

// Test authentication
test('requires authentication', async () => {
  const response = await fetch('/api/protected')
  expect(response.status).toBe(401)
})

// Test authorization
test('requires admin role', async () => {
  const response = await fetch('/api/admin', {
    headers: { Authorization: `Bearer ${userToken}` }
  })
  expect(response.status).toBe(403)
})

// Test input validation
test('rejects invalid input', async () => {
  const response = await fetch('/api/users', {
    method: 'POST',
    body: JSON.stringify({ email: 'not-an-email' })
  })
  expect(response.status).toBe(400)
})

// Test rate limiting
test('enforces rate limits', async () => {
  const requests = Array(101).fill(null).map(() =>
    fetch('/api/endpoint')
  )

  const responses = await Promise.all(requests)
  const tooManyRequests = responses.filter(r => r.status === 429)

  expect(tooManyRequests.length).toBeGreaterThan(0)
})

Pre-Deployment Security Checklist

Before ANY production deployment:

Secrets : No hardcoded secrets, all in env vars
Input Validation : All user inputs validated
SQL Injection : All queries parameterized
XSS : User content sanitized
CSRF : Protection enabled
Authentication : Proper token handling
Authorization : Role checks in place
Rate Limiting : Enabled on all endpoints
HTTPS : Enforced in production
Security Headers : CSP, X-Frame-Options configured
Error Handling : No sensitive data in errors
Logging : No sensitive data logged
Dependencies : Up to date, no vulnerabilities
Row Level Security : Enabled in Supabase
CORS : Properly configured
File Uploads : Validated (size, type)
Wallet Signatures : Verified (if blockchain)

Resources

Remember : Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.

Weekly Installs

1.9K

Repository

affaan-m/everyt…ude-code

GitHub Stars

69.1K

First Seen

Jan 20, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

opencode1.6K

codex1.5K

gemini-cli1.5K

github-copilot1.4K

claude-code1.4K

cursor1.3K

代码安全审查清单：密钥管理、SQL注入防护、身份验证最佳实践

🇨🇳中文介绍

安全审查技能

何时激活

安全检查清单

1. 密钥管理

❌ 绝对不要这样做

✅ 始终这样做

验证步骤

2. 输入验证

始终验证用户输入

相关 Skills

文件上传验证

验证步骤

3. SQL 注入防护

❌ 不要拼接 SQL

✅ 始终使用参数化查询

验证步骤

4. 身份验证与授权

JWT 令牌处理

授权检查

行级安全性（Supabase）

验证步骤

5. XSS 防护

清理 HTML

内容安全策略

验证步骤

6. CSRF 防护

CSRF 令牌

SameSite Cookies

验证步骤

7. 速率限制

API 速率限制

昂贵操作

验证步骤

8. 敏感数据暴露

日志记录

错误消息

验证步骤

9. 区块链安全（Solana）

钱包验证

交易验证

验证步骤

10. 依赖项安全

定期更新

锁定文件

验证步骤

安全测试

自动化安全测试

部署前安全检查清单

资源

🇺🇸English

Security Review Skill

When to Activate

Security Checklist

1. Secrets Management

❌ NEVER Do This

✅ ALWAYS Do This

Verification Steps

2. Input Validation

Always Validate User Input

File Upload Validation

Verification Steps

3. SQL Injection Prevention

❌ NEVER Concatenate SQL

✅ ALWAYS Use Parameterized Queries

Verification Steps

4. Authentication & Authorization

JWT Token Handling

Authorization Checks

Row Level Security (Supabase)

Verification Steps

5. XSS Prevention

Sanitize HTML

Content Security Policy

Verification Steps

6. CSRF Protection

CSRF Tokens

SameSite Cookies

Verification Steps