Web应用安全模式指南：OWASP Top 10防护、输入验证、身份认证与授权最佳实践

security-patterns by 0xdarkmatter/claude-mods

25 周安装量

16 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/0xdarkmatter/claude-mods --skill security-patterns

🇨🇳中文介绍

安全模式

Web 应用程序必备的安全模式。

OWASP Top 10 快速参考

排名	漏洞	防护措施
A01	失效的访问控制	服务端检查权限，默认拒绝
A02	加密机制失效	使用 TLS，哈希密码，加密敏感数据
A03	注入	参数化查询，验证输入
A04	不安全的设计	威胁建模，安全默认配置
A05	安全配置错误	强化配置，禁用未使用的功能
A06	易受攻击和过时的组件	更新依赖项，定期审计
A07	身份认证和授权失败	MFA，速率限制，安全的会话管理
A08	软件和数据完整性故障	验证签名，使用可信来源
A09	安全日志和监控故障	记录安全事件，保护日志

🇺🇸English

Security Patterns

Essential security patterns for web applications.

OWASP Top 10 Quick Reference

Rank	Vulnerability	Prevention
A01	Broken Access Control	Check permissions server-side, deny by default
A02	Cryptographic Failures	Use TLS, hash passwords, encrypt sensitive data
A03	Injection	Parameterized queries, validate input
A04	Insecure Design	Threat modeling, secure defaults
A05	Security Misconfiguration	Harden configs, disable unused features
A06	Vulnerable Components	Update dependencies, audit regularly
A07	Auth Failures	MFA, rate limiting, secure session management
A08

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

上下文	编码方式
HTML 正文	HTML 实体编码
HTML 属性	属性编码 + 引号
JavaScript	JS 编码
URL 参数	URL 编码
CSS	CSS 编码

身份验证检查清单

使用 bcrypt/argon2 哈希密码（成本因子 12+）
在登录处实施速率限制
使用安全的会话令牌（随机、长）
设置安全的 Cookie 标志（HttpOnly, Secure, SameSite）
在多次失败尝试后实施账户锁定
为敏感操作支持 MFA

# WRONG - Check only authentication
@login_required
def delete_post(post_id):
    post = Post.get(post_id)
    post.delete()

# CORRECT - Check authorization
@login_required
def delete_post(post_id):
    post = Post.get(post_id)
    if post.author_id != current_user.id and not current_user.is_admin:
        raise Forbidden("Not authorized to delete this post")
    post.delete()

# WRONG - Hardcoded secrets
API_KEY = "sk-1234567890abcdef"

# CORRECT - Environment variables
API_KEY = os.environ["API_KEY"]

# BETTER - Secrets manager
API_KEY = secrets_client.get_secret("api-key")

DO:
- Use environment variables or secrets manager
- Rotate secrets regularly
- Use different secrets per environment
- Audit secret access

DON'T:
- Commit secrets to git
- Log secrets
- Include secrets in error messages
- Share secrets in plain text

Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()

# Find hardcoded secrets
rg -i "(password|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]" --type py

# Find SQL injection risks
rg "execute\(f['\"]|format\(" --type py

# Find eval/exec usage
rg "\b(eval|exec)\s*\(" --type py

# Check for TODO security items
rg -i "TODO.*security|FIXME.*security"

./references/owasp-detailed.md - 完整的 OWASP Top 10 详情
./references/auth-patterns.md - JWT, OAuth, 会话管理
./references/crypto-patterns.md - 加密，哈希，签名
./references/secure-headers.md - HTTP 安全头部指南

./scripts/security-scan.sh - 快速安全 grep 模式
./scripts/dependency-audit.sh - 检查易受攻击的依赖项

# WRONG - Trust user input
def search(query):
    return db.execute(f"SELECT * FROM users WHERE name = '{query}'")

# CORRECT - Parameterized query
def search(query):
    return db.execute("SELECT * FROM users WHERE name = ?", [query])

Always validate:
- Type (string, int, email format)
- Length (min/max bounds)
- Range (numeric bounds)
- Format (regex for patterns)
- Allowlist (known good values)

Never trust:
- URL parameters
- Form data
- HTTP headers
- Cookies
- File uploads

// WRONG - Direct HTML insertion
element.innerHTML = userInput;

// CORRECT - Text content (auto-escapes)
element.textContent = userInput;

// CORRECT - Template with escaping
render(`<div>${escapeHtml(userInput)}</div>`);

Context	Encoding
HTML body	HTML entity encode
HTML attribute	Attribute encode + quote
JavaScript	JS encode
URL parameter	URL encode
CSS	CSS encode

# Password hashing (use bcrypt, argon2, or scrypt)
import bcrypt

def hash_password(password: str) -> bytes:
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

def verify_password(password: str, hashed: bytes) -> bool:
    return bcrypt.checkpw(password.encode(), hashed)

Hash passwords with bcrypt/argon2 (cost factor 12+)
Implement rate limiting on login
Use secure session tokens (random, long)
Set secure cookie flags (HttpOnly, Secure, SameSite)
Implement account lockout after failed attempts
Support MFA for sensitive operations

# WRONG - Check only authentication
@login_required
def delete_post(post_id):
    post = Post.get(post_id)
    post.delete()

# CORRECT - Check authorization
@login_required
def delete_post(post_id):
    post = Post.get(post_id)
    if post.author_id != current_user.id and not current_user.is_admin:
        raise Forbidden("Not authorized to delete this post")
    post.delete()

# WRONG - Hardcoded secrets
API_KEY = "sk-1234567890abcdef"

# CORRECT - Environment variables
API_KEY = os.environ["API_KEY"]

# BETTER - Secrets manager
API_KEY = secrets_client.get_secret("api-key")

Secret Handling Rules

DO:
- Use environment variables or secrets manager
- Rotate secrets regularly
- Use different secrets per environment
- Audit secret access

DON'T:
- Commit secrets to git
- Log secrets
- Include secrets in error messages
- Share secrets in plain text

Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()

Quick Security Audit

# Find hardcoded secrets
rg -i "(password|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]" --type py

# Find SQL injection risks
rg "execute\(f['\"]|format\(" --type py

# Find eval/exec usage
rg "\b(eval|exec)\s*\(" --type py

# Check for TODO security items
rg -i "TODO.*security|FIXME.*security"

Additional Resources

./references/owasp-detailed.md - Full OWASP Top 10 details
./references/auth-patterns.md - JWT, OAuth, session management
./references/crypto-patterns.md - Encryption, hashing, signatures
./references/secure-headers.md - HTTP security headers guide

./scripts/security-scan.sh - Quick security grep patterns
./scripts/dependency-audit.sh - Check for vulnerable dependencies

SEO与AEO最佳实践指南：优化内容适配传统搜索与AI答案引擎

Web应用安全模式指南：OWASP Top 10防护、输入验证、身份认证与授权最佳实践

🇨🇳中文介绍

安全模式

OWASP Top 10 快速参考

🇺🇸English

Security Patterns

OWASP Top 10 Quick Reference

相关 Skills

最新 Skills

输入验证

验证规则

输出编码

按上下文编码

身份验证

身份验证检查清单

授权

密钥管理

密钥处理规则

安全头部

快速安全审计

额外资源

脚本

Input Validation

Validation Rules

Output Encoding

Encoding by Context

Authentication

Auth Checklist

Authorization

Secrets Management

Secret Handling Rules

Security Headers

Quick Security Audit

Additional Resources

Scripts