安全设计模式：构建安全应用的架构模式与防御性编码实践指南

security-design-patterns by cincinnati-associates/skills

1 周安装量

GitHub

安装命令

npx skills add https://github.com/cincinnati-associates/skills --skill security-design-patterns

代码规范系统架构安全

🇨🇳中文介绍

安全设计模式

构建安全应用程序的安全架构模式和防御性编码实践。涵盖 TypeScript/Node.js、Python 和 Java 中的身份验证、授权、密码学、密钥管理、输入验证、速率限制和零信任架构。

主动模式

这些规则在设计和编写代码时自动应用。当您检测到以下任何模式时，请立即应用相应的指导。

JWT 处理

当您检测到 JWT 创建、验证或中间件时：

算法：拒绝 none 算法。优先使用 RS256 或 ES256 而非 HS256（HS256 需要共享密钥；非对称算法允许公钥分发）
有效期 ：访问令牌必须在 15 分钟或更短时间内过期。刷新令牌应使用轮换机制（每次使用都会签发新的刷新令牌并使旧的失效）
声明验证 ：始终验证 iss（签发者）、aud（受众）、exp（过期时间）、iat（签发时间）和 nbf（不早于）
存储：切勿将 JWT 存储在 localStorage 中（易受 XSS 攻击）。使用 HttpOnly cookie 或内存存储，并将刷新令牌放在 HttpOnly cookie 中

密码处理

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

中间件 / 拦截器顺序

当您检测到中间件或过滤器链配置时，强制执行此顺序：

速率限制（在任何处理之前阻止滥用）
CORS（尽早拒绝不允许的来源）
身份验证（识别调用者）
授权（检查权限）
输入验证（验证请求体/参数）
业务逻辑处理器

环境变量和配置

当您检测到配置加载或环境变量使用时：

验证密钥未在源代码中硬编码
验证 .env 文件是否在 .gitignore 中
如果密钥出现在 Docker 构建参数、CI 日志或客户端捆绑包中，则发出警告
对于生产环境，推荐使用密钥管理器（AWS Secrets Manager、GCP Secret Manager、HashiCorp Vault）

当您检测到会话或 cookie 配置时：

HttpOnly ：必须为 true（防止 JavaScript 访问）
Secure ：必须为 true（仅限 HTTPS）
SameSite ：使用 Strict（如果需要跨站 GET，则使用 Lax）。没有充分理由，切勿使用 None
Cookie 前缀 ：使用 __Host- 前缀以获得最高安全性
过期：会话应具有绝对超时（例如，24 小时）和空闲超时（例如，30 分钟）

当您检测到访问控制逻辑时：

验证资源级别的授权，而不仅仅是角色检查（防止 IDOR/BOLA）
确保经过身份验证的用户拥有或明确有权访问所请求的资源
在多租户系统中，验证每个查询的租户隔离
授权必须在服务器端进行，切勿仅依赖客户端检查

当您检测到 API 密钥处理时：

验证密钥未暴露在客户端代码中（前端捆绑包、移动应用）
密钥应支持不停机轮换（在过渡期间接受旧密钥和新密钥）
对存储的 API 密钥进行哈希处理（它们是密钥，类似于密码）
使用具有最小权限的范围化密钥

涉及用户输入的文件操作

当您检测到从用户输入构建文件路径时：

拒绝路径遍历模式（../、..\\、空字节）
使用 path.resolve() 并验证结果在允许的目录内
切勿在未经清理的情况下将用户输入直接传递给 fs 操作或 open()

HTTP 客户端调用

当您检测到使用用户输入构造传出 HTTP 请求时：

警告 SSRF（服务器端请求伪造）
验证并允许列出目标 URL/域名
阻止对内部/私有 IP 范围的请求（127.0.0.0/8、10.0.0.0/8、172.16.0.0/12、192.168.0.0/16、169.254.169.254）
不要盲目跟随重定向（重定向可能针对内部服务）

当明确要求执行安全审计时，评估以下领域并生成报告。

身份验证架构
- 身份验证流程（OAuth/OIDC、基于会话、API 密钥）
- 令牌管理（签发、验证、撤销、轮换）
- 多因素身份验证支持
- 密码策略和存储
授权模型
- 访问控制类型（RBAC、ABAC、ReBAC）
- 资源级别授权检查
- 租户隔离（如果是多租户）
- 默认拒绝策略
数据保护
- 静态数据加密（数据库、文件存储）
- 传输中加密（TLS 1.2+）
- PII 处理与最小化
- 数据保留与删除
基础设施模式
- 所有公共端点的速率限制
- 安全标头（CSP、HSTS 等）
- CORS 配置
- TLS 证书管理
密钥管理
- 存储机制（KMS、密钥管理器、环境变量）
- 轮换策略和能力
- 访问审计跟踪
- 源代码中无硬编码密钥
安全开发生命周期
- 依赖项扫描（SCA）
- 静态分析（SAST）
- CI 中的密钥扫描
- 容器镜像扫描

# 安全架构报告

## 摘要
整体态势：[良好 / 需要改进 / 存在关键缺陷]
日期：YYYY-MM-DD
范围：[审查的内容]

## 发现

### 身份验证
- [评级] 发现描述
  - 当前状态：...
  - 建议：...

### 授权
- [评级] 发现描述
  - 当前状态：...
  - 建议：...

### 数据保护
- [评级] 发现描述
  - 当前状态：...
  - 建议：...

### 基础设施
- [评级] 发现描述
  - 当前状态：...
  - 建议：...

### 密钥管理
- [评级] 发现描述
  - 当前状态：...
  - 建议：...

### SDLC 安全
- [评级] 发现描述
  - 当前状态：...
  - 建议：...

## 优先行动项
1. [关键] ...
2. [高] ...
3. [中] ...

## 评级说明
- 通过：控制措施已正确实施
- 警告：部分实施或可改进
- 失败：缺失或存在严重错误配置

references/auth-patterns.md — 包含代码示例的身份验证和授权模式
references/defensive-patterns.md — 输入验证、速率限制、CSRF、安全标头、错误处理
references/crypto-secrets.md — 面向开发者的密码学和密钥管理
references/architecture.md — 零信任、纵深防御、威胁建模、安全 SDLC

🇺🇸English

Security Design Patterns

Security architecture patterns and defensive coding practices for building secure applications. Covers authentication, authorization, cryptography, secrets management, input validation, rate limiting, and zero trust architecture across TypeScript/Node.js, Python, and Java.

Proactive Mode

These rules apply automatically while designing or writing code. When you detect any of the following patterns, apply the corresponding guidance immediately.

JWT Handling

When you detect JWT creation, validation, or middleware:

Algorithm : Reject none algorithm. Prefer RS256 or ES256 over HS256 (HS256 requires shared secrets; asymmetric algorithms allow public key distribution)
Expiry : Access tokens must expire in 15 minutes or less. Refresh tokens should use rotation (each use issues a new refresh token and invalidates the old one)
Claims validation : Always validate iss (issuer), aud (audience), exp (expiry), iat (issued at), and nbf (not before)
Storage : Never store JWTs in localStorage (XSS-vulnerable). Use HttpOnly cookies or in-memory with refresh token in HttpOnly cookie

Password Handling

When you detect password storage, comparison, or reset logic:

Hashing : Use Argon2id (preferred) or bcrypt. Never SHA-256, SHA-1, MD5, or plaintext
Salt : Must be unique per password. Argon2 and bcrypt handle this automatically
Complexity : Follow NIST SP 800-63B: minimum 8 characters, check against breached password lists, no arbitrary composition rules
Transmission : Always over HTTPS. Never log passwords, even hashed

CORS Configuration

When you detect CORS setup:

Never use origin: '*' with credentials: true (browsers block this, but misconfigured proxies may not)
Use an explicit allowlist of origins
Restrict Access-Control-Allow-Methods to only what is needed
Set Access-Control-Max-Age to cache preflight responses

Middleware / Interceptor Order

When you detect middleware or filter chain configuration, enforce this order:

Rate limiting (block abuse before any processing)
CORS (reject disallowed origins early)
Authentication (identify the caller)
Authorization (check permissions)
Input validation (validate the request body/params)
Business logic handler

Environment Variables and Configuration

When you detect config loading or environment variable usage:

Verify secrets are not hardcoded in source code
Verify .env files are in .gitignore
Warn if secrets appear in Docker build args, CI logs, or client-side bundles
Recommend a secret manager for production (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault)

Session Management

When you detect session or cookie configuration:

HttpOnly : Must be true (prevents JavaScript access)
Secure : Must be true (HTTPS only)
SameSite : Use Strict (or Lax if cross-site GET is needed). Never None without a strong reason
Cookie prefix : Use __Host- prefix for maximum security
Expiry : Sessions should have absolute timeout (e.g., 24h) and idle timeout (e.g., 30min)

Authorization Checks

When you detect access control logic:

Verify resource-level authorization, not just role checks (prevents IDOR/BOLA)
Ensure the authenticated user owns or has explicit access to the requested resource
In multi-tenant systems, verify tenant isolation on every query
Authorization must happen server-side, never rely on client-side checks alone

API Key Usage

When you detect API key handling:

Verify keys are not exposed in client-side code (frontend bundles, mobile apps)
Keys should support rotation without downtime (accept old + new during transition)
Hash stored API keys (they are secrets, like passwords)
Use scoped keys with minimal permissions

File Operations with User Input

When you detect file path construction from user input:

Reject path traversal patterns (../, ..\\, null bytes)
Use path.resolve() and verify the result is within the allowed directory
Never pass user input directly to fs operations or open() without sanitization

HTTP Client Calls

When you detect outgoing HTTP requests constructed with user input:

Warn about SSRF (Server-Side Request Forgery)
Validate and allowlist target URLs/domains
Block requests to internal/private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254)
Do not follow redirects blindly (redirects can target internal services)

Audit Mode

When explicitly asked to perform a security audit, evaluate the following areas and generate a report.

Audit Checklist

Authentication Architecture
- Auth flows (OAuth/OIDC, session-based, API keys)
- Token management (issuance, validation, revocation, rotation)
- Multi-factor authentication support
- Password policies and storage
Authorization Model
- Access control type (RBAC, ABAC, ReBAC)
- Resource-level authorization checks
- Tenant isolation (if multi-tenant)
- Default deny posture
Data Protection
- Encryption at rest (database, file storage)
- Encryption in transit (TLS 1.2+)
- PII handling and minimization
- Data retention and deletion
Infrastructure Patterns
- Rate limiting on all public endpoints
- Security headers (CSP, HSTS, etc.)
- CORS configuration
- TLS certificate management
Secrets Management
- Storage mechanism (KMS, secret manager, env vars)
- Rotation policy and capability
- Access audit trail
- No hardcoded secrets in source
Secure Development Lifecycle
- Dependency scanning (SCA)
- Static analysis (SAST)

Security Report Template

# Security Architecture Report

## Summary
Overall posture: [Strong / Needs Improvement / Critical Gaps]
Date: YYYY-MM-DD
Scope: [what was reviewed]

## Findings

### Authentication
- [rating] Description of finding
  - Current state: ...
  - Recommendation: ...

### Authorization
- [rating] Description of finding
  - Current state: ...
  - Recommendation: ...

### Data Protection
- [rating] Description of finding
  - Current state: ...
  - Recommendation: ...

### Infrastructure
- [rating] Description of finding
  - Current state: ...
  - Recommendation: ...

### Secrets Management
- [rating] Description of finding
  - Current state: ...
  - Recommendation: ...

### SDLC Security
- [rating] Description of finding
  - Current state: ...
  - Recommendation: ...

## Priority Actions
1. [Critical] ...
2. [High] ...
3. [Medium] ...

## Rating Key
- Pass: Control is properly implemented
- Warning: Partially implemented or could be improved
- Fail: Missing or critically misconfigured

Reference Files

references/auth-patterns.md — Authentication and authorization patterns with code examples
references/defensive-patterns.md — Input validation, rate limiting, CSRF, security headers, error handling
references/crypto-secrets.md — Cryptography for developers and secrets management
references/architecture.md — Zero trust, defense in depth, threat modeling, secure SDLC

Weekly Installs

Repository

cincinnati-asso…s/skills

First Seen

1 day ago

Security Audits

Gen Agent Trust HubPass SnykPass

Installed on

amp1

cline1

opencode1

cursor1

kimi-cli1

codex1

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

28,800 周安装

Secret scanning in CI

Container image scanning