JavaScript/TypeScript应用安全最佳实践：OWASP审计与漏洞检测指南

accelint-security-best-practices by gohypergiant/agent-skills

118 周安装量

7 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/gohypergiant/agent-skills --skill accelint-security-best-practices

JavaScript 框架代码质量安全

🇨🇳中文介绍

安全最佳实践

针对 JavaScript/TypeScript 应用程序的系统化安全审计和漏洞检测。将审计工作流程与 OWASP Top 10 安全模式相结合，以生成生产就绪的代码。

框架无关指导：此技能提供适用于各种框架（Express、Fastify、Nest.js、Next.js 等）的安全原则。代码示例使用通用模式说明概念——请根据您项目的特定框架和包管理器（npm、yarn、pnpm、bun）进行调整。

实施安全时绝对不要做的事

注意： 对于通用最佳实践（类型安全、代码质量、文档），请使用相应的 accelint 技能。本节专门关注安全特定的反模式。

绝对不要硬编码密钥 - 源代码中的 API 密钥、令牌、密码或凭证在推送到版本控制系统时会立即泄露。即使是私有仓库，也会通过员工流动、第三方访问和 git 历史记录泄露密钥。在 2024 年的违规分析中，47% 的暴露凭证来自意外提交然后“删除”的 .env 文件（但仍保留在 git 历史记录中）。攻击者会在推送后的几分钟内扫描公共 GitHub 提交。请务必使用环境变量。
绝对不要信任用户输入 - 使用涵盖类型、格式、大小和内容的模式（Zod、Joi）进行验证。
绝对不要将用户输入拼接到查询中 - 务必使用参数化查询、ORM 或预处理语句。在 SQL、NoSQL 或 shell 命令中进行字符串拼接会导致注入攻击。
绝对不要在 localStorage 中存储敏感数据 - localStorage 容易受到 XSS 攻击，恶意脚本会窃取令牌。localStorage 中的 JWT 令牌、会话 ID 或凭证会在会话间持续存在，并且任何 JavaScript 代码都可以访问。请对身份验证令牌使用 httpOnly cookie。
绝对不要跳过授权检查 - 身份验证验证身份；授权验证权限。攻击者会操纵 ID、跳过身份验证或猜测 URL。每个访问资源的端点都必须验证请求用户是否拥有该资源或具有适当的角色。
绝对不要向用户暴露详细错误信息 - 在服务器端记录日志，返回通用消息。堆栈跟踪会泄露架构信息用于侦察。
绝对不要使用 Array.includes() 进行权限检查 - 包含 100 多个角色的权限数组存在 O(n) 查找时间和类型安全问题。使用 Set.has() 实现 O(1) 查找，或使用具有适当类型检查的基于角色的访问控制（RBAC）。

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

实施安全之前，请先自问

应用这些测试以确保全面的安全覆盖：

攻击面是什么？ 识别用户输入进入系统的所有点（表单、API、文件上传、URL）
最坏的情况是什么？ 考虑数据泄露、未经授权的访问、服务中断或财务损失
攻击者是谁？ 脚本小子利用已知漏洞；复杂的攻击者会串联多个弱点

我是否在所有受保护的路由上设置了身份验证？ 公共 API 可能是有意为之，但请验证每个端点的访问策略
授权检查是否在操作之前进行？ 在读取、写入或删除资源之前验证所有权/权限
是否验证了所有用户输入？ 在处理之前使用模式检查类型、格式、大小和内容

是否存在单点故障？ 分层防御，以便一次绕过不会危及整个系统
错误是否得到妥善处理？ 未处理的错误会泄露信息；正确处理可以保持安全态势
日志记录是否足以用于审计跟踪？ 必须记录安全事件（登录尝试、访问拒绝、可疑模式）以便进行事件响应

此技能使用渐进式披露来最小化上下文使用：

1. 从工作流程开始（SKILL.md）

遵循下面的 4 阶段审计工作流程进行系统化的安全分析。

2. 参考安全规则概览（AGENTS.md）

加载 AGENTS.md 以扫描按类别组织的压缩安全规则摘要。

3. 根据需要加载特定的安全模式

当您识别出特定的安全问题时，加载相应的参考文件以获取详细的 ❌/✅ 示例。

4. 使用报告模板

当调用此技能时，请使用标准化的报告格式：

安全审计工作流程

两种操作模式：

审计模式 - 直接调用技能（/accelint-security-best-practices <路径>）或用户明确请求安全审计
- 使用模板生成结构化审计报告（仅第 1-2 阶段）
- 报告发现的问题供用户审核后再实施
- 用户决定应用哪些安全修复
实施模式 - 在功能开发期间技能自动触发
- 直接识别并应用安全修复（所有 4 个阶段）
- 无需正式报告
- 专注于内联修复漏洞

复制此清单以跟踪进度：

- [ ] 阶段 1：发现 - 通过系统化代码分析识别安全漏洞
- [ ] 阶段 2：分类 - 按 OWASP 类别和严重性对问题进行分类
- [ ] 阶段 3：修复 - 应用 references/ 中的安全模式
- [ ] 阶段 4：验证 - 验证修复并确认漏洞已关闭

阶段 1：发现安全漏洞

关键：审计所有代码以查找安全漏洞。 不要基于对暴露程度的假设而跳过代码。内部实用程序、助手和数据转换经常通过 API、文件上传或用户交互暴露，即使它们的实现看起来是隔离的。

执行系统化的静态代码分析以识别所有安全反模式：

硬编码的密钥（API 密钥、密码、令牌）
缺少输入验证（用户数据、文件上传、API 响应）
注入漏洞（SQL、NoSQL、命令、XSS）
访问控制失效（缺少身份验证、无所有权检查、IDOR）
不安全的身份验证（localStorage 中的令牌、弱会话管理）
缺少速率限制（身份验证端点、昂贵操作）
敏感数据暴露（日志、错误消息、客户端响应）
安全配置错误（默认配置、缺少标头、宽松的 CORS）
易受攻击的依赖项（过时的包、已知的 CVE）
缺少 CSRF 保护（状态更改操作）
SSRF 漏洞（未经验证的 URL 获取）

输出： 所有已识别漏洞的完整列表，包括其位置、严重性和 OWASP 类别。不要基于“可能性”进行过滤——报告发现的所有内容。

阶段 2：分类和评估风险

对于阶段 1 中识别的每一个漏洞，按 OWASP 类别和严重性进行分类：

按 OWASP Top 10 类别对所有漏洞进行分类：

OWASP 类别	常见问题	严重性范围
A01：访问控制失效	缺少身份验证、无所有权检查、IDOR	严重-高
A02：加密机制失效	硬编码密钥、弱哈希、不安全存储	严重-中
A03：注入	SQL、NoSQL、命令、XSS 漏洞	严重-高
A04：不安全设计	缺少速率限制、无输入验证	高-中
A05：安全配置错误	默认配置、缺少标头、生产环境中的开发模式	高-低
A06：易受攻击的组件	过时的依赖项、已知的 CVE	严重-低
A07：身份验证失效	弱会话管理、无 MFA、凭证填充	严重-高
A08：数据完整性失效	缺少 CSRF、未签名的更新	高-中
A09：日志记录失效	无安全日志记录、监控不足	中-低
A10：SSRF	未经验证的 URL 获取、内部网络访问	高-中

严重性级别：

严重：直接导致数据泄露、远程代码执行或完全系统被攻陷的路径
- 示例：SQL 注入、硬编码的生产密钥、管理端点无身份验证
高：很可能导致未经授权的访问、数据窃取或服务中断
- 示例：缺少授权检查、XSS 漏洞、不安全的会话管理
中：在特定条件下或与其他漏洞串联时可能被利用
- 示例：缺少速率限制、弱 CORS 策略、日志记录不足
低：纵深防御改进、最佳实践或边缘情况保护
- 示例：缺少安全标头、过于详细的错误消息

漏洞映射快速参考：

加载 references/quick-reference.md 以获取详细的漏洞到类别映射和反模式检测。

输出： 所有漏洞的分类列表，包括其 OWASP 类别和严重性级别。不要过滤或优先排序——列出阶段 1 中发现的所有内容。

阶段 3：使用安全模式进行修复

步骤 1： 从阶段 2 的分析中确定您的漏洞类别。

步骤 2： 为您的类别加载必读参考文件。完整阅读每个文件，无范围限制。

类别	必读文件	可选	不要加载
密钥管理	secrets-management.md	—	所有其他
输入验证	input-validation.md	file-uploads.md（用于文件上传功能）	密钥、身份验证
注入防护	injection-prevention.md	—	输入验证、XSS
身份验证	authentication.md	mfa.md（用于多因素身份验证功能）	授权、密钥
授权	authorization.md	—	身份验证
XSS 防护	xss-prevention.md	—	注入、CSRF
CSRF 防护	csrf-protection.md	—	XSS、身份验证
速率限制	rate-limiting.md	—	身份验证、注入
敏感数据	sensitive-data.md	—	密钥、日志记录
依赖项安全	dependency-security.md	—	所有其他
安全标头	security-headers.md	—	XSS、CSRF
SSRF 防护	ssrf-prevention.md	—	注入、输入验证

如果漏洞涉及多个类别，请加载所有相关类别的参考文件
安全模式是累积的——通过处理所有类别来应用纵深防御
在实施特定功能（文件上传、MFA 等）时加载可选文件

步骤 3：在修复期间扫描快速参考

加载 AGENTS.md 以查看按类别组织的压缩安全规则摘要。在实施上述详细参考文件中的模式时，用作快速查找。

系统地应用模式：

加载已识别漏洞类别的参考文件
扫描 ❌/✅ 示例以找到匹配的模式
应用安全修复，确保纵深防御
添加注释 解释安全考虑并引用模式

// ❌ 之前：SQL 注入漏洞
const query = `SELECT * FROM users WHERE email = '${email}'`;
const user = await db.query(query);

// ✅ 之后：参数化查询防止注入
// 安全：injection-prevention.md - 参数化查询
const user = await db.query(
  'SELECT * FROM users WHERE email = $1',
  [email]
);

阶段 4：验证安全修复

验证漏洞是否已关闭：

审查代码以确认漏洞已完全解决
验证修复没有引入新的漏洞
检查纵深防御——是否有多个层保护关键资源？

运行现有的测试套件——所有测试必须通过
为漏洞添加特定于安全的测试
对于严重漏洞，考虑进行渗透测试

记录安全修复：

// 应用的安全修复：2026-02-01
// 漏洞：通过 email 参数进行 SQL 注入（严重）
// OWASP 类别：A03 - 注入
// 模式：injection-prevention.md - 参数化查询
// 已验证：所有测试通过，手动 SQL 注入尝试被阻止

决定是否部署修复：

严重漏洞： 立即部署，必要时使用紧急流程
高漏洞： 在下一个发布周期内部署（几天内，不是几周）
中漏洞： 在下一个计划发布时部署
低漏洞： 在方便时部署或与其他安全改进一起批量处理

如果测试失败： 修复安全实现或寻找替代解决方案。安全修复不应破坏功能。

常见的实施陷阱

安全修复有时会与现有功能冲突。以下是常见场景的专家解决方案：

问题	❌ 错误方法	✅ 正确方法
参数化查询破坏了动态列排序	添加 try-catch，回退到拼接	使用列名白名单：`const allowed = ['name', 'email', 'created_at']; if (!allowed.includes(column)) throw Error;` 然后安全地拼接
速率限制破坏了负载测试	在测试环境中禁用速率限制	基于环境检测，为测试使用单独的速率限制配置
CSRF 令牌破坏了 API 集成测试	在测试中跳过 CSRF 验证	在测试设置中使用您的 CSRF 库的令牌生成函数生成有效的 CSRF 令牌
输入验证拒绝了合法的边缘情况	放宽验证规则	调查边缘情况——它是否合法？如果是，更新模式。如果不是，拒绝它。真实用户不应该遇到验证错误。
授权检查破坏了管理员模拟	为管理员用户跳过授权检查	实施适当的模拟：管理员获取具有目标用户权限的临时令牌，并记录日志以供审计
HTTPOnly cookie 破坏了移动应用身份验证	为移动设备将令牌存储在 localStorage 中	使用安全的令牌存储：iOS 钥匙串、Android 密钥库或平台特定的安全存储 API

当安全与功能冲突时

优先级顺序：

绝不妥协严重漏洞（SQL 注入、硬编码密钥、缺少身份验证）——寻找替代架构
高漏洞 如果有适当的文档记录并用其他控制措施补偿，可以做出轻微权衡
中/低漏洞 如果业务理由充分且风险被接受，可以推迟

权衡的文档要求：

// 记录的安全权衡：2026-02-01
// 问题：速率限制破坏了来自可信合作伙伴的 webhook 接收
// 决定：将合作伙伴 IP 范围从速率限制中豁免
// 补偿控制措施：
//   - 严格维护 IP 白名单（仅 2 个合作伙伴 IP）
//   - 对合作伙伴流量进行单独监控
//   - 每日手动审查合作伙伴流量
//   - 计划在 30 天内审查以实施替代解决方案
// 风险接受者：[姓名]，[职位]

根据漏洞严重性校准指导的具体性：

漏洞严重性	自由度级别	指导格式	示例
严重（数据泄露、RCE）	低自由度	来自参考的精确模式，无偏差	"使用参数化查询：`db.query('SELECT * FROM users WHERE id = $1', [id])`"
高（未经授权的访问）	中自由度	带有示例的模式，验证覆盖范围	"在资源访问之前实施 RBAC 或所有权检查"
中（纵深防御）	中自由度	多种有效方法，根据架构选择	"使用 express-rate-limit 进行速率限制或实施自定义中间件"
低（最佳实践）	高自由度	通用指导，实施方式各异	"考虑添加安全标头以进行纵深防御"

测试： "严重性和影响范围是什么？"

严重/高严重性 → 低自由度，使用精确模式以防止错误
中严重性 → 中自由度，使用经过验证的方法
低严重性 → 高自由度，使用通用最佳实践

审计一切的理念 - 审计所有代码以查找安全漏洞。内部实用程序、助手和数据转换经常通过 API 或用户交互暴露，即使它们看起来是隔离的。不要对安全边界做出假设。
报告所有发现 - 执行系统化的静态分析以识别和报告所有漏洞及其严重性和 OWASP 类别。不要基于“被利用的可能性”进行过滤。
参考文件具有权威性 - references/ 中的模式遵循 OWASP 最佳实践。除非安全要求另有规定，否则请严格遵循。
纵深防御 - 分层安全控制，使单个漏洞不会危及整个系统。身份验证 + 授权 + 输入验证 + 速率限制。
安全测试 - 安全修复需要使用恶意输入和边缘情况进行测试。在部署之前为攻击场景添加测试。
事件响应 - 安全日志记录和监控能够检测和响应攻击。记录所有安全事件，并包含足够的细节以供调查。

使用此表快速识别适用的安全类别和适当的严重性。

审计一切：识别代码中的所有安全漏洞，无论当前暴露程度如何。报告所有发现及其严重性和 OWASP 类别。

如果您看到...	漏洞类型	OWASP 类别	典型严重性
源代码中的 API 密钥、密码或令牌	硬编码密钥	A02：加密机制失效	严重
用户输入直接出现在 SQL/NoSQL 查询中	注入漏洞	A03：注入	严重
受保护的路由上缺少 `authenticate` 中间件	缺少身份验证	A01：访问控制失效	严重
在资源访问之前缺少所有权/权限检查	缺少授权	A01：访问控制失效	高
JWT 令牌在 `localStorage.setItem()` 中	不安全的令牌存储	A07：身份验证失效	高
用户输入没有模式验证	缺少输入验证	A04：不安全设计	高
`/api/login` 或 `/api/register` 上没有速率限制	缺少速率限制	A04：不安全设计	高
`dangerouslySetInnerHTML` 没有清理	XSS 漏洞	A03：注入	高
状态更改操作没有 CSRF 令牌	缺少 CSRF 保护	A08：数据完整性失效	高
`console.log()` 中的密码、令牌或个人身份信息	日志中的敏感数据	A09：日志记录失效	中
发送给用户的堆栈跟踪或数据库错误	信息泄露	A05：安全配置错误	中
`npm audit` 显示漏洞	易受攻击的依赖项	A06：易受攻击的组件	严重-低（可变）
`fetch(userProvidedUrl)` 没有验证	SSRF 漏洞	A10：SSRF	高
缺少安全标头（CSP、HSTS）	缺少安全标头	A05：安全配置错误	中
顺序用户 ID 没有所有权检查	IDOR 漏洞	A01：访问控制失效	高
生产环境中的 `CORS: *`	宽松的 CORS	A05：安全配置错误	中
缺少 `process.env.NODE_ENV !== 'production'` 检查	生产环境中的开发模式	A05：安全配置错误	中-低

如何使用此表：

从代码审查中识别模式
在“如果您看到...”列中找到匹配的行
记下 OWASP 类别和典型严重性
跳转到阶段 3 中相应的安全类别
为该类别加载必读参考文件

2026 年 2 月 8 日

🇺🇸English

Security Best Practices

Systematic security auditing and vulnerability detection for JavaScript/TypeScript applications. Combines audit workflow with OWASP Top 10 security patterns for production-ready code.

Framework-Agnostic Guidance : This skill provides security principles applicable across frameworks (Express, Fastify, Nest.js, Next.js, etc.). Code examples illustrate concepts using common patterns—adapt them to your project's specific framework and package manager (npm, yarn, pnpm, bun).

NEVER Do When Implementing Security

Note: For general best practices (type safety, code quality, documentation), use the respective accelint skills. This section focuses exclusively on security-specific anti-patterns.

NEVER hardcode secrets - API keys, tokens, passwords, or credentials in source code are immediately compromised when pushed to version control. Even private repositories leak secrets through employee turnover, third-party access, and git history. In 2024 breach analysis, 47% of exposed credentials came from .env files accidentally committed then 'deleted' (but preserved in git history). Attackers scan public GitHub commits within minutes of push. Use environment variables exclusively.
NEVER trust user input - Validate with schemas (Zod, Joi) covering type, format, size, and content.
NEVER concatenate user input into queries - Use parameterized queries, ORMs, or prepared statements exclusively. String concatenation in SQL, NoSQL, or shell commands enables injection attacks.
NEVER store sensitive data in localStorage - localStorage is vulnerable to XSS attacks where malicious scripts steal tokens. JWT tokens, session IDs, or credentials in localStorage persist across sessions and are accessible to any JavaScript code. Use httpOnly cookies for auth tokens.
NEVER skip authorization checks - Authentication verifies identity; authorization verifies permission. Attackers will manipulate IDs, skip authentication, or guess URLs. Every endpoint accessing resources must verify the requesting user owns that resource or has appropriate role.
NEVER expose detailed errors to users - Log server-side, return generic messages. Stack traces leak architecture for reconnaissance.
NEVER use Array.includes() for permission checks - Permission arrays with 100+ roles suffer O(n) lookup time and type safety issues. Use Set.has() for O(1) lookup or role-based access control (RBAC) with proper type checking.
NEVER skip rate limiting on APIs - Unlimited API requests enable brute force attacks (1000 password attempts/second), denial of service (exhaust server resources), or data scraping (enumerate all users/resources). Apply rate limits to all endpoints, with stricter limits on authentication and expensive operations.
NEVER log sensitive data - Passwords, tokens, credit cards, or personal information in logs persist in log aggregation systems, backups, and third-party services. Logs are accessible to more people than the application itself. Redact sensitive fields before logging.
NEVER use default configurations in production - Default secrets, disabled security headers, permissive CORS, or development modes in production create known vulnerabilities. Attackers scan for defaults. Harden all configurations for production environments.

Before Implementing Security, Ask

Apply these tests to ensure comprehensive security coverage:

Threat Assessment

What's the attack surface? Identify all points where user input enters the system (forms, APIs, file uploads, URLs)
What's the worst-case scenario? Consider data breaches, unauthorized access, service disruption, or financial loss
Who are the attackers? Script kiddies exploit known vulnerabilities; sophisticated attackers chain multiple weaknesses

Compliance Verification

Do I have authentication on all protected routes? Public APIs may be intentional, but verify each endpoint's access policy
Are authorization checks before operations? Verify ownership/permissions before reading, writing, or deleting resources
Is all user input validated? Check type, format, size, and content with schemas before processing

Defense in Depth

Is there a single point of failure? Layer defenses so one bypass doesn't compromise entire system
Are errors handled gracefully? Unhandled errors leak information; proper handling maintains security posture
Is logging sufficient for audit trails? Security events (login attempts, access denials, suspicious patterns) must be logged for incident response

How to Use

This skill uses progressive disclosure to minimize context usage:

1. Start with the Workflow (SKILL.md)

Follow the 4-phase audit workflow below for systematic security analysis.

2. Reference Security Rules Overview (AGENTS.md)

Load AGENTS.md to scan compressed security rule summaries organized by category.

3. Load Specific Security Patterns as Needed

When you identify specific security issues, load corresponding reference files for detailed ❌/✅ examples.

4. Use the Report Template

When this skill is invoked, use the standardized report format:

Template: assets/output-report-template.md

Security Audit Workflow

Two modes of operation:

Audit Mode - Skill invoked directly (/accelint-security-best-practices <path>) or user explicitly requests security audit
- Generate a structured audit report using the template (Phases 1-2 only)
- Report findings for user review before implementation
- User decides which security fixes to apply
Implementation Mode - Skill triggers automatically during feature work
- Identify and apply security fixes directly (all 4 phases)
- No formal report needed
- Focus on fixing vulnerabilities inline

Copy this checklist to track progress:

- [ ] Phase 1: Discover - Identify security vulnerabilities through systematic code analysis
- [ ] Phase 2: Categorize - Classify issues by OWASP category and severity
- [ ] Phase 3: Remediate - Apply security patterns from references/
- [ ] Phase 4: Verify - Validate fixes and confirm vulnerability closure

Phase 1: Discover Security Vulnerabilities

CRITICAL: Audit ALL code for security vulnerabilities. Do not skip code based on assumptions about exposure. Internal utilities, helpers, and data transformations are frequently exposed through APIs, file uploads, or user interactions even if their implementation appears isolated.

Perform systematic static code analysis to identify ALL security anti-patterns:

Hardcoded secrets (API keys, passwords, tokens)
Missing input validation (user data, file uploads, API responses)
Injection vulnerabilities (SQL, NoSQL, Command, XSS)
Broken access control (missing auth, no ownership checks, IDOR)
Insecure authentication (tokens in localStorage, weak session management)
Missing rate limiting (auth endpoints, expensive operations)
Sensitive data exposure (logs, error messages, client responses)
Security misconfiguration (default configs, missing headers, permissive CORS)
Vulnerable dependencies (outdated packages, known CVEs)
Missing CSRF protection (state-changing operations)
SSRF vulnerabilities (unvalidated URL fetching)

Output : Complete list of ALL identified vulnerabilities with their locations, severity, and OWASP category. Do not filter based on "likelihood" - report everything found.

Phase 2: Categorize and Assess Risk

For EVERY vulnerability identified in Phase 1, categorize by OWASP category and severity:

Categorize ALL vulnerabilities by OWASP Top 10 category:

OWASP Category	Common Issues	Severity Range
A01: Broken Access Control	Missing auth, no ownership checks, IDOR	Critical-High
A02: Cryptographic Failures	Hardcoded secrets, weak hashing, insecure storage	Critical-Medium
A03: Injection	SQL, NoSQL, Command, XSS vulnerabilities	Critical-High
A04: Insecure Design	Missing rate limiting, no input validation	High-Medium
A05: Security Misconfiguration	Default configs, missing headers, dev mode in prod	High-Low
A06: Vulnerable Components	Outdated dependencies, known CVEs	Critical-Low
A07: Auth Failures	Weak session management, no MFA, credential stuffing	Critical-High
A08: Data Integrity Failures	Missing CSRF, unsigned updates	High-Medium
A09: Logging Failures

Severity Levels:

Critical : Direct path to data breach, remote code execution, or complete system compromise
- Examples: SQL injection, hardcoded production secrets, no authentication on admin endpoints
High : Likely to enable unauthorized access, data theft, or service disruption
- Examples: Missing authorization checks, XSS vulnerabilities, insecure session management
Medium : Could be exploited with specific conditions or chained with other vulnerabilities
- Examples: Missing rate limiting, weak CORS policy, insufficient logging
Low : Defense-in-depth improvements, best practices, or edge case protections
- Examples: Missing security headers, overly detailed error messages

Quick reference for mapping vulnerabilities:

Load references/quick-reference.md for detailed vulnerability-to-category mapping and anti-pattern detection.

Output: Categorized list of ALL vulnerabilities with their OWASP categories and severity levels. Do not filter or prioritize - list everything found in Phase 1.

Phase 3: Remediate Using Security Patterns

Step 1: Identify your vulnerability category from Phase 2 analysis.

Step 2 : Load MANDATORY references for your category. Read each file completely with no range limits.

Category	MANDATORY Files	Optional	Do NOT Load
Secrets Management	secrets-management.md	—	all others
Input Validation	input-validation.md	file-uploads.md (for file upload features)	secrets, auth
Injection Prevention	injection-prevention.md	—	input validation, XSS
Authentication	authentication.md	mfa.md (for multi-factor auth features)	authorization, secrets
Authorization	authorization.md	—	authentication
XSS Prevention	xss-prevention.md	—

Notes :

If vulnerability spans multiple categories, load references for all relevant categories
Security patterns are cumulative - apply defense in depth by addressing all categories
Load optional files when implementing specific features (file uploads, MFA, etc.)

Step 3: Scan for quick reference during remediation

Load AGENTS.md to see compressed security rule summaries organized by category. Use as a quick lookup while implementing patterns from the detailed reference files above.

Apply patterns systematically:

Load the reference file for the identified vulnerability category
Scan the ❌/✅ examples to find matching patterns
Apply the security fix ensuring defense in depth
Add comments explaining the security consideration and referencing the pattern

Example remediation:

// ❌ Before: SQL Injection vulnerability
const query = `SELECT * FROM users WHERE email = '${email}'`;
const user = await db.query(query);

// ✅ After: Parameterized query prevents injection
// Security: injection-prevention.md - parameterized queries
const user = await db.query(
  'SELECT * FROM users WHERE email = $1',
  [email]
);

Phase 4: Verify Security Fixes

Validate vulnerability closure:

Review code to confirm vulnerability is fully addressed
Verify no new vulnerabilities introduced by the fix
Check defense in depth - are multiple layers protecting critical resources?

Security testing:

Run existing test suite - all tests must pass
Add security-specific tests for the vulnerability
Consider penetration testing for critical vulnerabilities

Document security fix:

// Security fix applied: 2026-02-01
// Vulnerability: SQL injection via email parameter (Critical)
// OWASP Category: A03 - Injection
// Pattern: injection-prevention.md - parameterized queries
// Verified: All tests pass, manual SQL injection attempts blocked

Deciding whether to deploy the fix:

Critical vulnerabilities: Deploy immediately with emergency process if needed
High vulnerabilities: Deploy in next release cycle (days, not weeks)
Medium vulnerabilities: Deploy with next scheduled release
Low vulnerabilities: Deploy when convenient or batch with other security improvements

If tests fail: Fix the security implementation or find alternative solution. Security fixes should not break functionality.

Common Implementation Pitfalls

Security fixes sometimes conflict with existing functionality. Here are expert solutions for common scenarios:

Issue	❌ Wrong Approach	✅ Correct Approach
Parameterized queries break dynamic column sorting	Add try-catch, fall back to concatenation	Use column name whitelist: `const allowed = ['name', 'email', 'created_at']; if (!allowed.includes(column)) throw Error;` then safely concatenate
Rate limiting breaks load tests	Disable rate limiting in test environment	Use separate rate limit config for tests based on environment detection
CSRF tokens break API integration tests	Skip CSRF validation in tests	Generate valid CSRF tokens in test setup using your CSRF library's token generation function
Input validation rejects legitimate edge cases	Loosen validation rules	Investigate the edge case - is it legitimate? If yes, update schema. If no, reject it. Real users shouldn't hit validation errors.
Authorization checks break admin impersonation	Skip auth checks for admin users	Implement proper impersonation: admin gets temporary token with target user's permissions, logged for audit
HTTPOnly cookies break mobile app auth	Store tokens in localStorage for mobile

When Security and Functionality Conflict

Priority order:

Never compromise on Critical vulnerabilities (SQL injection, hardcoded secrets, missing auth) - find alternative architecture
High vulnerabilities can have slight trade-offs if properly documented and compensated with other controls
Medium/Low vulnerabilities may be deferred if business justification is strong and risk is accepted

Documentation requirement for trade-offs:

// SECURITY TRADE-OFF DOCUMENTED: 2026-02-01
// Issue: Rate limiting breaks webhook ingestion from trusted partner
// Decision: Exempt partner IP range from rate limiting
// Compensating controls:
//   - IP whitelist strictly maintained (only 2 partner IPs)
//   - Separate monitoring for partner traffic
//   - Manual review of partner traffic daily
//   - 30-day review scheduled to implement alternative solution
// Risk accepted by: [Name], [Title]

Freedom Calibration

Calibrate guidance specificity to vulnerability severity:

Vulnerability Severity	Freedom Level	Guidance Format	Example
Critical (data breach, RCE)	Low freedom	Exact pattern from reference, no deviation	"Use parameterized query: `db.query('SELECT * FROM users WHERE id = $1', [id])`"
High (unauthorized access)	Medium freedom	Pattern with examples, verify coverage	"Implement RBAC or ownership checks before resource access"
Medium (defense in depth)	Medium freedom	Multiple valid approaches, pick based on architecture	"Use rate limiting with express-rate-limit or implement custom middleware"
Low (best practices)	High freedom	General guidance, implementation varies	"Consider adding security headers for defense in depth"

The test: "What's the severity and blast radius?"

Critical/High severity → Low freedom with exact patterns to prevent mistakes
Medium severity → Medium freedom with validated approaches
Low severity → High freedom with general best practices

Important Notes

Audit everything philosophy - Audit ALL code for security vulnerabilities. Internal utilities, helpers, and data transformations are frequently exposed through APIs or user interactions even when they appear isolated. Do not make assumptions about security boundaries.
Report all findings - Perform systematic static analysis to identify and report ALL vulnerabilities with their severity and OWASP category. Do not filter based on "likelihood" of exploitation.
Reference files are authoritative - The patterns in references/ follow OWASP best practices. Follow them exactly unless security requirements dictate otherwise.
Defense in depth - Layer security controls so single vulnerability doesn't compromise entire system. Authentication + authorization + input validation + rate limiting.
Security testing - Security fixes require testing with malicious inputs and edge cases. Add tests for attack scenarios before deploying.
Incident response - Security logging and monitoring enable detection and response to attacks. Log all security events with sufficient detail for investigation.

Quick Decision Tree

Use this table to rapidly identify which security category applies and appropriate severity.

Audit everything : Identify ALL security vulnerabilities in the code regardless of current exposure. Report all findings with severity and OWASP category.

If You See...	Vulnerability Type	OWASP Category	Typical Severity
API key, password, or token in source code	Hardcoded secrets	A02: Cryptographic Failures	Critical
User input directly in SQL/NoSQL query	Injection vulnerability	A03: Injection	Critical
No `authenticate` middleware on protected route	Missing authentication	A01: Broken Access Control	Critical
No ownership/permission check before resource access	Missing authorization	A01: Broken Access Control	High
JWT token in `localStorage.setItem()`	Insecure token storage	A07: Auth Failures

How to use this table:

Identify the pattern from code review
Find matching row in "If You See..." column
Note the OWASP Category and Typical Severity
Jump to corresponding Security Category in Phase 3
Load MANDATORY reference files for that category

Weekly Installs

Repository

gohypergiant/ag…t-skills

GitHub Stars

First Seen

Feb 8, 2026

Security Audits

Gen Agent Trust HubFail SocketPass SnykPass

Installed on

codex91

claude-code83

cursor79

gemini-cli74

opencode74

amp73

Lark Mail CLI 使用指南：邮件管理、安全规则与自动化工作流

37,000 周安装