OWASP 安全检查技能：Web应用与REST API安全审计，涵盖OWASP Top 10漏洞

owasp-security-check by sergiodxa/agent-skills

480 周安装量

79 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/sergiodxa/agent-skills --skill owasp-security-check

自动化测试安全

🇨🇳中文介绍

OWASP 安全检查

针对 Web 应用程序和 REST API 的全面安全审计模式。包含 5 大类共 20 条规则，涵盖 OWASP Top 10 和常见的 Web 漏洞。

何时应用

在以下情况使用此技能：

审计代码库以查找安全漏洞
审查用户提供的文件或文件夹是否存在安全问题
检查身份验证/授权实现
评估 REST API 安全性
评估数据保护措施
审查配置和部署设置
生产环境部署之前
添加处理敏感数据的新功能之后

如何使用此技能

确定应用程序类型 - Web 应用、REST API、SPA、SSR 或混合类型
按优先级扫描 - 从 CRITICAL 规则开始，然后是 HIGH，最后是 MEDIUM
审查相关规则文件 - 从 @rules/ 目录加载特定规则
报告发现 - 记录严重性、文件位置和影响
提供修复建议 - 提供具体的修复代码示例

审计工作流程

步骤 1：按优先级进行系统审查

按优先级顺序处理各个类别：

CRITICAL : 身份验证与授权、数据保护、输入/输出安全
HIGH : 配置与标头
MEDIUM : API 与监控

步骤 2：生成报告

按以下格式记录发现：

严重性 : CRITICAL | HIGH | MEDIUM | LOW
类别 : 规则名称
文件 : 路径和行号

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

身份验证与授权 (CRITICAL)

broken-access-control - @rules/broken-access-control.md

检查是否存在缺少授权、IDOR、权限提升问题。

// Bad: No authorization check
async function getUser(req: Request): Promise<Response> {
  let url = new URL(req.url);
  let userId = url.searchParams.get("id");
  let user = await db.user.findUnique({ where: { id: userId } });
  return new Response(JSON.stringify(user));
}

// Good: Verify ownership
async function getUser(req: Request): Promise<Response> {
  let session = await getSession(req);
  let url = new URL(req.url);
  let userId = url.searchParams.get("id");

  if (session.userId !== userId && !session.isAdmin) {
    return new Response("Forbidden", { status: 403 });
  }

  let user = await db.user.findUnique({ where: { id: userId } });
  return new Response(JSON.stringify(user));
}

authentication-failures - @rules/authentication-failures.md

检查是否存在弱身份验证、缺少 MFA、会话问题。

// Bad: Weak password check
if (password.length >= 6) {
  /* allow */
}

// Good: Strong password requirements
function validatePassword(password: string) {
  if (password.length < 12) return false;
  if (!/[A-Z]/.test(password)) return false;
  if (!/[a-z]/.test(password)) return false;
  if (!/[0-9]/.test(password)) return false;
  if (!/[^A-Za-z0-9]/.test(password)) return false;
  return true;
}

数据保护 (CRITICAL)

cryptographic-failures - @rules/cryptographic-failures.md

检查是否存在弱加密、明文存储、不良哈希算法。

// Bad: MD5 for passwords
let hash = crypto.createHash("md5").update(password).digest("hex");

// Good: bcrypt with salt
let hash = await bcrypt(password, 12);

sensitive-data-exposure - @rules/sensitive-data-exposure.md

检查日志/响应中是否存在 PII、错误消息泄露信息。

// Bad: Exposing sensitive data
return new Response(JSON.stringify(user)); // Contains password hash, email, etc.

// Good: Return only needed fields
return new Response(
  JSON.stringify({
    id: user.id,
    username: user.username,
    displayName: user.displayName,
  }),
);

data-integrity-failures - @rules/data-integrity-failures.md

检查是否存在未签名的数据、不安全的反序列化。

// Bad: Trusting unsigned JWT
let decoded = JSON.parse(atob(token.split(".")[1]));
if (decoded.isAdmin) {
  /* grant access */
}

// Good: Verify signature
let payload = await verifyJWT(token, secret);

secrets-management - @rules/secrets-management.md

检查是否存在硬编码的密钥、暴露的环境变量。

// Bad: Hardcoded secret
const API_KEY = "sk_live_a1b2c3d4e5f6";

// Good: Environment variables
let API_KEY = process.env.API_KEY;
if (!API_KEY) throw new Error("API_KEY not configured");

输入/输出安全 (CRITICAL)

injection-attacks - @rules/injection-attacks.md

检查是否存在 SQL、XSS、NoSQL、命令、路径遍历注入。

// Bad: SQL injection
let query = `SELECT * FROM users WHERE email = '${email}'`;

// Good: Parameterized query
let user = await db.user.findUnique({ where: { email } });

ssrf-attacks - @rules/ssrf-attacks.md

检查是否存在未经验证的 URL、内部网络访问。

// Bad: Fetching user-provided URL
let url = await req.json().then((d) => d.url);
let response = await fetch(url);

// Good: Validate against allowlist
const ALLOWED_DOMAINS = ["api.example.com", "cdn.example.com"];
let url = new URL(await req.json().then((d) => d.url));
if (!ALLOWED_DOMAINS.includes(url.hostname)) {
  return new Response("Invalid URL", { status: 400 });
}

file-upload-security - @rules/file-upload-security.md

检查是否存在无限制的上传、MIME 类型验证。

// Bad: No file type validation
let file = await req.formData().then((fd) => fd.get("file"));
await writeFile(`./uploads/${file.name}`, file);

// Good: Validate type and extension
const ALLOWED_TYPES = ["image/jpeg", "image/png", "image/webp"];
const ALLOWED_EXTS = [".jpg", ".jpeg", ".png", ".webp"];
let file = await req.formData().then((fd) => fd.get("file") as File);

if (!ALLOWED_TYPES.includes(file.type)) {
  return new Response("Invalid file type", { status: 400 });
}

redirect-validation - @rules/redirect-validation.md

检查是否存在开放重定向、未经验证的重定向 URL。

// Bad: Unvalidated redirect
let returnUrl = new URL(req.url).searchParams.get("return");
return Response.redirect(returnUrl);

// Good: Validate redirect URL
let returnUrl = new URL(req.url).searchParams.get("return");
let allowed = ["/dashboard", "/profile", "/settings"];
if (!allowed.includes(returnUrl)) {
  return Response.redirect("/");
}

配置与标头 (HIGH)

insecure-design - @rules/insecure-design.md

检查架构中是否存在安全反模式。

// Bad: Security by obscurity
let isAdmin = req.headers.get("x-admin-secret") === "admin123";

// Good: Proper role-based access control
let session = await getSession(req);
let isAdmin = await db.user
  .findUnique({
    where: { id: session.userId },
  })
  .then((u) => u.role === "ADMIN");

security-misconfiguration - @rules/security-misconfiguration.md

检查是否存在默认配置、调试模式、错误处理问题。

// Bad: Exposing stack traces
catch (error) {
  return new Response(error.stack, { status: 500 });
}

// Good: Generic error message
catch (error) {
  console.error(error); // Log server-side only
  return new Response("Internal server error", { status: 500 });
}

security-headers - @rules/security-headers.md

检查是否存在 CSP、HSTS、X-Frame-Options 等。

// Bad: No security headers
return new Response(html);

// Good: Security headers set
return new Response(html, {
  headers: {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  },
});

cors-configuration - @rules/cors-configuration.md

检查是否存在过于宽松的 CORS 配置。

// Bad: Wildcard with credentials
headers.set("Access-Control-Allow-Origin", "*");
headers.set("Access-Control-Allow-Credentials", "true");

// Good: Specific origin
let allowedOrigins = ["https://app.example.com"];
let origin = req.headers.get("origin");
if (origin && allowedOrigins.includes(origin)) {
  headers.set("Access-Control-Allow-Origin", origin);
}

csrf-protection - @rules/csrf-protection.md

检查是否存在 CSRF 令牌、SameSite Cookie。

// Bad: No CSRF protection
let cookies = parseCookies(req.headers.get("cookie"));
let session = await getSession(cookies.sessionId);

// Good: SameSite cookie + token validation
return new Response("OK", {
  headers: {
    "Set-Cookie": "session=abc; SameSite=Strict; Secure; HttpOnly",
  },
});

session-security - @rules/session-security.md

检查是否存在 Cookie 标志、JWT 问题、令牌存储问题。

// Bad: Insecure cookie
return new Response("OK", {
  headers: { "Set-Cookie": "session=abc123" },
});

// Good: Secure cookie with all flags
return new Response("OK", {
  headers: {
    "Set-Cookie":
      "session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age=3600",
  },
});

API 与监控 (MEDIUM-HIGH)

api-security - @rules/api-security.md

检查是否存在 REST API 漏洞、批量赋值问题。

// Bad: Mass assignment vulnerability
let userData = await req.json();
await db.user.update({ where: { id }, data: userData });

// Good: Explicitly allow fields
let { displayName, bio } = await req.json();
await db.user.update({
  where: { id },
  data: { displayName, bio }, // Only allowed fields
});

rate-limiting - @rules/rate-limiting.md

检查是否存在缺少速率限制、暴力破解防护。

// Bad: No rate limiting
async function login(req: Request): Promise<Response> {
  let { email, password } = await req.json();
  // Allows unlimited login attempts
}

// Good: Rate limiting
let ip = req.headers.get("x-forwarded-for");
let { success } = await ratelimit.limit(ip);
if (!success) {
  return new Response("Too many requests", { status: 429 });
}

logging-monitoring - @rules/logging-monitoring.md

检查是否存在日志记录不足、日志中包含敏感数据。

// Bad: Logging sensitive data
console.log("User login:", { email, password, ssn });

// Good: Log events without sensitive data
console.log("User login attempt", {
  email,
  ip: req.headers.get("x-forwarded-for"),
  timestamp: new Date().toISOString(),
});

vulnerable-dependencies - @rules/vulnerable-dependencies.md

检查是否存在过时的包、已知的 CVE。

# Bad: No dependency checking
npm install

# Good: Regular audits
npm audit
npm audit fix

快速参考需要查找的模式：

未经验证的用户输入 : req.json() → 立即使用
缺少身份验证检查 : 没有授权中间件的路由
硬编码的密钥 : 包含 "password"、"secret"、"key" 的字符串
SQL 注入 : 查询中的字符串拼接
XSS : dangerouslySetInnerHTML, .innerHTML
弱加密 : 对密码使用 md5、sha1
缺少标头 : 没有 CSP、HSTS 或安全标头
CORS 通配符 : Access-Control-Allow-Origin: * 与凭据一起使用
不安全的 Cookie : 缺少 Secure、HttpOnly、SameSite 标志
路径遍历 : 文件路径中包含未经验证的用户输入

严重性快速参考

立即修复 (CRITICAL):

SQL/XSS/命令注入
敏感端点缺少身份验证
代码中硬编码的密钥
明文存储密码
IDOR 漏洞

尽快修复 (HIGH):

缺少 CSRF 防护
弱密码要求
缺少安全标头
过于宽松的 CORS
不安全的会话管理

在可能时修复 (MEDIUM):

缺少速率限制
日志记录不完整
过时的依赖项（无已知漏洞利用）
非关键字段缺少输入验证

缺少可选的安全标头
详细的错误消息（非生产环境）
次优的加密参数

🇺🇸English

OWASP Security Check

Comprehensive security audit patterns for web applications and REST APIs. Contains 20 rules across 5 categories covering OWASP Top 10 and common web vulnerabilities.

When to Apply

Use this skill when:

Auditing a codebase for security vulnerabilities
Reviewing user-provided file or folder for security issues
Checking authentication/authorization implementations
Evaluating REST API security
Assessing data protection measures
Reviewing configuration and deployment settings
Before production deployment
After adding new features that handle sensitive data

How to Use This Skill

Identify application type - Web app, REST API, SPA, SSR, or mixed
Scan by priority - Start with CRITICAL rules, then HIGH, then MEDIUM
Review relevant rule files - Load specific rules from @rules/ directory
Report findings - Note severity, file location, and impact
Provide remediation - Give concrete code examples for fixes

Audit Workflow

Step 1: Systematic Review by Priority

Work through categories by priority:

CRITICAL : Authentication & Authorization, Data Protection, Input/Output Security
HIGH : Configuration & Headers
MEDIUM : API & Monitoring

Step 2: Generate Report

Format findings as:

Severity : CRITICAL | HIGH | MEDIUM | LOW
Category : Rule name
File : Path and line number
Issue : What's wrong
Impact : Security consequence
Fix : Code example of remediation

Rules Summary

Authentication & Authorization (CRITICAL)

broken-access-control - @rules/broken-access-control.md

Check for missing authorization, IDOR, privilege escalation.

// Bad: No authorization check
async function getUser(req: Request): Promise<Response> {
  let url = new URL(req.url);
  let userId = url.searchParams.get("id");
  let user = await db.user.findUnique({ where: { id: userId } });
  return new Response(JSON.stringify(user));
}

// Good: Verify ownership
async function getUser(req: Request): Promise<Response> {
  let session = await getSession(req);
  let url = new URL(req.url);
  let userId = url.searchParams.get("id");

  if (session.userId !== userId && !session.isAdmin) {
    return new Response("Forbidden", { status: 403 });
  }

  let user = await db.user.findUnique({ where: { id: userId } });
  return new Response(JSON.stringify(user));
}

authentication-failures - @rules/authentication-failures.md

Check for weak authentication, missing MFA, session issues.

// Bad: Weak password check
if (password.length >= 6) {
  /* allow */
}

// Good: Strong password requirements
function validatePassword(password: string) {
  if (password.length < 12) return false;
  if (!/[A-Z]/.test(password)) return false;
  if (!/[a-z]/.test(password)) return false;
  if (!/[0-9]/.test(password)) return false;
  if (!/[^A-Za-z0-9]/.test(password)) return false;
  return true;
}

Data Protection (CRITICAL)

cryptographic-failures - @rules/cryptographic-failures.md

Check for weak encryption, plaintext storage, bad hashing.

// Bad: MD5 for passwords
let hash = crypto.createHash("md5").update(password).digest("hex");

// Good: bcrypt with salt
let hash = await bcrypt(password, 12);

sensitive-data-exposure - @rules/sensitive-data-exposure.md

Check for PII in logs/responses, error messages leaking info.

// Bad: Exposing sensitive data
return new Response(JSON.stringify(user)); // Contains password hash, email, etc.

// Good: Return only needed fields
return new Response(
  JSON.stringify({
    id: user.id,
    username: user.username,
    displayName: user.displayName,
  }),
);

data-integrity-failures - @rules/data-integrity-failures.md

Check for unsigned data, insecure deserialization.

// Bad: Trusting unsigned JWT
let decoded = JSON.parse(atob(token.split(".")[1]));
if (decoded.isAdmin) {
  /* grant access */
}

// Good: Verify signature
let payload = await verifyJWT(token, secret);

secrets-management - @rules/secrets-management.md

Check for hardcoded secrets, exposed env vars.

// Bad: Hardcoded secret
const API_KEY = "sk_live_a1b2c3d4e5f6";

// Good: Environment variables
let API_KEY = process.env.API_KEY;
if (!API_KEY) throw new Error("API_KEY not configured");

Input/Output Security (CRITICAL)

injection-attacks - @rules/injection-attacks.md

Check for SQL, XSS, NoSQL, Command, Path Traversal injection.

// Bad: SQL injection
let query = `SELECT * FROM users WHERE email = '${email}'`;

// Good: Parameterized query
let user = await db.user.findUnique({ where: { email } });

ssrf-attacks - @rules/ssrf-attacks.md

Check for unvalidated URLs, internal network access.

// Bad: Fetching user-provided URL
let url = await req.json().then((d) => d.url);
let response = await fetch(url);

// Good: Validate against allowlist
const ALLOWED_DOMAINS = ["api.example.com", "cdn.example.com"];
let url = new URL(await req.json().then((d) => d.url));
if (!ALLOWED_DOMAINS.includes(url.hostname)) {
  return new Response("Invalid URL", { status: 400 });
}

file-upload-security - @rules/file-upload-security.md

Check for unrestricted uploads, MIME validation.

// Bad: No file type validation
let file = await req.formData().then((fd) => fd.get("file"));
await writeFile(`./uploads/${file.name}`, file);

// Good: Validate type and extension
const ALLOWED_TYPES = ["image/jpeg", "image/png", "image/webp"];
const ALLOWED_EXTS = [".jpg", ".jpeg", ".png", ".webp"];
let file = await req.formData().then((fd) => fd.get("file") as File);

if (!ALLOWED_TYPES.includes(file.type)) {
  return new Response("Invalid file type", { status: 400 });
}

redirect-validation - @rules/redirect-validation.md

Check for open redirects, unvalidated redirect URLs.

// Bad: Unvalidated redirect
let returnUrl = new URL(req.url).searchParams.get("return");
return Response.redirect(returnUrl);

// Good: Validate redirect URL
let returnUrl = new URL(req.url).searchParams.get("return");
let allowed = ["/dashboard", "/profile", "/settings"];
if (!allowed.includes(returnUrl)) {
  return Response.redirect("/");
}

Configuration & Headers (HIGH)

insecure-design - @rules/insecure-design.md

Check for security anti-patterns in architecture.

// Bad: Security by obscurity
let isAdmin = req.headers.get("x-admin-secret") === "admin123";

// Good: Proper role-based access control
let session = await getSession(req);
let isAdmin = await db.user
  .findUnique({
    where: { id: session.userId },
  })
  .then((u) => u.role === "ADMIN");

security-misconfiguration - @rules/security-misconfiguration.md

Check for default configs, debug mode, error handling.

// Bad: Exposing stack traces
catch (error) {
  return new Response(error.stack, { status: 500 });
}

// Good: Generic error message
catch (error) {
  console.error(error); // Log server-side only
  return new Response("Internal server error", { status: 500 });
}

security-headers - @rules/security-headers.md

Check for CSP, HSTS, X-Frame-Options, etc.

// Bad: No security headers
return new Response(html);

// Good: Security headers set
return new Response(html, {
  headers: {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  },
});

cors-configuration - @rules/cors-configuration.md

Check for overly permissive CORS.

// Bad: Wildcard with credentials
headers.set("Access-Control-Allow-Origin", "*");
headers.set("Access-Control-Allow-Credentials", "true");

// Good: Specific origin
let allowedOrigins = ["https://app.example.com"];
let origin = req.headers.get("origin");
if (origin && allowedOrigins.includes(origin)) {
  headers.set("Access-Control-Allow-Origin", origin);
}

csrf-protection - @rules/csrf-protection.md

Check for CSRF tokens, SameSite cookies.

// Bad: No CSRF protection
let cookies = parseCookies(req.headers.get("cookie"));
let session = await getSession(cookies.sessionId);

// Good: SameSite cookie + token validation
return new Response("OK", {
  headers: {
    "Set-Cookie": "session=abc; SameSite=Strict; Secure; HttpOnly",
  },
});

session-security - @rules/session-security.md

Check for cookie flags, JWT issues, token storage.

// Bad: Insecure cookie
return new Response("OK", {
  headers: { "Set-Cookie": "session=abc123" },
});

// Good: Secure cookie with all flags
return new Response("OK", {
  headers: {
    "Set-Cookie":
      "session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age=3600",
  },
});

API & Monitoring (MEDIUM-HIGH)

api-security - @rules/api-security.md

Check for REST API vulnerabilities, mass assignment.

// Bad: Mass assignment vulnerability
let userData = await req.json();
await db.user.update({ where: { id }, data: userData });

// Good: Explicitly allow fields
let { displayName, bio } = await req.json();
await db.user.update({
  where: { id },
  data: { displayName, bio }, // Only allowed fields
});

rate-limiting - @rules/rate-limiting.md

Check for missing rate limits, brute force prevention.

// Bad: No rate limiting
async function login(req: Request): Promise<Response> {
  let { email, password } = await req.json();
  // Allows unlimited login attempts
}

// Good: Rate limiting
let ip = req.headers.get("x-forwarded-for");
let { success } = await ratelimit.limit(ip);
if (!success) {
  return new Response("Too many requests", { status: 429 });
}

logging-monitoring - @rules/logging-monitoring.md

Check for insufficient logging, sensitive data in logs.

// Bad: Logging sensitive data
console.log("User login:", { email, password, ssn });

// Good: Log events without sensitive data
console.log("User login attempt", {
  email,
  ip: req.headers.get("x-forwarded-for"),
  timestamp: new Date().toISOString(),
});

vulnerable-dependencies - @rules/vulnerable-dependencies.md

Check for outdated packages, known CVEs.

# Bad: No dependency checking
npm install

# Good: Regular audits
npm audit
npm audit fix

Common Vulnerability Patterns

Quick reference of patterns to look for:

User input without validation : req.json() → immediate use
Missing auth checks : Routes without authorization middleware
Hardcoded secrets : Strings containing "password", "secret", "key"
SQL injection : String concatenation in queries
XSS : dangerouslySetInnerHTML, .innerHTML
Weak crypto : md5, sha1 for passwords
Missing headers : No CSP, HSTS, or security headers
CORS wildcards : Access-Control-Allow-Origin: * with credentials
Insecure cookies : Missing Secure, HttpOnly, SameSite flags
Path traversal : User input in file paths without validation

Severity Quick Reference

Fix Immediately (CRITICAL):

SQL/XSS/Command Injection
Missing authentication on sensitive endpoints
Hardcoded secrets in code
Plaintext password storage
IDOR vulnerabilities

Fix Soon (HIGH):

Missing CSRF protection
Weak password requirements
Missing security headers
Overly permissive CORS
Insecure session management

Fix When Possible (MEDIUM):

Missing rate limiting
Incomplete logging
Outdated dependencies (no known exploits)
Missing input validation on non-critical fields

Improve (LOW):

Missing optional security headers
Verbose error messages (non-production)
Suboptimal crypto parameters

Weekly Installs

480

Repository

sergiodxa/agent-skills

GitHub Stars

First Seen

Feb 1, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode441

codex423

gemini-cli417

cursor398

github-copilot397

claude-code357

OpenClaw技能安全审计指南：skill-vetter工具详解与安装前安全检查

12,200 周安装

OWASP 安全检查技能：Web应用与REST API安全审计，涵盖OWASP Top 10漏洞

🇨🇳中文介绍

OWASP 安全检查

何时应用

如何使用此技能

审计工作流程

步骤 1：按优先级进行系统审查

步骤 2：生成报告

相关 Skills

规则摘要

身份验证与授权 (CRITICAL)

broken-access-control - @rules/broken-access-control.md

authentication-failures - @rules/authentication-failures.md

数据保护 (CRITICAL)

cryptographic-failures - @rules/cryptographic-failures.md

sensitive-data-exposure - @rules/sensitive-data-exposure.md

data-integrity-failures - @rules/data-integrity-failures.md

secrets-management - @rules/secrets-management.md

输入/输出安全 (CRITICAL)

injection-attacks - @rules/injection-attacks.md

ssrf-attacks - @rules/ssrf-attacks.md

file-upload-security - @rules/file-upload-security.md

redirect-validation - @rules/redirect-validation.md

配置与标头 (HIGH)

insecure-design - @rules/insecure-design.md

security-misconfiguration - @rules/security-misconfiguration.md

security-headers - @rules/security-headers.md

cors-configuration - @rules/cors-configuration.md

csrf-protection - @rules/csrf-protection.md

session-security - @rules/session-security.md

API 与监控 (MEDIUM-HIGH)

api-security - @rules/api-security.md

rate-limiting - @rules/rate-limiting.md

logging-monitoring - @rules/logging-monitoring.md

vulnerable-dependencies - @rules/vulnerable-dependencies.md

常见漏洞模式

严重性快速参考

🇺🇸English

OWASP Security Check

When to Apply

How to Use This Skill

Audit Workflow

Step 1: Systematic Review by Priority

Step 2: Generate Report

Rules Summary

Authentication & Authorization (CRITICAL)

broken-access-control - @rules/broken-access-control.md

authentication-failures - @rules/authentication-failures.md

Data Protection (CRITICAL)

cryptographic-failures - @rules/cryptographic-failures.md

sensitive-data-exposure - @rules/sensitive-data-exposure.md

data-integrity-failures - @rules/data-integrity-failures.md

secrets-management - @rules/secrets-management.md

Input/Output Security (CRITICAL)

injection-attacks - @rules/injection-attacks.md

ssrf-attacks - @rules/ssrf-attacks.md

file-upload-security - @rules/file-upload-security.md

redirect-validation - @rules/redirect-validation.md

Configuration & Headers (HIGH)

insecure-design - @rules/insecure-design.md

security-misconfiguration - @rules/security-misconfiguration.md

security-headers - @rules/security-headers.md

cors-configuration - @rules/cors-configuration.md

csrf-protection - @rules/csrf-protection.md

session-security - @rules/session-security.md

API & Monitoring (MEDIUM-HIGH)

api-security - @rules/api-security.md

rate-limiting - @rules/rate-limiting.md

logging-monitoring - @rules/logging-monitoring.md

vulnerable-dependencies - @rules/vulnerable-dependencies.md

Common Vulnerability Patterns

Severity Quick Reference

最新 Skills