common-security-standards
Enforce universal security protocols for safe, resilient software. Use when implementing authentication, encryption, authorization, input validation, secret management, or any security-sensitive feature across any language or framework. (triggers: **/*.ts, **/*.tsx, **/*.go, **/*.dart, **/*.java, **
Install
mkdir -p .claude/skills/common-security-standards && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/15911" && unzip -o skill.zip -d .claude/skills/common-security-standards && rm skill.zipInstalls to .claude/skills/common-security-standards
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Enforce universal security protocols for safe, resilient software. Use when implementing authentication, encryption, authorization, input validation, secret management, or any security-sensitive feature across any language or framework. (triggers: **/*.ts, **/*.tsx, **/*.go, **/*.dart, **/*.java, **/*.kt, **/*.swift, **/*.py, security, encrypt, authenticate, authorize)About this skill
Security Standards
Priority: P0 (CRITICAL)
Always-Apply Rules
Apply these on every code write, regardless of context:
- No hardcoded secrets: Use environment variables or secret managers. Never commit keys, passwords, or tokens to source control.
- No raw SQL strings: Use parameterized queries or ORMs —
WHERE id = ${userId}is always wrong. - No stacktraces in prod: Return generic error codes; log full detail server-side only.
Workflow
Activate when: implementing auth, encryption, authorization, input handling, or any security-sensitive feature.
- Identify trust boundaries — map every data entry point (API, UI, CSV, webhook).
- Validate and sanitize all external input at each boundary.
- Apply least privilege to users, services, and containers.
- Verify with SAST/DAST scanners in CI before merge.
Context-Specific Rules
Data Safeguarding
- Zero Trust: Never trust external input. Sanitize and validate every data boundary.
- Least Privilege: Grant minimum necessary permissions to users, services, and containers.
- Encryption: AES-256 for data-at-rest; TLS 1.3 for data-in-transit.
- PII Logging: Never log PII (email, phone, names). Mask sensitive fields before logging.
See implementation examples for parameterized queries and secret management.
Secure Coding
- Injection Prevention: Use parameterized queries or ORMs to stop SQL, Command, and XSS injections.
- Dependency Management: Regularly scan (
npm audit,pip audit) and update third-party libraries to patch CVEs. - Secure Auth: Implement Multi-Factor Authentication (MFA) and secure session management.
- Error Privacy: Never leak stack traces or internal implementation details to the end-user.
Continuous Security
- Shift Left: Integrate security scanners (SAST/DAST) early in the CI/CD pipeline.
- Data Minimization: Collect and store only the minimum data required for business logic.
- Audit Logging: Maintain logs for sensitive operations (Auth, Deletion, Admin changes).
Anti-Patterns
- No default passwords: Force rotation on first use with strong entropy requirements.