security-review
Security audit for backend services and API endpoints — authentication gaps, injection risks, hardcoded secrets, and permission bypass vectors.
Install
mkdir -p .claude/skills/security-review-prav-raghu && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/14465" && unzip -o skill.zip -d .claude/skills/security-review-prav-raghu && rm skill.zip
Installs to .claude/skills/security-review-prav-raghu
About this skill
Security Review
Audit the changes or files at: $ARGUMENTS
Run this diff first if reviewing a branch:
!git diff origin/main..HEAD -- $ARGUMENTS 2>/dev/null || find $ARGUMENTS -name "*.ts" | head -20
Audit checklist
Authentication & Authorization
- MSAL Bearer token validation happens via AzureAuthGuard, consistently — never a locally-signed/custom JWT in production code
- No route skips auth via query param, header trick, or env flag
- Genuinely public/unauthenticated endpoints are the exception, not the default
- PermissionsGuard (@RequirePermissions) fires on every write/destructive endpoint
- req.user is never taken from the request body or query string — only from the validated MSAL token
Input Validation
- Every request body goes through class-validator decorators + the global ValidationPipe({ whitelist: true, transform: true })
- forbidNonWhitelisted: true (or equivalent) so unexpected fields are rejected, not silently dropped
- No raw/unparameterized SQL (Prisma raw queries, if any, are parameterized)
- File uploads validate MIME type and size before processing
Secrets & Credentials
- No hardcoded secrets, Azure client secrets, API keys, tokens, or connection strings anywhere
- No sensitive values in log output (check AzureMonitorLogger's redact list is complete)
- .env is gitignored; only .env.example with placeholders is committed
- No custom password hashing/storage anywhere — auth is delegated entirely to Azure MSAL
Output & Data Exposure
- Prisma queries use select to exclude sensitive fields from responses
- Audit log redact() covers password, token, secret, hash, twoFactorSecret
- Webhook payloads contain no PII, passwords, or internal system IDs
- No stack traces or internal error messages in production API responses
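An added example, not the skill's or the project's own code: a reference redactor plus a leak finder that a reviewer can use to test whether the audit-log redact() item above holds for nested and differently cased keys. The names redactSensitive, findLeaks, the "[REDACTED]" marker and the sample record are assumptions; the key list is the one in the checklist.

```typescript
// Hypothetical helper for review tests, not AzureMonitorLogger's implementation.
// Fragments come from the checklist item; matching is a case-insensitive
// substring test, so accessToken, passwordHash and client_secret are caught.
const SENSITIVE_FRAGMENTS = ["password", "token", "secret", "hash", "twofactorsecret"];
const REDACTED = "[REDACTED]"; // assumed marker

function isSensitiveKey(key: string): boolean {
  const k = key.toLowerCase();
  return SENSITIVE_FRAGMENTS.some((f) => k.indexOf(f) !== -1);
}

// Returns a redacted deep copy of plain objects and arrays; input is not mutated.
function redactSensitive(value: unknown, ancestors: object[] = []): unknown {
  if (value === null || typeof value !== "object") return value;
  if (ancestors.indexOf(value) !== -1) return "[Circular]"; // cycle guard
  const chain = ancestors.concat([value]);
  if (Array.isArray(value)) return value.map((v) => redactSensitive(v, chain));
  const src = value as Record<string, unknown>;
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(src)) {
    out[key] = isSensitiveKey(key) ? REDACTED : redactSensitive(src[key], chain);
  }
  return out;
}

// Lists dotted paths of sensitive keys whose values were not replaced.
// Run it on the OUTPUT of whatever redact function is under review.
function findLeaks(value: unknown, path: string = ""): string[] {
  if (value === null || typeof value !== "object") return [];
  const src = value as Record<string, unknown>;
  let leaks: string[] = [];
  for (const key of Object.keys(src)) {
    const p = path ? path + "." + key : key;
    if (isSensitiveKey(key)) { if (src[key] !== REDACTED) leaks.push(p); }
    else leaks = leaks.concat(findLeaks(src[key], p));
  }
  return leaks;
}

// Constructed sample audit record (all values are made up).
const sampleAuditEntry = {
  action: "user.update",
  actor: { id: "u-123", accessToken: "constructed-token-value" },
  changes: [{ field: "email" }, { passwordHash: "constructed-hash", twoFactorSecret: "constructed" }],
  meta: { client_secret: "constructed-secret", requestId: "r-1" },
};
```

Substring matching errs toward over-redaction (a key such as tokenCount is also masked), which is the safer failure for audit logs.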
Infrastructure
- No wildcard * in CORS origin config in production
- Helmet is registered in every service's main.ts
- @nestjs/throttler rate limiting applied per tier (global/auth/sensitive/admin)
- SSRF prevention in place on any service making outbound HTTP calls (webhook delivery, external-apis)
- MySQL and Redis are never exposed on a public network/subnet
Report format
Group findings as:
Blockers (must fix before merge) → Warnings (should fix) → Suggestions (nice to have)
Each finding: location, issue, concrete fix.