security

Original：🇺🇸 English

Translated

Protect your SaaS app from common vulnerabilities. Use when building auth, handling user data, or deploying features. Covers authentication, data protection, API security, and OWASP Top 10 for non-technical founders using AI tools.

5installs

Sourcewhawkinsiv/claude-code-superpowers

Added on2026-02-08

NPX Install

npx skill4agent add whawkinsiv/claude-code-superpowers security

SKILL.md Content

View Translation Comparison →

Security

Security Checklist

Security Basics:
- [ ] Authentication required for protected routes
- [ ] Passwords hashed (bcrypt/argon2), never stored plain text
- [ ] API keys in environment variables, not code
- [ ] HTTPS only in production
- [ ] Input validated on server side
- [ ] SQL injection prevented (use parameterized queries)
- [ ] XSS prevented (sanitize user input)
- [ ] CSRF tokens on forms
- [ ] Rate limiting on API endpoints
- [ ] User sessions expire (30min-1hr typical)

See COMMON-VULNS.md for detailed checks.

Critical: Never Store These in Code

Move to environment variables:

Database passwords
API keys (Stripe, SendGrid, etc)
JWT secrets
OAuth client secrets
Encryption keys

Tell AI:

Store API keys in .env file, not in code.
Add .env to .gitignore.
Access via process.env.API_KEY

Authentication Basics

Minimum requirements:

Passwords: 8+ chars, require number/symbol
Hash passwords (bcrypt with 10+ rounds)
Email verification for signups
Password reset via email only
Sessions expire (30-60 min idle)
Logout clears session completely

Tell AI:

Add authentication:
- bcrypt for password hashing (12 rounds)
- Email verification required
- Session timeout: 30 minutes
- Password requirements: 8+ chars, 1 number, 1 symbol

See SECURITY-PROMPTS.md for implementation details.

Data Protection

Always encrypt:

Passwords (hashed, not encrypted)
Payment info (use Stripe, don't store cards)
Personal identifiable information (PII)

Never log:

Passwords (even hashed)
Credit card numbers
API keys
Session tokens

Tell AI:

Never log sensitive data.
Replace passwords/tokens with "[REDACTED]" in logs.

API Security

Required for all API endpoints:

Authentication check
Rate limiting (prevent abuse)
Input validation
Error messages don't leak info

Tell AI:

Add to all API routes:
- Require valid auth token
- Rate limit: 100 requests/minute per IP
- Validate all inputs (reject invalid)
- Generic error messages (no stack traces to users)

Common Vulnerabilities

Most common in AI-built apps:

Exposed API keys - In code instead of .env
No rate limiting - APIs can be spammed
Missing auth checks - Routes accessible without login
SQL injection - Raw SQL with user input
XSS attacks - Unescaped user content displayed

See COMMON-VULNS.md for how to check.

Security Prompts for AI

Adding authentication:

Add authentication to this route.
Require valid JWT token.
Return 401 if missing/invalid.
Don't expose error details.

Rate limiting:

Add rate limiting:
- 100 requests/minute per IP
- Return 429 "Too many requests" if exceeded
- Use sliding window, not fixed

Input validation:

Validate all user inputs:
- Email: valid format
- Password: 8+ chars, 1 number, 1 symbol
- Username: alphanumeric only, 3-20 chars
Reject invalid input with clear error message

See SECURITY-PROMPTS.md for more.

Pre-Launch Security Review

Before deploying:

Production Security:
- [ ] All secrets in environment variables
- [ ] HTTPS enforced (no HTTP)
- [ ] Database backups configured
- [ ] Rate limiting on all APIs
- [ ] Error pages don't show stack traces
- [ ] Admin routes protected
- [ ] File uploads validated (type, size)
- [ ] CORS configured (not wildcard "*")

When to Get Security Audit

Signs you need expert review:

Handling payments directly (not Stripe)
Storing health/financial data
Multi-tenant with data isolation
Over 1,000 users
Processing sensitive PII

For most MVPs: Following this checklist is sufficient.

Common Founder Mistakes

Mistake	Fix
API keys in code	Move to .env
No rate limiting	Add to all endpoints
Plain text passwords	Use bcrypt
HTTP in production	Force HTTPS
Accepting all CORS	Whitelist domains
No input validation	Validate server-side
Detailed error messages	Generic messages only

Quick Wins

Easy security improvements:

Add Helmet.js (Node) - Sets security headers
Use HTTPS everywhere - Force in production
Add rate limiting - Prevents abuse
Environment variables - Keep secrets safe
Update dependencies - Fix known vulnerabilities

Tell AI:

Add helmet.js for security headers.
Configure for production (HTTPS, CSP, XSS protection).

Testing Security

Quick checks:

Exposed secrets:

bash

grep -r "api_key" src/
grep -r "password" src/
# Should only find references to env vars

No auth bypass:

Try accessing protected routes without login
Should redirect to login or return 401

Rate limiting works:

Hit API endpoint 100 times quickly
Should get 429 error

Success Looks Like

✅ No secrets in code (all in .env)
✅ Can't access protected routes without auth
✅ Passwords hashed, never stored plain text
✅ Rate limiting prevents abuse
✅ HTTPS enforced in production
✅ Input validated on server side

security

NPX Install

Tags

SKILL.md Content

Security

Security Checklist

Critical: Never Store These in Code

Authentication Basics

Data Protection

API Security

Common Vulnerabilities

Security Prompts for AI

Pre-Launch Security Review

When to Get Security Audit

Common Founder Mistakes

Quick Wins

Testing Security

Success Looks Like