Security Review

1---2name: security-review3description: Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.4origin: ECC5---6 7# Security Review Skill8 9This skill ensures all code follows security best practices and identifies potential vulnerabilities.10 11## When to Activate12 13- Implementing authentication or authorization14- Handling user input or file uploads15- Creating new API endpoints16- Working with secrets or credentials17- Implementing payment features18- Storing or transmitting sensitive data19- Integrating third-party APIs20 21## Security Checklist22 23### 1. Secrets Management24 25#### FAIL: NEVER Do This26```typescript27const apiKey = "sk-proj-xxxxx"  // Hardcoded secret28const dbPassword = "password123" // In source code29```30 31#### PASS: ALWAYS Do This32```typescript33const apiKey = process.env.OPENAI_API_KEY34const dbUrl = process.env.DATABASE_URL35 36// Verify secrets exist37if (!apiKey) {38  throw new Error('OPENAI_API_KEY not configured')39}40```41 42#### Verification Steps43- [ ] No hardcoded API keys, tokens, or passwords44- [ ] All secrets in environment variables45- [ ] `.env.local` in .gitignore46- [ ] No secrets in git history47- [ ] Production secrets in hosting platform (Vercel, Railway)48 49### 2. Input Validation50 51#### Always Validate User Input52```typescript53import { z } from 'zod'54 55// Define validation schema56const CreateUserSchema = z.object({57  email: z.string().email(),58  name: z.string().min(1).max(100),59  age: z.number().int().min(0).max(150)60})61 62// Validate before processing63export async function createUser(input: unknown) {64  try {65    const validated = CreateUserSchema.parse(input)66    return await db.users.create(validated)67  } catch (error) {68    if (error instanceof z.ZodError) {69      return { success: false, errors: error.errors }70    }71    throw error72  }73}74```75 76#### File Upload Validation77```typescript78function validateFileUpload(file: File) {79  // Size check (5MB max)80  const maxSize = 5 * 1024 * 102481  if (file.size > maxSize) {82    throw new Error('File too large (max 5MB)')83  }84 85  // Type check86  const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']87  if (!allowedTypes.includes(file.type)) {88    throw new Error('Invalid file type')89  }90 91  // Extension check92  const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']93  const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]94  if (!extension || !allowedExtensions.includes(extension)) {95    throw new Error('Invalid file extension')96  }97 98  return true99}100```101 102#### Verification Steps103- [ ] All user inputs validated with schemas104- [ ] File uploads restricted (size, type, extension)105- [ ] No direct use of user input in queries106- [ ] Whitelist validation (not blacklist)107- [ ] Error messages don't leak sensitive info108 109### 3. SQL Injection Prevention110 111#### FAIL: NEVER Concatenate SQL112```typescript113// DANGEROUS - SQL Injection vulnerability114const query = `SELECT * FROM users WHERE email = '${userEmail}'`115await db.query(query)116```117 118#### PASS: ALWAYS Use Parameterized Queries119```typescript120// Safe - parameterized query121const { data } = await supabase122  .from('users')123  .select('*')124  .eq('email', userEmail)125 126// Or with raw SQL127await db.query(128  'SELECT * FROM users WHERE email = $1',129  [userEmail]130)131```132 133#### Verification Steps134- [ ] All database queries use parameterized queries135- [ ] No string concatenation in SQL136- [ ] ORM/query builder used correctly137- [ ] Supabase queries properly sanitized138 139### 4. Authentication & Authorization140 141#### JWT Token Handling142```typescript143// FAIL: WRONG: localStorage (vulnerable to XSS)144localStorage.setItem('token', token)145 146// PASS: CORRECT: httpOnly cookies147res.setHeader('Set-Cookie',148  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)149```150 151#### Authorization Checks152```typescript153export async function deleteUser(userId: string, requesterId: string) {154  // ALWAYS verify authorization first155  const requester = await db.users.findUnique({156    where: { id: requesterId }157  })158 159  if (requester.role !== 'admin') {160    return NextResponse.json(161      { error: 'Unauthorized' },162      { status: 403 }163    )164  }165 166  // Proceed with deletion167  await db.users.delete({ where: { id: userId } })168}169```170 171#### Row Level Security (Supabase)172```sql173-- Enable RLS on all tables174ALTER TABLE users ENABLE ROW LEVEL SECURITY;175 176-- Users can only view their own data177CREATE POLICY "Users view own data"178  ON users FOR SELECT179  USING (auth.uid() = id);180 181-- Users can only update their own data182CREATE POLICY "Users update own data"183  ON users FOR UPDATE184  USING (auth.uid() = id);185```186 187#### Verification Steps188- [ ] Tokens stored in httpOnly cookies (not localStorage)189- [ ] Authorization checks before sensitive operations190- [ ] Row Level Security enabled in Supabase191- [ ] Role-based access control implemented192- [ ] Session management secure193 194### 5. XSS Prevention195 196#### Sanitize HTML197```typescript198import DOMPurify from 'isomorphic-dompurify'199 200// ALWAYS sanitize user-provided HTML201function renderUserContent(html: string) {202  const clean = DOMPurify.sanitize(html, {203    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],204    ALLOWED_ATTR: []205  })206  return <div dangerouslySetInnerHTML={{ __html: clean }} />207}208```209 210#### Content Security Policy211```typescript212// next.config.js213const securityHeaders = [214  {215    key: 'Content-Security-Policy',216    value: `217      default-src 'self';218      script-src 'self' 'unsafe-eval' 'unsafe-inline';219      style-src 'self' 'unsafe-inline';220      img-src 'self' data: https:;221      font-src 'self';222      connect-src 'self' https://api.example.com;223    `.replace(/\s{2,}/g, ' ').trim()224  }225]226```227 228#### Verification Steps229- [ ] User-provided HTML sanitized230- [ ] CSP headers configured231- [ ] No unvalidated dynamic content rendering232- [ ] React's built-in XSS protection used233 234### 6. CSRF Protection235 236#### CSRF Tokens237```typescript238import { csrf } from '@/lib/csrf'239 240export async function POST(request: Request) {241  const token = request.headers.get('X-CSRF-Token')242 243  if (!csrf.verify(token)) {244    return NextResponse.json(245      { error: 'Invalid CSRF token' },246      { status: 403 }247    )248  }249 250  // Process request251}252```253 254#### SameSite Cookies255```typescript256res.setHeader('Set-Cookie',257  `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)258```259 260#### Verification Steps261- [ ] CSRF tokens on state-changing operations262- [ ] SameSite=Strict on all cookies263- [ ] Double-submit cookie pattern implemented264 265### 7. Rate Limiting266 267#### API Rate Limiting268```typescript269import rateLimit from 'express-rate-limit'270 271const limiter = rateLimit({272  windowMs: 15 * 60 * 1000, // 15 minutes273  max: 100, // 100 requests per window274  message: 'Too many requests'275})276 277// Apply to routes278app.use('/api/', limiter)279```280 281#### Expensive Operations282```typescript283// Aggressive rate limiting for searches284const searchLimiter = rateLimit({285  windowMs: 60 * 1000, // 1 minute286  max: 10, // 10 requests per minute287  message: 'Too many search requests'288})289 290app.use('/api/search', searchLimiter)291```292 293#### Verification Steps294- [ ] Rate limiting on all API endpoints295- [ ] Stricter limits on expensive operations296- [ ] IP-based rate limiting297- [ ] User-based rate limiting (authenticated)298 299### 8. Sensitive Data Exposure300 301#### Logging302```typescript303// FAIL: WRONG: Logging sensitive data304console.log('User login:', { email, password })305console.log('Payment:', { cardNumber, cvv })306 307// PASS: CORRECT: Redact sensitive data308console.log('User login:', { email, userId })309console.log('Payment:', { last4: card.last4, userId })310```311 312#### Error Messages313```typescript314// FAIL: WRONG: Exposing internal details315catch (error) {316  return NextResponse.json(317    { error: error.message, stack: error.stack },318    { status: 500 }319  )320}321 322// PASS: CORRECT: Generic error messages323catch (error) {324  console.error('Internal error:', error)325  return NextResponse.json(326    { error: 'An error occurred. Please try again.' },327    { status: 500 }328  )329}330```331 332#### Verification Steps333- [ ] No passwords, tokens, or secrets in logs334- [ ] Error messages generic for users335- [ ] Detailed errors only in server logs336- [ ] No stack traces exposed to users337 338### 9. Blockchain Security (Solana)339 340#### Wallet Verification341```typescript342import { verify } from '@solana/web3.js'343 344async function verifyWalletOwnership(345  publicKey: string,346  signature: string,347  message: string348) {349  try {350    const isValid = verify(351      Buffer.from(message),352      Buffer.from(signature, 'base64'),353      Buffer.from(publicKey, 'base64')354    )355    return isValid356  } catch (error) {357    return false358  }359}360```361 362#### Transaction Verification363```typescript364async function verifyTransaction(transaction: Transaction) {365  // Verify recipient366  if (transaction.to !== expectedRecipient) {367    throw new Error('Invalid recipient')368  }369 370  // Verify amount371  if (transaction.amount > maxAmount) {372    throw new Error('Amount exceeds limit')373  }374 375  // Verify user has sufficient balance376  const balance = await getBalance(transaction.from)377  if (balance < transaction.amount) {378    throw new Error('Insufficient balance')379  }380 381  return true382}383```384 385#### Verification Steps386- [ ] Wallet signatures verified387- [ ] Transaction details validated388- [ ] Balance checks before transactions389- [ ] No blind transaction signing390 391### 10. Dependency Security392 393#### Regular Updates394```bash395# Check for vulnerabilities396npm audit397 398# Fix automatically fixable issues399npm audit fix400 401# Update dependencies402npm update403 404# Check for outdated packages405npm outdated406```407 408#### Lock Files409```bash410# ALWAYS commit lock files411git add package-lock.json412 413# Use in CI/CD for reproducible builds414npm ci  # Instead of npm install415```416 417#### Verification Steps418- [ ] Dependencies up to date419- [ ] No known vulnerabilities (npm audit clean)420- [ ] Lock files committed421- [ ] Dependabot enabled on GitHub422- [ ] Regular security updates423 424## Security Testing425 426### Automated Security Tests427```typescript428// Test authentication429test('requires authentication', async () => {430  const response = await fetch('/api/protected')431  expect(response.status).toBe(401)432})433 434// Test authorization435test('requires admin role', async () => {436  const response = await fetch('/api/admin', {437    headers: { Authorization: `Bearer ${userToken}` }438  })439  expect(response.status).toBe(403)440})441 442// Test input validation443test('rejects invalid input', async () => {444  const response = await fetch('/api/users', {445    method: 'POST',446    body: JSON.stringify({ email: 'not-an-email' })447  })448  expect(response.status).toBe(400)449})450 451// Test rate limiting452test('enforces rate limits', async () => {453  const requests = Array(101).fill(null).map(() =>454    fetch('/api/endpoint')455  )456 457  const responses = await Promise.all(requests)458  const tooManyRequests = responses.filter(r => r.status === 429)459 460  expect(tooManyRequests.length).toBeGreaterThan(0)461})462```463 464## Pre-Deployment Security Checklist465 466Before ANY production deployment:467 468- [ ] **Secrets**: No hardcoded secrets, all in env vars469- [ ] **Input Validation**: All user inputs validated470- [ ] **SQL Injection**: All queries parameterized471- [ ] **XSS**: User content sanitized472- [ ] **CSRF**: Protection enabled473- [ ] **Authentication**: Proper token handling474- [ ] **Authorization**: Role checks in place475- [ ] **Rate Limiting**: Enabled on all endpoints476- [ ] **HTTPS**: Enforced in production477- [ ] **Security Headers**: CSP, X-Frame-Options configured478- [ ] **Error Handling**: No sensitive data in errors479- [ ] **Logging**: No sensitive data logged480- [ ] **Dependencies**: Up to date, no vulnerabilities481- [ ] **Row Level Security**: Enabled in Supabase482- [ ] **CORS**: Properly configured483- [ ] **File Uploads**: Validated (size, type)484- [ ] **Wallet Signatures**: Verified (if blockchain)485 486## Resources487 488- [OWASP Top 10](https://owasp.org/www-project-top-ten/)489- [Next.js Security](https://nextjs.org/docs/security)490- [Supabase Security](https://supabase.com/docs/guides/auth)491- [Web Security Academy](https://portswigger.net/web-security)492 493---494 495**Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.