Name: Secure Code Guardian
Author: Jeffallan

Install

Terminal · npx

$npx skills add https://github.com/jeffallan/claude-skills --skill secure-code-guardian

Works with Paperclip

How Secure Code Guardian fits into a Paperclip company.

Secure Code Guardian drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.

SaaS FactoryPaired

Pre-configured AI company — 18 agents, 18 skills, one-time purchase.

$27$59

Explore pack

Source file

SKILL.md191 linesmarkdown

Expand

1---2name: secure-code-guardian3description: Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities — including custom security implementations such as hashing passwords with bcrypt/argon2, sanitizing SQL queries with parameterized statements, configuring CORS/CSP headers, validating input with Zod, and setting up JWT tokens. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention, secure session management, and security hardening. For pre-built OAuth/SSO integrations or standalone security audits, consider a more specialized skill.4license: MIT5metadata:6  author: https://github.com/Jeffallan7  version: "1.1.0"8  domain: security9  triggers: security, authentication, authorization, encryption, OWASP, vulnerability, secure coding, password, JWT, OAuth10  role: specialist11  scope: implementation12  output-format: code13  related-skills: fullstack-guardian, security-reviewer, architecture-designer14---15 16# Secure Code Guardian17 18## Core Workflow19 201. **Threat model** — Identify attack surface and threats212. **Design** — Plan security controls223. **Implement** — Write secure code with defense in depth; see code examples below234. **Validate** — Test security controls with explicit checkpoints (see below)245. **Document** — Record security decisions25 26### Validation Checkpoints27 28After each implementation step, verify:29 30- **Authentication**: Test brute-force protection (lockout/rate limit triggers), session fixation resistance, token expiration, and invalid-credential error messages (must not leak user existence).31- **Authorization**: Verify horizontal and vertical privilege escalation paths are blocked; test with tokens belonging to different roles/users.32- **Input handling**: Confirm SQL injection payloads (`' OR 1=1--`) are rejected; confirm XSS payloads (`<script>alert(1)</script>`) are escaped or rejected.33- **Headers/CORS**: Validate with a security scanner (e.g., `curl -I`, Mozilla Observatory) that security headers are present and CORS origin allowlist is correct.34 35## Reference Guide36 37Load detailed guidance based on context:38 39| Topic | Reference | Load When |40|-------|-----------|-----------|41| OWASP | `references/owasp-prevention.md` | OWASP Top 10 patterns |42| Authentication | `references/authentication.md` | Password hashing, JWT |43| Input Validation | `references/input-validation.md` | Zod, SQL injection |44| XSS/CSRF | `references/xss-csrf.md` | XSS prevention, CSRF |45| Headers | `references/security-headers.md` | Helmet, rate limiting |46 47## Constraints48 49### MUST DO50- Hash passwords with bcrypt/argon2 (never MD5/SHA-1/unsalted hashes)51- Use parameterized queries (never string-interpolated SQL)52- Validate and sanitize all user input before use53- Implement rate limiting on auth endpoints54- Set security headers (CSP, HSTS, X-Frame-Options)55- Log security events (failed auth, privilege escalation attempts)56- Store secrets in environment variables or secret managers (never in source code)57 58### MUST NOT DO59- Store passwords in plaintext or reversibly encrypted form60- Trust user input without validation61- Expose sensitive data in logs or error responses62- Use weak or deprecated algorithms (MD5, SHA-1, DES, ECB mode)63- Hardcode secrets or credentials in code64 65## Code Examples66 67### Password Hashing (bcrypt)68 69```typescript70import bcrypt from 'bcrypt';71 72const SALT_ROUNDS = 12; // minimum 10; 12 balances security and performance73 74export async function hashPassword(plaintext: string): Promise<string> {75  return bcrypt.hash(plaintext, SALT_ROUNDS);76}77 78export async function verifyPassword(plaintext: string, hash: string): Promise<boolean> {79  return bcrypt.compare(plaintext, hash);80}81```82 83### Parameterized SQL Query (Node.js / pg)84 85```typescript86// NEVER: `SELECT * FROM users WHERE email = '${email}'`87// ALWAYS: use positional parameters88import { Pool } from 'pg';89const pool = new Pool();90 91export async function getUserByEmail(email: string) {92  const { rows } = await pool.query(93    'SELECT id, email, role FROM users WHERE email = $1',94    [email]  // value passed separately — never interpolated95  );96  return rows[0] ?? null;97}98```99 100### Input Validation with Zod101 102```typescript103import { z } from 'zod';104 105const LoginSchema = z.object({106  email: z.string().email().max(254),107  password: z.string().min(8).max(128),108});109 110export function validateLoginInput(raw: unknown) {111  const result = LoginSchema.safeParse(raw);112  if (!result.success) {113    // Return generic error — never echo raw input back114    throw new Error('Invalid credentials format');115  }116  return result.data;117}118```119 120### JWT Validation121 122```typescript123import jwt from 'jsonwebtoken';124 125const JWT_SECRET = process.env.JWT_SECRET!; // never hardcode126 127export function verifyToken(token: string): jwt.JwtPayload {128  // Throws if expired, tampered, or wrong algorithm129  const payload = jwt.verify(token, JWT_SECRET, {130    algorithms: ['HS256'],   // explicitly allowlist algorithm131    issuer: 'your-app',132    audience: 'your-app',133  });134  if (typeof payload === 'string') throw new Error('Invalid token payload');135  return payload;136}137```138 139### Securing an Endpoint — Full Flow140 141```typescript142import express from 'express';143import rateLimit from 'express-rate-limit';144import helmet from 'helmet';145 146const app = express();147app.use(helmet()); // sets CSP, HSTS, X-Frame-Options, etc.148app.use(express.json({ limit: '10kb' })); // limit payload size149 150const authLimiter = rateLimit({151  windowMs: 15 * 60 * 1000, // 15 minutes152  max: 10,                   // 10 attempts per window per IP153  standardHeaders: true,154  legacyHeaders: false,155});156 157app.post('/api/login', authLimiter, async (req, res) => {158  // 1. Validate input159  const { email, password } = validateLoginInput(req.body);160 161  // 2. Authenticate — parameterized query, constant-time compare162  const user = await getUserByEmail(email);163  if (!user || !(await verifyPassword(password, user.passwordHash))) {164    // Generic message — do not reveal whether email exists165    return res.status(401).json({ error: 'Invalid credentials' });166  }167 168  // 3. Authorize — issue scoped, short-lived token169  const token = jwt.sign(170    { sub: user.id, role: user.role },171    JWT_SECRET,172    { algorithm: 'HS256', expiresIn: '15m', issuer: 'your-app', audience: 'your-app' }173  );174 175  // 4. Secure response — token in httpOnly cookie, not body176  res.cookie('token', token, { httpOnly: true, secure: true, sameSite: 'strict' });177  return res.json({ message: 'Authenticated' });178});179```180 181## Output Templates182 183When implementing security features, provide:1841. Secure implementation code1852. Security considerations noted1863. Configuration requirements (env vars, headers)1874. Testing recommendations188 189## Knowledge Reference190 191OWASP Top 10, bcrypt/argon2, JWT, OAuth 2.0, OIDC, CSP, CORS, rate limiting, input validation, output encoding, encryption (AES, RSA), TLS, security headers

Related skills

Angular Architect

Install Angular Architect skill for Claude Code from jeffallan/claude-skills.

Api Designer

Install Api Designer skill for Claude Code from jeffallan/claude-skills.

Architecture Designer

Install Architecture Designer skill for Claude Code from jeffallan/claude-skills.