Security Patterns

Quick Guide: Managing secrets? Use .env.local (gitignored), CI secrets (GitHub/Vercel), rotate quarterly. Dependency security? Enable Dependabot, audit weekly, patch critical vulns within 24hrs. XSS prevention? React escapes by default - never use dangerouslySetInnerHTML with user input. Sanitize with DOMPurify if needed. Set CSP headers. CODEOWNERS? Require security team review for auth/, .env.example, workflows.

Detailed Resources:

For code examples, see examples/core.md (essential patterns)
For decision frameworks and anti-patterns, see reference.md

Additional Examples:

examples/xss-prevention.md - XSS protection, DOMPurify, CSP headers
examples/dependency-security.md - Dependabot, CI security checks
examples/access-control.md - CODEOWNERS, rate limiting, branch protection

<critical_requirements>

CRITICAL: Before Using This Skill

All code must follow project conventions in CLAUDE.md (kebab-case, named exports, import ordering, import type, named constants)

(You MUST NEVER commit secrets to the repository - use .env.local and CI secrets only)

(You MUST sanitize ALL user input before rendering HTML - use DOMPurify with dangerouslySetInnerHTML)

(You MUST patch critical/high vulnerabilities within 24 hours - use Dependabot for automated scanning)

(You MUST use HttpOnly cookies for authentication tokens - NEVER localStorage or sessionStorage)

(You MUST configure CODEOWNERS for security-sensitive files - require security team approval)

</critical_requirements>

Auto-detection: security, secrets management, XSS prevention, CSRF protection, Dependabot, vulnerability scanning, authentication, DOMPurify, CSP headers, CODEOWNERS, HttpOnly cookies

When to use:

Managing secrets securely (never commit, use .env.local and CI secrets)
Setting up Dependabot for automated vulnerability scanning
Preventing XSS attacks (React escaping, DOMPurify, CSP headers)
Configuring CODEOWNERS for security-sensitive code
Implementing secure authentication and token storage

When NOT to use:

For general code quality (use reviewing skill instead)
For performance optimization (use performance skills)
For CI/CD pipeline setup (use ci-cd skill - security patterns here are for code, not pipelines)
When security review would delay critical hotfixes (document for follow-up)

Key patterns covered:

Never commit secrets (.gitignore, CI secrets, rotation policies quarterly)
Automated dependency scanning with Dependabot (critical within 24h)
XSS prevention (React's built-in escaping, DOMPurify for HTML, CSP headers)
CSRF protection with tokens and SameSite cookies
CODEOWNERS for security-sensitive areas (.env.example, auth code, workflows)
Secure token storage (HttpOnly cookies, in-memory access tokens)

Philosophy

Security is not a feature - it's a foundation. Every line of code must be written with security in mind. Defense in depth means multiple layers of protection, so if one fails, others catch the attack.

When to use security patterns:

Always - security is not optional
When handling user input (sanitize and validate)
When managing secrets (environment variables, rotation)
When storing authentication tokens (HttpOnly cookies)
When setting up CI/CD (vulnerability scanning, CODEOWNERS)

When NOT to compromise:

Never skip HTTPS in production
Never trust client-side validation alone
Never commit secrets to repository
Never use localStorage for sensitive tokens
Never bypass security reviews for critical code

Core principles:

Least privilege: Grant minimum necessary access
Defense in depth: Multiple layers of security
Fail securely: Default to deny, not allow
Don't trust user input: Always validate and sanitize
Assume breach: Plan for when (not if) attacks happen

Core Patterns

Pattern 1: Secret Management

Never commit secrets to the repository. Use environment variables in .env.local (gitignored) for development, and CI/CD secret managers for production. Rotate secrets quarterly or on team member departure.

What Are Secrets

Secrets include: API keys, tokens, passwords, database credentials, private keys, certificates, OAuth client secrets, encryption keys, JWT secrets.

Where to Store Secrets

Development:

.env.local (gitignored)
Per-developer local overrides
Never committed to repository

CI/CD:

GitHub Secrets
Vercel Environment Variables
GitLab CI/CD Variables
Other platform secret managers

Production:

Environment variables (injected by platform)
Secret management services (AWS Secrets Manager, HashiCorp Vault)
Never hardcoded in code

Rotation Policies

Note: NIST SP 800-63-4 (2025) recommends against mandatory periodic password rotation for users. Instead, use event-based rotation (on compromise, team member departure, or security incident). Periodic rotation is still recommended for service accounts and privileged access.

Secret Type	Rotation Frequency
Service account credentials	90 days (quarterly)
API keys	365 days (annually) or on compromise
User passwords	On compromise only (NIST 2025 guidance)
Privileged account passwords	90 days (quarterly)
Certificates	30 days warning before expiry
All secrets	Immediately on team member departure

See examples/core.md for code examples.

Pattern 2: Dependency Security

Enable automated vulnerability scanning with Dependabot to catch security issues in dependencies. Patch critical vulnerabilities within 24 hours, high within 1 week, medium within 1 month.

Update Policies

Security updates:

Critical vulnerabilities - Immediate (within 24 hours)
High vulnerabilities - Within 1 week
Medium vulnerabilities - Within 1 month
Low vulnerabilities - Next regular update cycle

Regular updates:

Patch updates (1.2.3 -> 1.2.4) - Auto-merge if tests pass
Minor updates (1.2.0 -> 1.3.0) - Review changes, test, merge
Major updates (1.0.0 -> 2.0.0) - Plan migration, test thoroughly

See examples/dependency-security.md for Dependabot configuration and CI security check scripts.

Pattern 3: XSS Prevention

React automatically escapes user input by default. Never use dangerouslySetInnerHTML with user input unless sanitized with DOMPurify. Configure Content Security Policy (CSP) headers to block unauthorized scripts.

React's Built-in Protection

React escapes all text content automatically. Only dangerouslySetInnerHTML bypasses this protection.

DOMPurify Sanitization

When HTML rendering is required, use DOMPurify with a whitelist of allowed tags and attributes.

Content Security Policy

Configure CSP headers to prevent unauthorized script execution even if XSS occurs.

See examples/xss-prevention.md for React, DOMPurify, and CSP code examples.

OWASP Top 10 2025 Coverage

This skill addresses the following OWASP Top 10:2025 categories:

OWASP Category	Coverage
A01: Broken Access Control	CODEOWNERS, branch protection, rate limiting
A02: Security Misconfiguration	CSP headers, security headers, Dependabot
A03: Software Supply Chain Failures (NEW)	Dependabot, CI security audits, dependency review
A04: Cryptographic Failures	HttpOnly/Secure cookies, HTTPS enforcement
A05: Injection (includes XSS)	DOMPurify, React auto-escaping, CSP
A07: Identification & Auth Failures	HttpOnly cookies, session management
A09: Security Logging & Alerting	(See observability skill)
A10: Mishandling Exceptional Conditions (NEW)	Fail securely principle, error handling

Integration Guide

Works with:

React: Built-in XSS protection via auto-escaping, use DOMPurify for rich HTML
Next.js: Configure security headers in middleware or next.config.js
GitHub: Dependabot for automated vulnerability scanning, CODEOWNERS for code review
Vercel/CI: Store secrets in environment variables, never commit
axios: Interceptors for automatic CSRF token injection
DOMPurify: Sanitize user HTML before rendering with dangerouslySetInnerHTML

Security layers:

Secrets: .env.local (dev) -> CI secrets (GitHub/Vercel) -> Environment variables (production)
XSS: React auto-escaping -> DOMPurify sanitization -> CSP headers
CSRF: Tokens -> SameSite cookies -> Server-side validation
Dependencies: Dependabot -> CI security audit -> Manual review

<critical_reminders>

CRITICAL REMINDERS

All code must follow project conventions in CLAUDE.md