Security Best Practices
Overview
Identify in-scope languages/frameworks, load matching guidance from references/, and apply it to:
- write secure-by-default code,
- flag critical issues during normal work,
- produce a prioritized security report when requested.
Workflow
- Identify all in-scope languages/frameworks (frontend and backend where applicable).
- Load all matching files from references/: `<language>-<framework>-<stack>-security.md` and `<language>-general-<stack>-security.md`, when present.
- For full-stack web work, cover both frontend and backend.
- If the frontend framework is unspecified, also load `javascript-general-web-frontend-security.md`.
- If no matching references exist, use established best practices; if uncertain, research recent authoritative sources.
Modes
- Default mode: apply guidance while implementing code.
- Passive mode: flag high-impact vulnerabilities/security regressions while working.
- Report mode: when asked for review/report/security hardening, produce a full prioritized report, then offer fixes.
Workflow Decision Tree
- Language/framework unclear: inspect repo, list evidence.
- Matching references exist: load only relevant files and follow them.
- No references: use established best practices; if user requested a report, state that concrete local guidance was unavailable.
Overrides
Project constraints can require exceptions. Follow project docs/prompts when they explicitly override a best practice. You may report the deviation, but do not block progress. Recommend documenting the rationale for future consistency.
Report Format
When asked for a report:
- Write Markdown to `security_best_practices_report.md` unless the user specifies another path.
- Include a short executive summary.
- Group findings by severity/urgency.
- Assign numeric IDs to all findings.
- For critical findings, include a one-sentence impact statement.
- Include precise code references with line numbers.
- After writing, summarize findings in chat and state the report path.
Fixes
- After report delivery, ask user whether to proceed with fixes.
- If passive mode finds a critical issue, notify user and ask whether to fix it.
- Fix one finding at a time.
- Keep comments concise and rationale-focused.
- Preserve functionality; evaluate regression risk and second-order effects.
- Follow project commit/change flow; if committing, use clear security-focused messages.
- Follow project test flow before finalizing fixes.
General Security Advice
Public IDs
Do not expose small auto-incrementing IDs for internet-facing resources; they let anyone enumerate other records by guessing neighbouring values. Prefer UUIDv4 or long random IDs generated from a cryptographic RNG.
TLS
Do not report missing TLS as a blanket issue in local/dev contexts. Cookies with the Secure attribute are only sent over TLS, so enabling them unconditionally breaks non-TLS local deployments. Prefer environment-gated secure-cookie behavior: set Secure in production, where TLS is in place, and leave it off for local non-TLS runs. Avoid recommending HSTS unless the team fully understands the operational lock-in and outage risk.