security-engineer
Security Engineer Skill
Application security, vulnerability assessment and secure coding practices.
When to Use
- When doing security code review
- When evaluating vulnerability scan results
- When implementing security best practices
- When building authentication and authorization
- When implementing data encryption
- When performing security audit compliance checks
- When preventing OWASP Top 10 vulnerabilities
- When doing input validation and output encoding
Instructions
Tasks
- Security code reviews
- Vulnerability scanning
- Security best practices implementation
- Authentication and authorization
- Data encryption
- Security audit compliance
- OWASP Top 10 prevention
Rules
- Validate all user input
- Output encoding (prevent XSS)
- SQL injection prevention
- CSRF protection
- Secure headers (CSP, HSTS, X-Frame-Options)
- Secret management
- Regular security audits
OWASP Top 10 Prevention (2017 list)
1. Injection (SQL, NoSQL, Command)
- Use parameterized queries
- Validate and sanitize input
- Use ORMs where possible
2. Broken Authentication
- Implement proper session management
- Use secure password hashing (bcrypt, scrypt or Argon2id)
- Implement MFA where possible
3. Sensitive Data Exposure
- Encrypt data at rest and in transit
- Use HTTPS everywhere
- Don't store sensitive data unnecessarily
4. XML External Entities (XXE)
- Disable XML external entity processing
- Use JSON instead of XML
5. Broken Access Control
- Implement proper authorization checks
- Use role-based access control (RBAC)
- Deny by default
6. Security Misconfiguration
- Disable debug mode in production
- Remove default credentials
- Keep dependencies updated
7. Cross-Site Scripting (XSS)
- Encode output
- Use Content Security Policy
- Sanitize rich-text input with an allowlist; encode everything else at render time
8. Insecure Deserialization
- Don't deserialize untrusted data
- Use type checking
- Implement integrity checks
9. Using Components with Known Vulnerabilities
- Keep dependencies updated
- Monitor security advisories
- Use npm audit / Snyk
10. Insufficient Logging & Monitoring
- Log security events
- Implement alerting
- Regular log review
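Item 8 above lists "type checking" and "integrity checks" for deserialization without showing what they look like in practice. The block below is an added example written for this page, not code from the skill or from Supabase: a session object is serialized to JSON and HMAC-signed with a server-side key; on the way back the signature is checked with a constant-time comparison before `JSON.parse` runs, and the parsed value is then inspected field by field (and rejected if it carries `__proto__`, `constructor` or `prototype` keys) instead of being cast to the expected type. The `Session` shape, the UUID format, the key and the tokens are all constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Shape we are willing to accept back from an untrusted source (constructed for this example).
export type Session = { userId: string; role: "member" | "admin"; exp: number };

// JSON.parse turns "__proto__" into an ordinary own property, but code that later merges the
// object into another one (Object.assign, spread, deep-merge helpers) can end up writing to
// Object.prototype. Refusing these keys up front is cheaper than auditing every merge site.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function hmac(body: string, key: string): Buffer {
  return createHmac("sha256", key).update(body).digest();
}

// Sign an already-encoded body. Exported so tests can build tampered tokens.
export function signBody(body: string, key: string): string {
  return `${body}.${hmac(body, key).toString("base64url")}`;
}

// Serialize and sign a payload: base64url(JSON) + "." + base64url(HMAC-SHA256).
export function sign(payload: object, key: string): string {
  return signBody(Buffer.from(JSON.stringify(payload)).toString("base64url"), key);
}

// Verify first, parse second, validate third. Any failure yields null so callers
// can never use a half-checked value.
export function verifyAndParse(
  token: string,
  key: string,
  now: number = Math.floor(Date.now() / 1000),
): Session | null {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [body, mac] = parts;
  const expected = hmac(body, key);
  const given = Buffer.from(mac, "base64url");
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  let raw: unknown;
  try {
    raw = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  return toSession(raw, now);
}

// Type checking by inspection, not by `as Session`: each field is tested for the exact
// type and range the application expects.
function toSession(raw: unknown, now: number): Session | null {
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return null;
  const obj = raw as Record<string, unknown>;
  if (Object.keys(obj).some((k) => FORBIDDEN_KEYS.has(k))) return null;

  const { userId, role, exp } = obj;
  if (typeof userId !== "string" || !/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/.test(userId)) return null;
  if (role !== "member" && role !== "admin") return null;
  if (typeof exp !== "number" || !Number.isInteger(exp) || exp <= now) return null;
  return { userId, role, exp };
}
```

The order matters: the MAC is checked before anything is parsed, so an attacker who cannot produce a valid signature never reaches the parser at all, and the field checks catch a correctly signed but stale or malformed blob produced by an older version of the code.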
Secure Headers Configuration
```ts
// next.config.ts
import type { NextConfig } from "next";

const securityHeaders = [
  // Not a security control; it only lets the browser resolve DNS for links early.
  { key: "X-DNS-Prefetch-Control", value: "on" },
  // Two years, subdomains included. Keep "preload" only if you actually submit the
  // domain to the HSTS preload list; preloading is hard to undo.
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  // Legacy clickjacking defence for old browsers; CSP frame-ancestors below is authoritative.
  { key: "X-Frame-Options", value: "DENY" },
  // Stops MIME sniffing, so an uploaded file served as text cannot be executed as script.
  { key: "X-Content-Type-Options", value: "nosniff" },
  // The XSS auditor this header controlled was removed from Chromium and never shipped in
  // Firefox; "1; mode=block" is no longer recommended because the auditor itself enabled
  // side-channel leaks. OWASP's current guidance is to disable it and rely on CSP.
  { key: "X-XSS-Protection", value: "0" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  {
    key: "Content-Security-Policy",
    // 'unsafe-inline' and 'unsafe-eval' in script-src let injected inline scripts and
    // eval() run, so this policy does not stop XSS; it only restricts where resources
    // load from. Before relying on CSP as an XSS control, move to per-request nonces or hashes.
    value: `
      default-src 'self';
      script-src 'self' 'unsafe-eval' 'unsafe-inline';
      style-src 'self' 'unsafe-inline';
      img-src 'self' data: https:;
      font-src 'self';
      connect-src 'self' https://*.supabase.co;
      frame-ancestors 'none';
    `.replace(/\s+/g, " ").trim(),
  },
];

const nextConfig: NextConfig = {
  async headers() {
    // Apply to every route, including API routes and static assets.
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};

export default nextConfig;
```
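A CSP is easy to ship and hard to eyeball; the policy above, for example, carries both `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, which means it does not actually mitigate XSS. The block below is an added example, not code from the skill: a small parser for CSP header values plus an audit routine that applies the checks a reviewer would run (inline/eval allowed without a nonce or hash, wildcard script sources, missing `base-uri`, `object-src`, `frame-ancestors` and `form-action`). `PAGE_CSP` is the policy from the `next.config.ts` above; `HARDENED_CSP` is a constructed nonce-based alternative, and its nonce value is a placeholder rather than something a real response would send.

```typescript
// Parse a CSP header value into directive -> source list. Browsers honour the first
// occurrence of a directive and ignore later duplicates, so the parser does the same.
export function parseCsp(policy: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const segment of policy.split(";")) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Return human-readable findings; an empty array means none of the checks fired.
export function auditCsp(policy: string): string[] {
  const d = parseCsp(policy);
  const findings: string[] = [];

  // script-src falls back to default-src when absent.
  const scriptSrc = (d.get("script-src") ?? d.get("default-src"))?.map((s) => s.toLowerCase());
  if (!scriptSrc) {
    findings.push("no script-src or default-src: scripts may load from any origin");
  } else {
    // CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash is present,
    // so only flag it when it is actually in effect.
    const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline': injected <script> blocks and event handlers execute, so the policy does not mitigate XSS");
    }
    if (scriptSrc.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval': injected strings can reach eval()/new Function()");
    }
    if (scriptSrc.some((s) => s === "*" || s === "https:" || s === "http:")) {
      findings.push("script-src allows a wildcard or bare scheme: any host can serve scripts");
    }
  }
  // object-src also falls back to default-src; the remaining directives have no fallback.
  if (!d.has("object-src") && !d.has("default-src")) findings.push("no object-src: plugin content is unrestricted");
  if (!d.has("base-uri")) findings.push("no base-uri: an injected <base href> can redirect every relative script URL to an attacker host");
  if (!d.has("frame-ancestors")) findings.push("no frame-ancestors: the page can be framed for clickjacking");
  if (!d.has("form-action")) findings.push("no form-action: an injected <form> can post credentials to another origin");
  return findings;
}

// The policy as written in the next.config.ts above, whitespace collapsed the same way.
export const PAGE_CSP = `
  default-src 'self';
  script-src 'self' 'unsafe-eval' 'unsafe-inline';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  font-src 'self';
  connect-src 'self' https://*.supabase.co;
  frame-ancestors 'none';
`.replace(/\s+/g, " ").trim();

// Constructed nonce-based alternative; 'nonce-PLACEHOLDER' stands in for a fresh per-response value.
export const HARDENED_CSP = [
  "default-src 'self'",
  "script-src 'self' 'nonce-PLACEHOLDER' 'strict-dynamic'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data:",
  "font-src 'self'",
  "connect-src 'self' https://*.supabase.co",
  "object-src 'none'",
  "base-uri 'none'",
  "frame-ancestors 'none'",
  "form-action 'self'",
].join("; ");
```

Run `auditCsp` in a test against the header your app really sends (fetch a page and read `Content-Security-Policy`) rather than against the source string; middleware or a hosting platform can rewrite it.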
Input Validation Example
```ts
import { z } from "zod";
// In Node (server components, API routes) DOMPurify needs a DOM: use isomorphic-dompurify
// or construct a jsdom window. The plain "dompurify" import works in the browser.
import DOMPurify from "dompurify";
import type { SupabaseClient } from "@supabase/supabase-js";

// Schema with strict validation: allowlist what is accepted instead of blocklisting bad input.
const userInputSchema = z.object({
  name: z
    .string()
    .min(2, "Name must be at least 2 characters")
    .max(100, "Name may be at most 100 characters")
    // Letters (including Turkish ones) and whitespace only
    .regex(/^[a-zA-ZğüşıöçĞÜŞİÖÇ\s]+$/, "Only letters and spaces are allowed"),
  email: z
    .string()
    .email("Enter a valid e-mail address")
    .max(255),
  phone: z
    .string()
    // Optional leading +, then 10 to 15 digits, no separators
    .regex(/^\+?[0-9]{10,15}$/, "Enter a valid phone number")
    .optional(),
});

// Sanitize HTML content that is meant to be rendered as rich text. Plain text should be
// output-encoded at render time instead; sanitizing is only for markup you intend to keep.
function sanitizeHtml(dirty: string): string {
  return DOMPurify.sanitize(dirty, {
    ALLOWED_TAGS: ["b", "i", "em", "strong", "p", "br"],
    ALLOWED_ATTR: [], // no attributes at all, so no href="javascript:" or on* handlers
  });
}

// SQL injection prevention - use parameterized queries.
// The Supabase query builder sends filters as PostgREST parameters, never as SQL text,
// and the `id: number` type plus schema validation upstream reject non-numeric input early.
async function getMemberById(supabase: SupabaseClient, id: number) {
  // BAD: String concatenation (NEVER DO THIS)
  // const query = `SELECT * FROM members WHERE id = ${id}`;

  // GOOD: Parameterized query
  const { data, error } = await supabase
    .from("members")
    .select("*")
    .eq("id", id)
    .single();
  if (error) throw error;
  return data;
}
```
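The rules above call for "output encoding (prevent XSS)" as a separate control from sanitizing, and the code so far only shows the sanitizer. The block below is an added example, not code from the skill: a minimal HTML entity encoder for element text and quoted attribute values, a template that uses it, and a URL-context helper that shows why encoding alone is not enough for `href`. The element names, the greeting markup and the test inputs are constructed for the example.

```typescript
// The five characters that can break out of element text or a double-quoted attribute.
// Everything else can be left as-is in those two contexts.
const HTML_ENTITIES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

export function escapeHtml(untrusted: string): string {
  return untrusted.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Only encoded text reaches the template, and attribute values are always double-quoted:
// with an unquoted attribute a single space in the input would start a new attribute.
export function renderGreeting(displayName: string): string {
  const safe = escapeHtml(displayName);
  return `<p class="greeting" title="${safe}">Welcome, ${safe}!</p>`;
}

// href/src are URL contexts. Encoding does not help there because "javascript:alert(1)"
// contains nothing to encode; parse the value, allowlist the scheme, then encode the
// result for the attribute it is placed in.
export function safeHref(untrustedUrl: string): string | null {
  let parsed: URL;
  try {
    parsed = new URL(untrustedUrl);
  } catch {
    return null; // relative or malformed: this helper accepts absolute http(s) URLs only
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  return escapeHtml(parsed.href);
}
```

The sanitizer earlier and this encoder are not interchangeable: `sanitizeHtml` is for a field where the user may legitimately submit `<b>` and `<p>`, while `escapeHtml` is for every other place a string is dropped into markup, and it must run at render time in the context where the value lands, not once at input time.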
Authentication Security
```ts
import { createServerClient } from "@supabase/ssr";
import { cookies } from "next/headers";

// Secure session validation (server side)
export async function getSession() {
  const cookieStore = await cookies();
  const supabase = createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        getAll() {
          return cookieStore.getAll();
        },
        // Needed so a refreshed token can be written back. In a Server Component
        // cookieStore.set() throws; that is safe to ignore when middleware refreshes sessions.
        setAll(cookiesToSet) {
          try {
            cookiesToSet.forEach(({ name, value, options }) =>
              cookieStore.set(name, value, options)
            );
          } catch {
            // called from a Server Component
          }
        },
      },
    }
  );

  // getSession() only decodes what is in the cookie; it does not verify the token with the
  // Auth server, so a forged cookie would pass. getUser() does verify (and fails for revoked
  // tokens), which is why Supabase documents it as the call to protect server code with.
  const { data: { user }, error: userError } = await supabase.auth.getUser();
  if (userError || !user) {
    return null;
  }

  const { data: { session }, error } = await supabase.auth.getSession();
  if (error || !session) {
    return null;
  }

  // Verify session is not expired (expires_at is Unix seconds)
  const now = Math.floor(Date.now() / 1000);
  if (session.expires_at && session.expires_at < now) {
    return null;
  }
  return session;
}
```

```ts
// Rate limiting for auth endpoints
import { Ratelimit } from "@upstash/ratelimit";
import { Redis } from "@upstash/redis";

// State lives in Redis so the limit holds across serverless instances.
const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(), // reads UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN
  limiter: Ratelimit.slidingWindow(5, "1 m"), // 5 attempts per minute
});

// `identifier` is the bucket key: typically the client IP, the target account, or both.
export async function rateLimitCheck(identifier: string) {
  const { success, remaining } = await ratelimit.limit(identifier);
  if (!success) {
    throw new Error("Too many attempts. Please wait.");
  }
  return { remaining };
}
```
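The `rateLimitCheck` above delegates the counting to Upstash, which makes it hard to see what "5 per sliding minute" means or how the key should be built. The block below is an added example, not code from the skill or from the Upstash SDK: an in-memory sliding-window log with an injectable clock, a key helper that normalises the account identifier and combines it with the client IP, and a gate that raises the same kind of error as `rateLimitCheck`. The class, function and key names, the IP addresses and the e-mail addresses are constructed for the example; production code keeps this state in Redis exactly as the page does.

```typescript
// Sliding-window log with the same semantics as Ratelimit.slidingWindow(5, "1 m") above:
// at most `limit` accepted requests in any trailing `windowMs` interval. Denied requests
// are not recorded, so a client that keeps hammering does not push its own reset further out.
export class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>();

  constructor(
    private readonly limit: number,
    private readonly windowMs: number,
    private readonly now: () => number = Date.now, // injectable for tests
  ) {}

  check(identifier: string): { success: boolean; remaining: number; retryAfterMs: number } {
    const t = this.now();
    // Drop timestamps that have left the window.
    const recent = (this.hits.get(identifier) ?? []).filter((ts) => ts > t - this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(identifier, recent);
      // The oldest remaining hit is the next one to expire.
      return { success: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(identifier, recent);
    return { success: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// Key construction matters as much as the limit. Normalise the account identifier so
// "Alice@Example.com" and "alice@example.com" share a bucket, and include the client IP
// so a stranger cannot lock an account out without also spending their own IP's budget.
export function authRateLimitKey(clientIp: string, email: string): string {
  return `auth:${clientIp}:${email.trim().toLowerCase()}`;
}

// Gate a login attempt; returns the remaining budget or throws, like rateLimitCheck above.
export function checkLoginAttempt(limiter: SlidingWindowLimiter, clientIp: string, email: string): number {
  const result = limiter.check(authRateLimitKey(clientIp, email));
  if (!result.success) {
    throw new Error(`Too many attempts. Retry in ${Math.ceil(result.retryAfterMs / 1000)} s.`);
  }
  return result.remaining;
}
```

A single IP+account key stops a fast brute force from one host but not a slow distributed one; in practice an auth endpoint runs two limiters, a generous per-IP one and a stricter per-account one, and returns the stricter verdict.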
Security Audit Checklist
- [ ] All user inputs are validated
- [ ] SQL injection prevention verified
- [ ] XSS prevention implemented
- [ ] CSRF tokens used for state-changing operations
- [ ] Authentication properly implemented
- [ ] Authorization checks on all endpoints
- [ ] Sensitive data encrypted
- [ ] Security headers configured
- [ ] Dependencies are up-to-date
- [ ] No secrets in code or logs
- [ ] Error messages don't expose sensitive info
- [ ] Rate limiting implemented
- [ ] Audit logging enabled