security-checklist
Security Checklist for AI Coding Assistants
This is a strict guideline. Follow these rules exactly.
Critical security rules to follow when generating or modifying code.
Never Commit These Files
Environment files with actual values:
.env
.env.local
.env.development
.env.production
.env.test
.env.*
Always commit templates (no actual values):
.env_TEMPLATE
.env.example
Required gitignore patterns:
# Environment files
.env
.env.*
!.env_TEMPLATE
!.env.example
# AWS credentials
.aws/credentials
.aws/config
# SSH keys
*.pem
id_rsa
id_ed25519
Never Hardcode Secrets
❌ Never do this:
const apiKey = 'sk-1234567890abcdef';
const dbPassword = 'mypassword123';
const awsAccessKey = 'AKIAIOSFODNN7EXAMPLE';
✅ Always do this:
// Runtime: Load from environment
const apiKey = process.env.API_KEY;
if (!apiKey) throw new Error('API_KEY not set');
// Infrastructure: Reference from Secrets Manager/SSM
const secret = secretsmanager.Secret.fromSecretNameV2(
this, 'ApiKey',
'/project/prod/api-key'
);
Secret Storage
Use appropriate AWS services:
- Secrets Manager: Passwords, API keys, database credentials, tokens
- SSM Parameter Store (SecureString): Sensitive configuration values
- SSM Parameter Store (String): Non-sensitive configuration
Never:
- Hardcode secrets in code
- Commit secrets to git
- Log secrets to console/CloudWatch
- Pass secrets in URLs or query parameters
Token Handling in Frontend
❌ Never expose sensitive tokens:
// Don't put backend API keys in frontend code
const token = 'secret-backend-token';
✅ Use appropriate auth methods:
// Use public API keys or user-specific tokens
const publicKey = process.env.NEXT_PUBLIC_API_KEY; // Public, safe to expose
const userToken = cookies.get('auth-token'); // User-specific, from auth flow
Environment Variable Validation
Always validate required secrets exist:
// At application startup
const required = ['DATABASE_URL', 'API_KEY', 'JWT_SECRET'];
const missing = required.filter(key => !process.env[key]);
if (missing.length > 0) {
throw new Error(`Missing required secrets: ${missing.join(', ')}`);
}
Code Review Checklist
Before committing, verify:
- No hardcoded passwords, API keys, or tokens
- No
.envfiles with actual values - Gitignore includes all secret file patterns
- Environment variables validated at startup
- Secrets loaded from Secrets Manager/SSM in infrastructure
- No secrets in console.log or error messages
- Frontend only uses public API keys or user-specific tokens
When in Doubt
Stop and ask if:
- You're about to commit a file with "key", "secret", "password", or "token" in the content
- You're hardcoding any credential or sensitive value
- You're unsure if a value should be in git or environment variables
Default to secure: If uncertain whether something is sensitive, treat it as a secret.
Related:
Progressive Improvement
If the developer corrects a behavior that this skill should have prevented, suggest a specific amendment to this skill to prevent the same correction in the future.
More from loxosceles/ai-dev
static-frontend-hosting
S3 + CloudFront + Lambda@Edge for low-cost global hosting with edge authentication. Apply when setting up frontend hosting infrastructure.
59code-review
Multi-perspective code review strategy covering architecture, security, performance, and quality. Follow when reviewing code or analyzing changes.
46frontend-code-quality
Essential guidelines for clear, maintainable frontend code. Follow when writing or reviewing frontend components, composables, or pages.
46command-execution
Guidelines for executing commands and running scripts. Follow when running shell commands, installing packages, or using project scripts.
45cdk-bootstrap-configuration
CDK synth-time configuration pattern without context caching. Apply when working on CDK infrastructure code or adding new configuration parameters.
45environment-validation
Validate configuration early to fail fast. Apply when writing setup scripts, Lambda cold starts, or any initialization code that depends on environment variables.
45