security-audit
Originally fromsickn33/antigravity-awesome-skills
SKILL.md
Resources
scripts/
validate-security-audit.sh
references/
security-patterns.md
Security Audit
This skill guides you through performing comprehensive security audits on codebases to identify vulnerabilities, insecure patterns, and configuration issues. Use this when conducting security reviews, preparing for production deployments, or responding to security incidents.
When to Use This Skill
- Conducting pre-deployment security reviews
- Responding to security incidents or vulnerability reports
- Performing periodic security audits on existing codebases
- Validating security controls after major feature additions
- Preparing for security compliance audits (SOC 2, ISO 27001)
- Onboarding new team members to security standards
Audit Methodology
A systematic security audit follows these phases:
Phase 1: Reconnaissance
Objective: Understand the application architecture, tech stack, and attack surface.
Use precision_grep to map the codebase:
precision_grep:
queries:
- id: auth_patterns
pattern: "(session|token|auth|login|password|jwt)"
glob: "**/*.{ts,tsx,js,jsx}"
- id: api_endpoints
pattern: "(router\\.(get|post|put|delete)|export.*GET|export.*POST)"
glob: "**/*.{ts,tsx,js,jsx}"
- id: database_queries
pattern: "(prisma\\.|db\\.|query\\(|execute\\()"
glob: "**/*.{ts,tsx,js,jsx}"
- id: env_usage
pattern: "process\\.env\\."
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: minimal
Identify critical components:
- Authentication flows (login, registration, password reset)
- Authorization middleware and guards
- API endpoints (public vs authenticated)
- Database access patterns
- File upload/download handlers
- Payment processing logic
- Admin panels or privileged operations
Phase 2: Authentication Audit
Objective: Verify secure authentication implementation.
Check for Weak Session Management
Search for session configuration issues:
precision_grep:
queries:
- id: session_config
pattern: "(session|cookie).*secure.*false|httpOnly.*false|sameSite.*(none|lax)"
glob: "**/*.{ts,tsx,js,jsx}"
- id: jwt_secrets
pattern: "jwt\\.sign.*secret.*[\"'][^\"']{1,20}[\"']|new.*JwtStrategy"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: standard
Common vulnerabilities:
- Session cookies without
httpOnlyflag (exposes to XSS) - Session cookies without
secureflag (allows HTTP transmission) - Weak JWT secrets (under 32 bytes entropy)
- Sessions without expiration (immortal sessions)
- No session invalidation on logout
Secure session example:
import { cookies } from 'next/headers';
export async function createSession(userId: string) {
const sessionToken = await generateSecureToken();
const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days
await db.session.create({
data: {
token: sessionToken,
userId,
expiresAt,
},
});
cookies().set('session', sessionToken, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
expires: expiresAt,
path: '/',
});
}
export async function invalidateSession(sessionToken: string) {
await db.session.delete({ where: { token: sessionToken } });
cookies().delete('session');
}
Check for Password Security Issues
Search for weak password handling:
precision_grep:
queries:
- id: password_storage
pattern: "password.*=.*(req\\.body|params|query)|password.*toString|password.*text"
glob: "**/*.{ts,tsx,js,jsx}"
- id: password_hashing
pattern: "(bcrypt|argon2|scrypt|pbkdf2)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: verbose
Common vulnerabilities:
- Passwords stored in plain text
- Weak hashing algorithms (MD5, SHA1, SHA256 without salt)
- No password complexity requirements
- Password hints or recovery questions
- Passwords logged or exposed in error messages
Secure password hashing:
import { hash, verify } from '@node-rs/argon2';
export async function hashPassword(password: string): Promise<string> {
return await hash(password, {
memoryCost: 19456, // 19 MB
timeCost: 2,
outputLen: 32,
parallelism: 1,
});
}
export async function verifyPassword(
hash: string,
password: string
): Promise<boolean> {
try {
return await verify(hash, password);
} catch {
return false;
}
}
Check for MFA Implementation
Search for MFA patterns:
precision_grep:
queries:
- id: mfa_usage
pattern: "(totp|authenticator|2fa|mfa|otp)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: minimal
MFA best practices:
- TOTP (Time-based One-Time Password) using authenticator apps
- Backup codes for account recovery
- SMS OTP as fallback (not primary)
- WebAuthn/FIDO2 for hardware keys
- Rate limiting on OTP verification
Phase 3: Authorization Audit
Objective: Ensure proper access controls and permission checks.
Check for Missing Authorization Checks
Identify API endpoints:
precision_grep:
queries:
- id: api_routes
pattern: "export async function (GET|POST|PUT|DELETE|PATCH)"
glob: "**/api/**/*.{ts,tsx,js,jsx}"
- id: auth_middleware
pattern: "(requireAuth|withAuth|authorize|checkPermission)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: locations
Manual review checklist:
- Do all authenticated endpoints verify user identity?
- Do endpoints check resource ownership (user can only access their own data)?
- Are admin routes protected by role checks?
- Is authorization checked server-side (not just client-side)?
Common vulnerabilities:
- Insecure Direct Object Reference (IDOR):
/api/users/123returns any user - Privilege escalation: Regular user can access admin functions
- Missing authorization: Endpoints rely on client-side checks only
Secure authorization pattern:
import { auth } from '@/lib/auth';
import { db } from '@/lib/db';
import { NextResponse } from 'next/server';
export async function GET(
req: Request,
{ params }: { params: { id: string } }
) {
const session = await auth();
if (!session) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
const post = await db.post.findUnique({
where: { id: params.id },
select: { id: true, title: true, content: true, authorId: true },
});
if (!post) {
return NextResponse.json({ error: 'Not found' }, { status: 404 });
}
// Check ownership
if (post.authorId !== session.user.id) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
}
return NextResponse.json(post);
}
Check for Role-Based Access Control (RBAC)
Search for role definitions:
precision_grep:
queries:
- id: role_checks
pattern: "(role.*===|role.*includes|hasRole|checkRole|permissions)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: matches
RBAC implementation:
type Role = 'user' | 'admin' | 'moderator';
type Permission =
| 'posts:read'
| 'posts:write'
| 'posts:delete'
| 'users:manage'
| 'settings:admin';
const rolePermissions: Record<Role, Permission[]> = {
user: ['posts:read', 'posts:write'],
moderator: ['posts:read', 'posts:write', 'posts:delete'],
admin: ['posts:read', 'posts:write', 'posts:delete', 'users:manage', 'settings:admin'],
};
export function hasPermission(role: Role, permission: Permission): boolean {
return rolePermissions[role].includes(permission);
}
export function requirePermission(permission: Permission) {
return async (req: Request) => {
const session = await auth();
if (!session || !hasPermission(session.user.role, permission)) {
throw new Error('Insufficient permissions');
}
};
}
Phase 4: Input Validation Audit
Objective: Prevent injection attacks and malicious input.
Check for SQL Injection
Search for unsafe database queries:
precision_grep:
queries:
- id: raw_sql
pattern: "(\\$executeRaw|\\$queryRaw|db\\.query|connection\\.query).*\\$\\{|.*`.*\\$\\{"
glob: "**/*.{ts,tsx,js,jsx}"
- id: string_concatenation
pattern: "(SELECT|INSERT|UPDATE|DELETE).*\\+.*req\\.(body|query|params)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: verbose
Common vulnerabilities:
- String concatenation in SQL queries
- Unsanitized user input in raw SQL
- Dynamic table/column names from user input
Secure database queries:
// UNSAFE - SQL injection vulnerable
export async function getUserByEmail(email: string) {
const query = `SELECT * FROM users WHERE email = '${email}'`;
return await db.$queryRawUnsafe(query);
}
// SAFE - Parameterized query
export async function getUserByEmail(email: string) {
return await db.user.findUnique({
where: { email },
});
}
// SAFE - Raw query with parameters
export async function searchUsers(query: string) {
return await db.$queryRaw`
SELECT id, name, email
FROM users
WHERE name ILIKE ${'%' + query + '%'}
LIMIT 20
`;
}
Check for XSS (Cross-Site Scripting)
Search for unsafe rendering:
precision_grep:
queries:
- id: dangerous_html
pattern: "(dangerouslySetInnerHTML|innerHTML|outerHTML)"
glob: "**/*.{tsx,jsx}"
- id: unescaped_output
pattern: "(v-html|\\[innerHTML\\])"
glob: "**/*.{vue,html}"
output:
format: locations
Common vulnerabilities:
- Rendering unsanitized user input with
dangerouslySetInnerHTML - Using
innerHTMLto insert user-provided content - Disabling auto-escaping in template engines
Secure rendering:
import DOMPurify from 'isomorphic-dompurify';
// UNSAFE - XSS vulnerable
export function UnsafeComment({ content }: { content: string }) {
return <div dangerouslySetInnerHTML={{ __html: content }} />;
}
// SAFE - Auto-escaped by React
export function SafeComment({ content }: { content: string }) {
return <div>{content}</div>;
}
// SAFE - Sanitized HTML if needed
export function SafeRichComment({ html }: { html: string }) {
const sanitized = DOMPurify.sanitize(html, {
ALLOWED_TAGS: ['p', 'br', 'strong', 'em', 'a'],
ALLOWED_ATTR: ['href'],
});
return <div dangerouslySetInnerHTML={{ __html: sanitized }} />;
}
Check for Command Injection
Search for shell command execution:
precision_grep:
queries:
- id: shell_exec
pattern: "(exec|spawn|execSync|spawnSync|execFile).*req\\.(body|query|params)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: verbose
Common vulnerabilities:
- User input passed directly to shell commands
- Unsanitized file paths in file operations
Secure command execution:
import { spawn } from 'child_process';
import { z } from 'zod';
const allowedCommands = ['convert', 'resize', 'compress'] as const;
const commandSchema = z.enum(allowedCommands);
// UNSAFE - Command injection vulnerable
export async function processImage(filename: string) {
exec(`convert ${filename} output.png`);
}
// SAFE - Validated input and array arguments
export async function processImage(command: string, filename: string) {
const validCommand = commandSchema.parse(command);
const sanitizedFilename = filename.replace(/[^a-zA-Z0-9._-]/g, '');
return new Promise((resolve, reject) => {
const child = spawn('imagemagick', [validCommand, sanitizedFilename, 'output.png']);
child.on('exit', (code) => {
if (code === 0) resolve(undefined);
else reject(new Error('Processing failed'));
});
});
}
Check for Path Traversal
Search for file operations:
precision_grep:
queries:
- id: file_operations
pattern: "(readFile|writeFile|unlink|stat|createReadStream).*req\\.(body|query|params)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: locations
Common vulnerabilities:
- User-controlled file paths without validation
- Missing path normalization (allowing
../sequences)
Secure file handling:
import path from 'path';
import fs from 'fs/promises';
const UPLOADS_DIR = path.join(process.cwd(), 'uploads');
// UNSAFE - Path traversal vulnerable
export async function getFile(filename: string) {
return await fs.readFile(`./uploads/${filename}`);
}
// SAFE - Path validation with defense against encoded traversals
export async function getFile(filename: string) {
// Decode URL-encoded sequences (e.g., %2e%2e%2f -> ../)
const decoded = decodeURIComponent(filename);
const safePath = path.normalize(decoded).replace(/^(\.\.\/)+/, '');
const fullPath = path.resolve(path.join(UPLOADS_DIR, safePath));
// Ensure resolved path is within UPLOADS_DIR (prevents prefix collision)
if (!fullPath.startsWith(UPLOADS_DIR + path.sep) && fullPath !== UPLOADS_DIR) {
throw new Error('Invalid file path');
}
return await fs.readFile(fullPath);
}
Phase 5: Data Protection Audit
Objective: Ensure sensitive data is encrypted and properly handled.
Check for Encryption at Rest
Search for sensitive data storage:
precision_grep:
queries:
- id: sensitive_fields
pattern: "(ssn|credit.*card|bank.*account|passport|drivers.*license)"
glob: "**/*.{ts,tsx,js,jsx,prisma}"
- id: encryption_usage
pattern: "(encrypt|decrypt|cipher|crypto)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: minimal
Encryption best practices:
- Use AES-256-GCM for symmetric encryption
- Store encryption keys in secure key management (AWS KMS, HashiCorp Vault)
- Never commit encryption keys to version control
- Rotate encryption keys periodically
Secure encryption implementation:
import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';
const ALGORITHM = 'aes-256-gcm';
const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY;
if (!ENCRYPTION_KEY) throw new Error('ENCRYPTION_KEY environment variable is required');
const KEY = Buffer.from(ENCRYPTION_KEY, 'hex'); // 32 bytes
export function encrypt(plaintext: string): string {
const iv = randomBytes(16);
const cipher = createCipheriv(ALGORITHM, KEY, iv);
let encrypted = cipher.update(plaintext, 'utf8', 'hex');
encrypted += cipher.final('hex');
const authTag = cipher.getAuthTag();
// Return: iv:authTag:ciphertext
return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
}
export function decrypt(ciphertext: string): string {
const [ivHex, authTagHex, encrypted] = ciphertext.split(':');
const iv = Buffer.from(ivHex, 'hex');
const authTag = Buffer.from(authTagHex, 'hex');
const decipher = createDecipheriv(ALGORITHM, KEY, iv);
decipher.setAuthTag(authTag);
let decrypted = decipher.update(encrypted, 'hex', 'utf8');
decrypted += decipher.final('utf8');
return decrypted;
}
Check for PII Handling
Search for personally identifiable information:
precision_grep:
queries:
- id: pii_fields
pattern: "(email|phone|address|name|dob|birth.*date)"
glob: "**/*.prisma"
- id: logging_pii
pattern: "(console\\.log|logger\\.(info|debug|warn)).*\\.(email|phone|ssn)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: locations
PII protection checklist:
- Minimize PII collection (only collect what's necessary)
- Redact PII in logs and error messages
- Implement data retention policies (auto-delete old data)
- Provide user data export (GDPR/CCPA compliance)
- Provide user data deletion (right to be forgotten)
Check for Secrets Management
Search for hardcoded secrets:
precision_grep:
queries:
- id: hardcoded_secrets
pattern: "(api.*key.*=.*[\"'][a-zA-Z0-9]{20,}|secret.*=.*[\"'][a-zA-Z0-9]{20,}|password.*=.*[\"'][^\"']{8,})"
glob: "**/*.{ts,tsx,js,jsx}"
- id: committed_env
pattern: ".*"
glob: ".env"
output:
format: verbose
Common vulnerabilities:
- API keys hardcoded in source code
.envfiles committed to version control- Secrets exposed in client-side code
- Default credentials not changed
Secure secrets management:
import { z } from 'zod';
const envSchema = z.object({
DATABASE_URL: z.string().url(),
NEXTAUTH_SECRET: z.string().min(32),
STRIPE_SECRET_KEY: z.string().startsWith('sk_'),
OPENAI_API_KEY: z.string().startsWith('sk-'),
});
export const env = envSchema.parse({
DATABASE_URL: process.env.DATABASE_URL,
NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
STRIPE_SECRET_KEY: process.env.STRIPE_SECRET_KEY,
OPENAI_API_KEY: process.env.OPENAI_API_KEY,
});
// Ensure .env is in .gitignore
// Use .env.example (without values) to document required variables
// Use secrets management in production (Vercel Env Vars, AWS Secrets Manager)
Phase 6: Dependency Audit
Objective: Identify and remediate vulnerable dependencies.
Run Automated Vulnerability Scanners
Use npm audit:
precision_exec:
commands:
- cmd: "npm audit --json"
timeout_ms: 30000
verbosity: standard
Check for outdated packages:
precision_exec:
commands:
- cmd: "npm outdated --json"
timeout_ms: 10000
verbosity: minimal
Prioritize fixes:
- Critical/High: Fix immediately before deployment
- Moderate: Fix within 30 days
- Low: Fix during regular maintenance
Check for Supply Chain Attacks
Verify lockfile integrity:
precision_exec:
commands:
- cmd: "npm audit signatures"
timeout_ms: 30000
verbosity: standard
Checklist:
- Commit lockfiles (
package-lock.json,yarn.lock,pnpm-lock.yaml) - Review dependency changes in PRs
- Use
npm ciin CI/CD (notnpm install) - Pin dependency versions in critical projects
- Use tools like Socket.dev for dependency analysis
Phase 7: API Security Audit
Objective: Secure API endpoints against common attacks.
Check for Rate Limiting
Search for rate limiting implementation:
precision_grep:
queries:
- id: rate_limit_usage
pattern: "(rateLimit|rate.*limiter|Ratelimit|upstash.*ratelimit)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: minimal
Implement rate limiting:
import { Ratelimit } from '@upstash/ratelimit';
import { Redis } from '@upstash/redis';
import { NextResponse } from 'next/server';
const ratelimit = new Ratelimit({
redis: Redis.fromEnv(),
limiter: Ratelimit.slidingWindow(10, '10 s'), // 10 requests per 10 seconds
analytics: true,
});
export async function POST(req: Request) {
const ip = req.headers.get('x-forwarded-for') ?? 'unknown';
const { success, limit, reset, remaining } = await ratelimit.limit(ip);
if (!success) {
return NextResponse.json(
{ error: 'Too many requests' },
{
status: 429,
headers: {
'X-RateLimit-Limit': limit.toString(),
'X-RateLimit-Remaining': remaining.toString(),
'X-RateLimit-Reset': new Date(reset).toISOString(),
},
}
);
}
// Process request
return NextResponse.json({ success: true });
}
Check for CORS Configuration
Search for CORS setup:
precision_grep:
queries:
- id: cors_config
pattern: "(Access-Control-Allow-Origin|cors\\(|corsOptions)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: matches
Common vulnerabilities:
- Wildcard CORS (
Access-Control-Allow-Origin: *) with credentials - Overly permissive origin whitelist
- Missing preflight request handling
Secure CORS configuration:
import { NextResponse } from 'next/server';
const ALLOWED_ORIGINS = [
'https://example.com',
'https://app.example.com',
];
export async function GET(req: Request) {
const origin = req.headers.get('origin');
const headers: Record<string, string> = {
'Content-Type': 'application/json',
};
if (origin && ALLOWED_ORIGINS.includes(origin)) {
headers['Access-Control-Allow-Origin'] = origin;
headers['Access-Control-Allow-Credentials'] = 'true';
}
return NextResponse.json({ data: 'response' }, { headers });
}
Webhook Signature Verification
Best practice: Use crypto.timingSafeEqual() for comparing webhook signatures to prevent timing attacks:
import crypto from 'crypto';
export function verifyWebhookSignature(payload: string, signature: string, secret: string): boolean {
const expectedSignature = crypto.createHmac('sha256', secret).update(payload).digest('hex');
const signatureBuffer = Buffer.from(signature);
const expectedBuffer = Buffer.from(expectedSignature);
// Prevent timing attacks - constant-time comparison
if (signatureBuffer.length !== expectedBuffer.length) return false;
return crypto.timingSafeEqual(signatureBuffer, expectedBuffer);
}
CORS Preflight Handling
export async function OPTIONS(req: Request) {
const origin = req.headers.get('origin');
const headers: Record<string, string> = {
'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
'Access-Control-Allow-Headers': 'Content-Type, Authorization',
'Access-Control-Max-Age': '86400', // 24 hours
};
if (origin && ALLOWED_ORIGINS.includes(origin)) {
headers['Access-Control-Allow-Origin'] = origin;
headers['Access-Control-Allow-Credentials'] = 'true';
}
return new NextResponse(null, { status: 204, headers });
}
Check for CSRF Protection
Search for CSRF implementation:
precision_grep:
queries:
- id: csrf_tokens
pattern: "(csrf|csrfToken|xsrf)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: minimal
CSRF protection strategies:
- Use SameSite cookies (
sameSite: 'strict'or'lax') - Implement CSRF tokens for state-changing operations
- Require custom headers for API requests (e.g.,
X-Requested-With) - Verify
OriginandRefererheaders
Check for Content Security Policy (CSP)
Search for CSP headers:
precision_grep:
queries:
- id: csp_headers
pattern: "Content-Security-Policy"
glob: "**/*.{ts,tsx,js,jsx,json}"
output:
format: locations
Implement CSP:
// next.config.js
const ContentSecurityPolicy = `
default-src 'self';
// WARNING: 'unsafe-eval' and 'unsafe-inline' significantly weaken CSP. Use nonces or hashes instead.
script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.vercel-insights.com;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self' data:;
connect-src 'self' https://api.example.com;
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
`;
module.exports = {
async headers() {
return [
{
source: '/(.*)',
headers: [
{
key: 'Content-Security-Policy',
value: ContentSecurityPolicy.replace(/\n/g, ''),
},
{
key: 'X-Frame-Options',
value: 'DENY',
},
{
key: 'X-Content-Type-Options',
value: 'nosniff',
},
{
key: 'Referrer-Policy',
value: 'strict-origin-when-cross-origin',
},
{
key: 'Permissions-Policy',
value: 'camera=(), microphone=(), geolocation=()',
},
],
},
];
},
};
Phase 8: Infrastructure Security Audit
Objective: Harden deployment infrastructure.
Check Docker Security
Search for Dockerfile:
precision_read:
files:
- path: "Dockerfile"
extract: content
verbosity: minimal
Docker security checklist:
- Use minimal base images (alpine, distroless)
- Run as non-root user
- Multi-stage builds to reduce attack surface
- No secrets in image layers (use build args)
- Pin base image versions (avoid
latesttag) - Scan images for vulnerabilities (
docker scan, Trivy)
Secure Dockerfile:
FROM node:20-alpine AS base
FROM base AS deps
RUN apk add --no-cache libc6-compat
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
FROM base AS builder
WORKDIR /app
COPY /app/node_modules ./node_modules
COPY . .
RUN npm run build
FROM base AS runner
WORKDIR /app
ENV NODE_ENV=production
# Create non-root user
RUN addgroup --system --gid 1001 nodejs && \
adduser --system --uid 1001 nextjs
COPY /app/.next/standalone ./
COPY /app/.next/static ./.next/static
COPY /app/public ./public
USER nextjs
EXPOSE 3000
ENV PORT=3000
ENV HOSTNAME="0.0.0.0"
HEALTHCHECK \
CMD node -e "require('http').get('http://localhost:3000/api/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1))"
CMD ["node", "server.js"]
Check Environment Variable Security
Search for env file usage:
precision_glob:
patterns:
- ".env*"
- "*.env"
verbosity: count_only
Verify .gitignore:
precision_read:
files:
- path: ".gitignore"
extract: content
verbosity: minimal
Environment security checklist:
.envfiles in.gitignore- Use
.env.example(without values) to document variables - Use secrets management in production (not
.envfiles) - Separate environments (development, staging, production)
- Rotate secrets regularly
Check TLS Configuration
Verify HTTPS enforcement:
precision_grep:
queries:
- id: https_redirect
pattern: "(https|ssl|tls|hsts|Strict-Transport-Security)"
glob: "**/*.{ts,tsx,js,jsx,json}"
output:
format: minimal
TLS best practices:
- Enforce HTTPS (redirect HTTP to HTTPS)
- Enable HSTS (Strict-Transport-Security)
- Use TLS 1.2+ (disable TLS 1.0, 1.1)
- Use strong cipher suites
- Implement certificate pinning for mobile apps
Audit Reporting
Structure your audit findings in this format:
Executive Summary
## Security Audit Report
**Application:** [Name]
**Audit Date:** [Date]
**Auditor:** [Name/Team]
**Scope:** [Components audited]
### Summary
- Total findings: X
- Critical: Y
- High: Z
- Medium: A
- Low: B
### Risk Assessment
[Overall risk level: Critical/High/Medium/Low]
Detailed Findings
For each vulnerability:
### [SEVERITY] Finding #X: [Title]
**Category:** [Authentication/Authorization/Input Validation/etc.]
**Severity:** [Critical/High/Medium/Low]
**CWE:** [CWE-XXX if applicable]
**Description:**
[Clear description of the vulnerability]
**Location:**
- File: `path/to/file.ts`
- Lines: 42-58
**Impact:**
[What can an attacker do? What data is at risk?]
**Proof of Concept:**
```typescript
// Example exploit code or reproduction steps
Remediation:
// Secure code example
References:
- [OWASP Link]
- [CWE Link]
### Severity Classification
| Severity | Criteria |
|----------|----------|
| **Critical** | Remote code execution, authentication bypass, sensitive data exposure |
| **High** | Privilege escalation, SQL injection, XSS in critical flows |
| **Medium** | Information disclosure, CSRF, weak authentication |
| **Low** | Minor information leaks, missing security headers |
## Precision Tool Workflows
### Full Security Scan Workflow
Run a comprehensive security scan using precision_grep:
```yaml
precision_grep:
queries:
# Authentication issues
- id: weak_auth
pattern: "(password.*plain|password.*clear|md5|sha1)\\("
glob: "**/*.{ts,tsx,js,jsx}"
# SQL injection
- id: sql_injection
pattern: "(\\$queryRaw|\\$executeRaw).*\\$\\{|query.*\\+.*params"
glob: "**/*.{ts,tsx,js,jsx}"
# XSS
- id: xss
pattern: "(dangerouslySetInnerHTML|innerHTML|v-html)"
glob: "**/*.{tsx,jsx,vue}"
# Command injection
- id: command_injection
pattern: "(exec|spawn).*\\(.*req\\.(body|query)"
glob: "**/*.{ts,tsx,js,jsx}"
# Path traversal
- id: path_traversal
pattern: "(readFile|writeFile).*req\\.(body|query|params)"
glob: "**/*.{ts,tsx,js,jsx}"
# Hardcoded secrets
- id: hardcoded_secrets
pattern: "(api.*key.*=.*[\"'][a-zA-Z0-9]{20,}|sk_live)"
glob: "**/*.{ts,tsx,js,jsx}"
# Insecure cookies
- id: insecure_cookies
pattern: "(httpOnly.*false|secure.*false|sameSite.*none)"
glob: "**/*.{ts,tsx,js,jsx}"
output:
format: locations
Batch Security Audit
Use discover + batch for efficient auditing:
discover:
queries:
- id: auth_files
type: glob
patterns: ["**/auth/**/*.{ts,tsx,js,jsx}", "**/api/auth/**/*.{ts,tsx,js,jsx}"]
- id: api_routes
type: glob
patterns: ["**/api/**/*.{ts,tsx,js,jsx}"]
- id: db_files
type: grep
pattern: "(prisma|db|database)"
glob: "**/*.{ts,tsx,js,jsx}"
verbosity: files_only
Then batch read and analyze:
precision_read:
files: [/* Use discovered files */]
extract: symbols
symbol_filter: ["function", "class"]
verbosity: standard
Automated Security Testing
Integrate security checks into CI/CD:
# .github/workflows/security.yml
name: Security Scan
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run npm audit
run: npm audit --audit-level=high
- name: Run Snyk security scan
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
severity: 'CRITICAL,HIGH'
- name: Run OWASP ZAP scan
uses: zaproxy/action-baseline@v0.7.0
with:
target: 'http://localhost:3000'
Common Security Mistakes
1. Trusting Client-Side Validation
Problem: Relying on client-side checks for security.
Solution: Always validate on the server.
// UNSAFE - Client-side only
export function ClientForm() {
const [email, setEmail] = useState('');
const isValid = email.includes('@');
return (
<form onSubmit={() => fetch('/api/subscribe', {
method: 'POST',
body: JSON.stringify({ email }),
})}>
<input value={email} onChange={(e) => setEmail(e.target.value)} />
<button disabled={!isValid}>Subscribe</button>
</form>
);
}
// SAFE - Server-side validation
export async function POST(req: Request) {
const body = await req.json();
const schema = z.object({
email: z.string().email(),
});
const result = schema.safeParse(body);
if (!result.success) {
return NextResponse.json(
{ error: result.error.flatten() },
{ status: 400 }
);
}
// Process valid email
await subscribeUser(result.data.email);
return NextResponse.json({ success: true });
}
2. Exposing Sensitive Data in API Responses
Problem: Returning more data than needed.
Solution: Use explicit select to limit fields.
// UNSAFE - Returns password hash
export async function GET(req: Request) {
const user = await db.user.findUnique({ where: { id: userId } });
return NextResponse.json(user);
}
// SAFE - Excludes sensitive fields
export async function GET(req: Request) {
const user = await db.user.findUnique({
where: { id: userId },
select: {
id: true,
name: true,
email: true,
avatar: true,
// passwordHash excluded
},
});
return NextResponse.json(user);
}
3. Logging Sensitive Data
Problem: Writing PII or secrets to logs.
Solution: Redact sensitive data before logging.
// UNSAFE - Logs password
export async function login(email: string, password: string) {
console.log('Login attempt:', { email, password });
// ...
}
// SAFE - Redacts password
export async function login(email: string, password: string) {
console.log('Login attempt:', { email, password: '[REDACTED]' });
// ...
}
Post-Audit Actions
After completing the audit:
- Prioritize findings by severity and exploitability
- Create tickets for each finding (link to audit report)
- Fix critical/high issues immediately
- Run validation script to verify remediations
- Schedule follow-up audit after fixes
- Update security documentation with lessons learned
- Train team on common vulnerabilities found
Validation
Run the validation script after audit remediation:
./scripts/validate-security-audit.sh /path/to/project
The script checks for:
- Common vulnerability patterns
- Secure authentication implementation
- Input validation coverage
- Secrets management
- Security headers configuration
- Dependency vulnerabilities
Further Reading
Weekly Installs
50
Repository
mgd34msu/goodvi…s-pluginGitHub Stars
5
First Seen
Feb 17, 2026
Security Audits
Installed on
opencode50
github-copilot50
codex50
kimi-cli50
gemini-cli50
amp50