web-security
Web Security Best Practices
Application-level security guidance for WordPress (PHP), Laravel (PHP), Django (Python), FastAPI (Python), and Plotly Dash (Python/Flask).
Important
- Always treat user input as untrusted, including callback inputs in Dash
- Use framework security features instead of custom implementations
- Validate server-side even when client-side validation exists
- Fail securely — errors must not expose system details
- Keep dependencies updated and audited
OWASP Top 10 (2021)
The current OWASP Top 10 categories that this skill addresses:
- A01 Broken Access Control — See references/authentication-csrf.md
- A02 Cryptographic Failures — See references/secure-data-handling.md
- A03 Injection — See references/sql-injection.md, references/xss-prevention.md
- A04 Insecure Design — Apply defense in depth throughout
- A05 Security Misconfiguration — See references/security-headers.md, references/environment-config.md
- A06 Vulnerable and Outdated Components — See references/security-testing.md (dependency auditing)
- A07 Identification and Authentication Failures — See references/authentication-csrf.md, references/session-cookie-jwt.md
- A08 Software and Data Integrity Failures — See references/secure-data-handling.md
- A09 Security Logging and Monitoring Failures — See references/environment-config.md
- A10 Server-Side Request Forgery (SSRF) — See references/api-security.md
When to Consult Each Reference
| User is working on... | Load this reference |
|---|---|
| HTML output, templates, rendering user data | references/xss-prevention.md |
| Database queries, search, filters | references/sql-injection.md |
| Login, registration, forms, permissions, CSRF | references/authentication-csrf.md |
| HTTP headers, CORS, CSP, HSTS, iframe protection | references/security-headers.md |
| Sessions, cookies, JWT tokens, "remember me" | references/session-cookie-jwt.md |
| File uploads, downloads, media handling | references/file-upload-security.md |
| REST APIs, rate limiting, tokens, SSRF | references/api-security.md |
| PII, encryption, payment data, logging | references/secure-data-handling.md |
| .env files, secrets, debug mode, deployment | references/environment-config.md |
| Security testing, scanning, code review | references/security-testing.md |
Code Review Quick Checklist
When reviewing any code for security, verify all of the following:
Input/Output: All user input validated server-side when received (type, length, allowlisted values). All output escaped for the exact context it lands in (HTML body, HTML attribute, JavaScript, URL); the same string needs a different encoder in each. No raw echo/print of user data.
Database: All queries use prepared statements, ORM, or parameterized queries. No string concatenation or f-strings in SQL. Identifiers such as column names and sort directions cannot be bound as parameters, so they must be checked against a fixed allowlist before they reach the query text.
Auth/Access: CSRF tokens on all state-changing forms. Permission checks before sensitive operations. No passwords or tokens in logs.
Headers: CSP, HSTS, X-Content-Type-Options, X-Frame-Options (or CSP frame-ancestors) all set. CORS restricted to required origins only; never reflect an arbitrary Origin together with credentials.
Sessions/Cookies: HttpOnly, Secure, SameSite flags on cookies. Session ID regenerated after login. JWT expiration (exp) enforced and the accepted signing algorithm fixed on the verifying side, never taken from the token's own alg header.
Files: Upload type, size, and content validated server-side. Filenames sanitized. Files stored outside web root.
API: Rate limiting on all public endpoints. Authentication on sensitive endpoints. Input validation on all parameters.
Config: No hardcoded secrets. Debug mode off in production. Error messages generic in production.
Dependencies: No known vulnerabilities in packages. Lock files committed. Audit tools configured.
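The Input/Output item above says to escape for context. The following added example (not code from the original page or from the oiler/claude-skills repository) uses only the Python standard library to show why one escaper does not fit all contexts: the JSON encoder that is correct for a JavaScript value lets `</script>` through when that value is dropped into a `<script>` block, and the fix is the `\u003c`-style escaping that Django's `json_script` and Flask's `tojson` apply. The payloads, the `render_profile` template and the `has_injected_script` check are constructed for the demo.

```python
import html
import json
from urllib.parse import quote

# Constructed attacker-controlled values (not from the original page).
ATTR_PAYLOAD = '"><script>alert(1)</script>'
SCRIPT_PAYLOAD = '</script><script>alert(1)</script>'


def escape_html_text(value: str) -> str:
    """HTML body or quoted-attribute context: escape & < > " and '."""
    return html.escape(value, quote=True)


def escape_url_segment(value: str) -> str:
    """URL path-segment context: percent-encode everything but unreserved chars.

    safe="" also encodes "/", so a value cannot add path segments.
    """
    return quote(value, safe="")


def escape_js_json(value) -> str:
    """Data embedded inside a <script> element as a JSON literal.

    json.dumps alone is not enough: it never escapes < > or &, so a string
    containing '</script>' ends the script element before any JS runs.
    Writing those characters as \\uXXXX keeps the JSON valid for the JS parser
    while the HTML parser no longer sees a tag.
    """
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def naive_script_block(value) -> str:
    # WRONG: correct JSON, wrong context. The HTML tokenizer runs first.
    return f"<script>var data = {json.dumps(value)};</script>"


def safe_script_block(value) -> str:
    return f"<script>var data = {escape_js_json(value)};</script>"


def render_profile(display_name: str, bio: str) -> str:
    """Constructed template: the same values land in four different contexts."""
    return (
        f'<div class="profile" title="{escape_html_text(display_name)}">'
        f"<p>{escape_html_text(bio)}</p>"
        f'<a href="/users/{escape_url_segment(display_name)}">profile</a>'
        + safe_script_block({"name": display_name, "bio": bio})
        + "</div>"
    )


def has_injected_script(doc: str) -> bool:
    """Demo check: the templates above write exactly one <script> tag themselves,
    so a second literal '<script' can only have come from user data."""
    return doc.lower().count("<script") > 1


def roundtrips(value) -> bool:
    """The escaped JSON still decodes to the original value (no data loss)."""
    return json.loads(escape_js_json(value)) == value


if __name__ == "__main__":
    print(escape_html_text(ATTR_PAYLOAD))
    print("naive block injected:", has_injected_script(naive_script_block(SCRIPT_PAYLOAD)))
    print("safe block injected:", has_injected_script(safe_script_block(SCRIPT_PAYLOAD)))
    print(render_profile(ATTR_PAYLOAD, SCRIPT_PAYLOAD))
```

In a real Django or Flask view you would reach for the framework's own helpers (`json_script`, `tojson`, autoescaped templates) rather than these functions; the point of the block is the failure mode to look for in review: a value encoded for one context and emitted into another.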
Common Anti-Patterns
- Trusting client-side validation alone — always validate server-side
- Using blocklists instead of allowlists — prefer allowing known-good
- Rolling your own crypto or auth — use proven libraries
- Exposing detailed error messages in production
- Ignoring framework security features that are available
- Security through obscurity — hiding things is not protecting them
- Not updating dependencies — known vulnerabilities get exploited fast
- Storing sensitive data in client-accessible storage (localStorage, dcc.Store)
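The "Important" list opens with treating Dash callback inputs as untrusted, the checklist bans string-built SQL, and the anti-patterns above favour allowlists. The added example below (not code from the page or from the oiler/claude-skills repository) ties those together around the one SQL fragment that cannot be parameterized at all, the identifier in ORDER BY. It uses an in-memory SQLite table with constructed rows and pretends the sort column and direction arrive from a DataTable `sort_by` callback argument (the Dash wiring is only described in comments so the file runs without Dash installed). A CASE expression injected into ORDER BY turns the row order into a yes/no oracle that leaks a column the endpoint never returns; the fix is an allowlist check before interpolation.

```python
import sqlite3

# Only these identifiers may ever reach the SQL text. Anything else is rejected,
# not "cleaned" (allowlist, not blocklist).
ALLOWED_SORT_COLUMNS = {"id", "name", "created_at"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo (the keys are not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
        "created_at TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "2024-01-03", "sk-live-7f3a"),
            (2, "bob", "2024-02-14", "sk-live-0c19"),
            (3, "carol", "2024-03-21", "sk-live-e2b4"),
        ],
    )
    return conn


def vulnerable_list_users(conn, sort_col: str, direction: str) -> list:
    """What a Dash callback does when it forwards sort_by[0]['column_id'] and
    sort_by[0]['direction'] straight into the query text."""
    sql = f"SELECT name FROM users ORDER BY {sort_col} {direction}"
    return [row[0] for row in conn.execute(sql)]


def list_users(conn, sort_col: str, direction: str) -> list:
    """Hardened version: identifiers are matched against a fixed allowlist first.

    They still cannot be bound with '?' placeholders (a bound value is a string
    literal, not a column reference), so the allowlist is the whole defence and
    the interpolation below is safe only because of it.
    """
    direction = direction.lower()
    if sort_col not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort: {sort_col!r} {direction!r}")
    sql = f"SELECT name FROM users ORDER BY {sort_col} {direction}"
    return [row[0] for row in conn.execute(sql)]


def blind_probe(conn, key_prefix: str) -> bool:
    """Attacker's oracle against the vulnerable endpoint.

    The injected ORDER BY expression sorts by name when the guess is right and
    by -id when it is wrong, so the row order answers a question about a column
    the endpoint never returns. No error, no second statement needed.
    """
    payload = (
        "(CASE WHEN (SELECT api_key FROM users WHERE id = 1) "
        f"LIKE '{key_prefix}%' THEN name ELSE -id END)"
    )
    return vulnerable_list_users(conn, payload, "") == ["alice", "bob", "carol"]


def recover_key(conn, alphabet: str = "sk-live0123456789abcdef", max_len: int = 32) -> str:
    """Extend the guessed prefix one character at a time using the oracle."""
    found = ""
    while len(found) < max_len:
        for ch in alphabet:
            if blind_probe(conn, found + ch):
                found += ch
                break
        else:  # no character extends the prefix: the whole key has been read
            break
    return found


def is_rejected(conn, sort_col: str, direction: str) -> bool:
    """True if the hardened function refuses the sort parameters."""
    try:
        list_users(conn, sort_col, direction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY oracle:", recover_key(db))
    print("hardened rejects payload:", is_rejected(db, "(CASE WHEN 1 THEN name ELSE -id END)", ""))
    print("hardened normal sort:", list_users(db, "name", "desc"))
```

The same allowlist shape applies to DataTable `filter_query` operators and to any column name a Django `.order_by()` or raw FastAPI query takes from the request; the ORM escapes values for you, but a user-chosen identifier still has to be matched against a list you control.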