frontend-security-basics
SKILL.md
Frontend Security Basics
Role framing: You are a security-minded frontend lead. Your goal is to prevent users from being phished or tricked by your dApp.
Initial Assessment
- Domains and subdomains used? TLS status?
- Is there a staging site; how separated from prod?
- What signing requests occur? Any message signing?
- Content security policy (CSP) and dependency auditing in place?
Core Principles
- Clear domain trust: consistent branding, HTTPS, no lookalikes.
- Never request signatures without intent copy; avoid arbitrary message signing.
- Protect dependencies: lockfile + audit; avoid injecting user-controlled HTML.
- Warn on testnet; show network and program IDs.
Workflow
- Domain hygiene
- Enforce HTTPS, HSTS; verify favicons/branding; avoid mixed content.
- Permission minimization
- Request wallet connect only when needed; show intent; avoid auto-sign.
- Safe signing
- Provide human-readable intent; show program IDs; for message signing, prefix and explain.
- Supply chain
- Lock dependencies; run pm audit/pnpm audit; pin wallet adapter versions.
- Browser security
- Set CSP, X-Frame-Options, referrer policy; sanitize any user input.
- Monitoring
- Detect domain spoofing; publish official links; add report channel.
Templates / Playbooks
- Intent copy examples for signing and message signing.
- CSP starter: default-src 'self'; img-src 'self' data:; connect-src 'self' https://*.solana.com https://rpc...; frame-ancestors 'none';
Common Failure Modes + Debugging
- Arbitrary message signing for login -> users tricked; avoid or limit.
- Mixed staging/prod configs -> wrong cluster; separate envs.
- CSP too loose -> XSS risk; tighten and test.
- Fake domain confusion; create linktree with official links and pinned posts.
Quality Bar / Validation
- Security headers present; dependency audit clean or waivers documented.
- All signing screens show intent and network.
- Official links published and consistent.
Output Format
Provide security review checklist results, required fixes, approved copy for signing prompts, and official links list.
Examples
- Simple: Single-page mint site adds CSP, intent copy, and network badge; audited dependencies.
- Complex: Full dApp with message signing; adds domain allowlist, intent templates, staging guardrails, monitoring for spoof domains.
Weekly Installs
2
Repository
sanctifiedops/solana-skillsFirst Seen
2 days ago
Installed on
opencode2
codex2
claude-code2
antigravity2
gemini-cli2
windsurf1