Claude Code Plugins

Community-maintained marketplace

Feedback

NestJS Security

@HoangNguyen0403/agent-skills-standard
106
0

Authentication, RBAC, and Hardening standards.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name NestJS Security
description Authentication, RBAC, and Hardening standards.
metadata [object Object]

NestJS Security Standards

Priority: P0 (CRITICAL)

Authentication (JWT)

  • Strategy: Use @nestjs/passport with passport-jwt.
  • Algorithm: Enforce RS256 (preferred) or HS256. Reject none.
  • Claims: Validate iss and aud.
  • Tokens: Short access (15m), Long httponly refresh (7d).
  • MFA: Require 2FA for admin panels.

Authorization (RBAC)

  • Deny by default: Bind AuthGuard globally (APP_GUARD).
  • Bypass: Create @Public() decorator for open routes.
  • Roles: Use Reflector.getAllAndOverride for Method/Class merge.

Cryptography

Hardening

  • Helmet: Mandatory. Enable HSTS, CSP.
  • CORS: Explicit origins only. No *.
  • Throttling: Use Redis-backed @nestjs/throttler in production.
  • CSRF: Required for cookie-based auth. See implementation.

Data Protection

  • Sanitization: Use ClassSerializerInterceptor + @Exclude().
  • Validation: ValidationPipe({ whitelist: true }) to prevent mass assignment.
  • Audit: Log mutations (Who, What, When). See implementation.

Secrets Management

  • CI/CD: Run npm audit --prod in pipelines.
  • Runtime: Inject via vault (AWS Secrets Manager / HashiCorp Vault), not .env.

Anti-Patterns

  • No Shadow APIs: Audit routes regularly; disable /docs in production.
  • No SSRF: Allowlist domains for all outgoing HTTP requests.
  • No SQLi: Use ORM; avoid raw query() with string concatenation.
  • No XSS: Sanitize HTML input with dompurify.

Related Topics

common/security-standards | architecture | database