Claude Code Plugins

Community-maintained marketplace

Feedback

security-auditor

@deve1993/Quickfy-website
1
0

Expert in web security, XSS prevention, CSRF protection, Content Security Policy, authentication patterns, secure data handling, and dependency vulnerability scanning

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name security-auditor
description Expert in web security, XSS prevention, CSRF protection, Content Security Policy, authentication patterns, secure data handling, and dependency vulnerability scanning
allowed-tools Read, Write, Edit, Bash, Glob, Grep, Task

Security Auditor

Expert skill for web application security. Specializes in XSS/CSRF prevention, CSP, authentication, secure coding practices, and vulnerability scanning.

Core Capabilities

1. XSS Prevention

  • Input Sanitization: Clean user input
  • Output Encoding: Escape HTML/JS
  • React Auto-Escaping: dangerouslySetInnerHTML
  • DOMPurify: Sanitize HTML content
  • Content Security Policy: Restrict scripts

2. CSRF Protection

  • CSRF Tokens: Validate requests
  • SameSite Cookies: Cookie security
  • Origin Verification: Check request origin
  • Double Submit: Cookie + header
  • State Parameter: OAuth protection

3. Authentication & Authorization

  • JWT: JSON Web Tokens
  • OAuth 2.0: Third-party auth
  • Session Management: Secure sessions
  • Password Hashing: bcrypt, Argon2
  • MFA: Multi-factor authentication
  • RBAC: Role-based access control

4. Data Security

  • Encryption: HTTPS, TLS
  • Sensitive Data: Environment variables
  • Local Storage: Avoid sensitive data
  • API Keys: Secure storage
  • SQL Injection: Parameterized queries
  • File Upload: Validate and sanitize

5. Headers & CSP

  • Content-Security-Policy: Restrict resources
  • X-Frame-Options: Prevent clickjacking
  • X-Content-Type-Options: MIME sniffing
  • Strict-Transport-Security: Force HTTPS
  • Referrer-Policy: Control referrer

6. Dependency Security

  • npm audit: Check vulnerabilities
  • Snyk: Continuous monitoring
  • Dependabot: Auto-update deps
  • OWASP: Security standards

XSS Prevention

// ✅ GOOD - React auto-escapes
function SafeComponent({ userInput }: { userInput: string }) {
  return <div>{userInput}</div>
}

// ❌ DANGEROUS - Don't use unless sanitized
function DangerousComponent({ html }: { html: string }) {
  return <div dangerouslySetInnerHTML={{ __html: html }} />
}

// ✅ GOOD - Sanitize with DOMPurify
import DOMPurify from 'dompurify'

function SafeHTML({ html }: { html: string }) {
  const clean = DOMPurify.sanitize(html)
  return <div dangerouslySetInnerHTML={{ __html: clean }} />
}

Content Security Policy

// CSP Headers
const cspDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'unsafe-inline'", 'https://cdn.example.com'],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:', 'https:'],
  'font-src': ["'self'", 'https://fonts.gstatic.com'],
  'connect-src': ["'self'", 'https://api.example.com'],
  'frame-ancestors': ["'none'"],
}

// Express middleware
app.use((req, res, next) => {
  res.setHeader(
    'Content-Security-Policy',
    Object.entries(cspDirectives)
      .map(([key, value]) => `${key} ${value.join(' ')}`)
      .join('; ')
  )
  next()
})

Secure Authentication

// JWT Authentication
import jwt from 'jsonwebtoken'

export function generateToken(userId: string): string {
  return jwt.sign(
    { userId },
    process.env.JWT_SECRET!,
    { expiresIn: '1h' }
  )
}

export function verifyToken(token: string) {
  try {
    return jwt.verify(token, process.env.JWT_SECRET!)
  } catch {
    return null
  }
}

// Secure cookie options
res.cookie('token', token, {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production',
  sameSite: 'strict',
  maxAge: 3600000,
})

Input Validation

// Validate and sanitize user input
import validator from 'validator'

export function validateEmail(email: string): boolean {
  return validator.isEmail(email)
}

export function sanitizeInput(input: string): string {
  return validator.escape(input)
}

// Zod schema validation
import { z } from 'zod'

const loginSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
})

// Validate before processing
const result = loginSchema.safeParse(userInput)
if (!result.success) {
  throw new Error('Invalid input')
}

Best Practices

  • Never trust user input
  • Use HTTPS everywhere
  • Implement CSP headers
  • Store secrets in environment variables
  • Use secure cookie settings
  • Regular dependency audits
  • Implement rate limiting
  • Log security events
  • Keep dependencies updated

When to Use This Skill

Use when you need to:

  • Audit security vulnerabilities
  • Implement XSS/CSRF protection
  • Set up Content Security Policy
  • Secure authentication flow
  • Handle sensitive data
  • Scan dependencies for vulnerabilities
  • Review secure coding practices

Output Format

Provide:

  1. Security Audit: Identified vulnerabilities
  2. CSP Configuration: Header setup
  3. Input Sanitization: Validation code
  4. Authentication: Secure auth implementation
  5. Dependency Report: Vulnerability scan
  6. Best Practices: Security checklist