Claude Code Plugins

Community-maintained marketplace

Feedback

security

@violetio/violet-ai-plugins
0
0

Security fundamentals and best practices

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name security
description Security fundamentals and best practices

Security Fundamentals

Core Principles

Defense in Depth

Multiple layers of security controls:

  • Network security (firewalls, VPCs)
  • Application security (input validation, output encoding)
  • Data security (encryption at rest and in transit)
  • Identity security (authentication, authorization)

Least Privilege

Grant minimum permissions necessary:

  • Service accounts with scoped permissions
  • Role-based access control (RBAC)
  • Time-limited credentials
  • Regular permission audits

Secure by Default

Systems should be secure without additional configuration:

  • Deny by default, allow by exception
  • Secure defaults in configuration
  • Fail securely (deny access on error)

Input Validation

Always Validate

// CORRECT - Validate all input
public void processOrder(OrderRequest request) {
    Objects.requireNonNull(request, "Request cannot be null");
    validateOrderId(request.getOrderId());
    validateAmount(request.getAmount());
    // Process...
}

// WRONG - Trusting input
public void processOrder(OrderRequest request) {
    repository.findById(request.getOrderId()); // SQL injection risk
}

Validation Patterns

  • Whitelist over blacklist
  • Validate type, length, format, range
  • Sanitize before storage
  • Encode before output

Authentication

Token Handling

// Headers for authentication only
@RequestHeader("X-Violet-Token") String token      // Auth verification
@RequestHeader("X-Violet-App-Id") Integer appId    // Auth context

// Path parameters for resource identification
@PathVariable("app_id") Integer targetAppId         // Database queries

Credential Storage

  • Never store plaintext passwords
  • Use encryption for API keys and tokens
  • Rotate credentials regularly
  • Audit credential access

Authorization

Check at Every Layer

// Controller level
@PreAuthorize("hasRole('ADMIN')")
public ResponseEntity<?> adminEndpoint() { }

// Service level
if (!userService.canAccessResource(userId, resourceId)) {
    throw new AccessDeniedException();
}

// Data level (row-level security)
repository.findByIdAndAppId(id, authenticatedAppId);

Data Protection

Encryption

  • At rest: AWS KMS, AES-256
  • In transit: TLS 1.3
  • Sensitive fields: Encrypted in database

PII Handling

  • Minimize collection
  • Mask in logs (email → e***@example.com)
  • Encrypt in storage
  • Define retention policies

Logging & Monitoring

Security Logging

// Log security events
logger.info("Authentication successful",
    Map.of("userId", userId, "ip", clientIp));

logger.warn("Failed login attempt",
    Map.of("username", username, "ip", clientIp, "attempts", attemptCount));

// Never log sensitive data
// WRONG: logger.info("Token: " + token);

Monitoring

  • Failed authentication attempts
  • Unusual access patterns
  • Privilege escalation attempts
  • Data exfiltration indicators

OWASP Top 10 Awareness

Risk Mitigation
Injection Parameterized queries, input validation
Broken Auth Strong session management, MFA
Sensitive Data Encryption, access controls
XXE Disable external entities
Broken Access Authorization at every layer
Security Misconfig Secure defaults, hardening
XSS Output encoding, CSP
Insecure Deserialization Validate before deserializing
Vulnerable Components Dependency scanning
Insufficient Logging Comprehensive audit logs