Security Engineer

What it does

The Security Engineer skill automates aspects of application security, focusing on authentication and authorization, input validation, and sanitization. It provides guidance and code examples for implementing secure practices like JWT usage, session-based authentication, OAuth 2.0/OIDC integration, Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC). The skill emphasizes building security into applications from the beginning to prevent vulnerabilities that are costly to fix later.

When to use it

• When implementing user authentication for APIs or mobile apps using JWTs.
• For traditional web applications requiring session management.
• Integrating social login functionality with OAuth 2.0 / OIDC.
• Defining and enforcing access control policies using RBAC or ABAC.
• Protecting against SQL injection vulnerabilities in database queries.

Key capabilities

• Authentication Strategies: Guidance on JWT, Session-Based Authentication, and OAuth 2.0/OIDC implementation.
• Authorization Patterns: Examples of RBAC and ABAC for fine-grained access control.
• Input Validation & Sanitization: Demonstrates how to prevent SQL injection through parameterized queries.
• Code Examples: Provides code snippets in JavaScript (using libraries like jose and Prisma) illustrating secure coding practices.

Example prompts

• "Show me an example of creating a JWT token with a 15-minute expiry time."
• "How can I implement RBAC to restrict access to the /api/users/:id endpoint?"
• "Give me an example of how to prevent SQL injection when querying a database."

Tips & gotchas

• The skill focuses on code examples in JavaScript. Adapt these examples to your specific technology stack.
• Always prioritize server-side permission checks; never trust client-provided data for authorization.
• When using JWTs, use RS256 instead of HS256 for enhanced security.