Web Security

What it does

This skill helps AI agents implement secure web development practices, treating security as a core requirement from the outset. It emphasizes assuming hostile input and untrusted environments, guiding the agent to avoid common vulnerabilities like Cross-Site Scripting (XSS), SQL injection, and insecure authentication methods. The skill promotes best practices for data handling, dependency management, and respecting browser security boundaries.

When to use it

• When developing web applications or user interfaces where security is paramount.
• To ensure proper input validation and sanitization within a codebase.
• For implementing secure authentication and authorization workflows.
• When reviewing existing code for potential security vulnerabilities.
• To guide the selection of secure default configurations over flexible, but potentially insecure, options.

Key capabilities

• Provides guidance on preventing XSS and SQL injection attacks.
• Offers advice on secure authentication and authorization practices (e.g., using HTTP-only cookies).
• Promotes respecting browser security APIs like CORS and CSP.
• Emphasizes minimizing data exposure and avoiding insecure storage of secrets.
• Advises on managing dependencies and treating third-party code with caution.

Example prompts

• "How can I prevent SQL injection in this form submission?"
• "What's the best way to store authentication tokens securely in a web application?"
• "Review this JavaScript code for potential XSS vulnerabilities."

Tips & gotchas

• The skill focuses on preventative measures and secure coding practices, not vulnerability scanning or penetration testing.
• Always prioritize validation and sanitization of user input at all boundaries.
• Be mindful of Content Security Policy (CSP) when using dynamic content; avoid inline scripts and styles where possible.