security-audit


/security-audit

Audit a TypeScript and React frontend against an opinionated security baseline organised in four layers: (1) authentication, authorization and sessions; (2) input handling and XSS prevention; (3) transport, headers and cookies; (4) secrets, data protection and third-party integrations. The audit is preceded by a diagnostic snapshot of the codebase, and the skill then offers to generate an implementation plan for the gaps it found.

Scope: frontend-only

This skill targets browser-shipped code and the frontend-relevant infrastructure that surrounds it. It is deliberately not a full-stack security audit. The user should know exactly what they are getting before they trust the report.

In scope

  • React and TypeScript code shipped to browsers.
  • Frontend-relevant security configuration wherever it lives: framework configuration (Next.js headers(), Remix loader/action headers, Vite plugins) and deployment configuration (vercel.json, netlify.toml, Cloudflare Pages _headers, Apache/Nginx config when checked into the repository).
  • Frontend-side OAuth and OpenID Connect flow patterns (PKCE, state, nonce, redirect URI handling).
  • Client-side data-protection patterns (localStorage hygiene, PII in URLs and analytics events, secrets in source).
  • Third-party integration safety (Subresource Integrity for external scripts, iframe sandboxing, postMessage origin validation).
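To make the in-scope items above concrete, here is an added example, written for this page and not part of the security-audit skill or the cw-codewalnut/architectplaybook repository. It is a minimal static checker for four of the listed checks (SRI on external scripts, iframe sandboxing, postMessage origin validation, and response headers), run over constructed HTML, TypeScript and header samples. The required-header list, the rule names and the sample inputs are assumptions made for the example; the checks are regex heuristics, not a parser, so treat their output as review prompts rather than verdicts.

```typescript
// Added example, not part of the security-audit skill: a minimal static checker for
// four of the in-scope items, run over constructed inputs. Regex heuristics only.

interface Finding { rule: string; detail: string }

// Headers this example treats as required on HTML responses (an assumption made for
// the example, not the skill's own baseline).
const REQUIRED_HEADERS = [
  "content-security-policy",
  "strict-transport-security",
  "x-content-type-options",
  "referrer-policy",
];

// Value of a quoted attribute, or null if absent; hasAttr also catches boolean attributes.
function attr(tag: string, name: string): string | null {
  const m = new RegExp("\\b" + name + "\\s*=\\s*[\"']([^\"']*)[\"']", "i").exec(tag);
  return m ? m[1] : null;
}
function hasAttr(tag: string, name: string): boolean {
  return new RegExp("\\b" + name + "\\b", "i").test(tag);
}

// 1. SRI: a cross-origin <script src> needs integrity= and crossorigin=. Without
//    crossorigin the response is opaque, the hash check fails and the script is blocked.
function checkExternalScripts(html: string): Finding[] {
  const findings: Finding[] = [];
  const tagRe = /<script\b[^>]*>/gi;
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(html)) !== null) {
    const src = attr(m[0], "src");
    if (src === null || !/^(https?:)?\/\//i.test(src)) continue; // inline or same-origin path
    const integrity = attr(m[0], "integrity");
    if (integrity === null || !/^sha(256|384|512)-/.test(integrity)) {
      findings.push({ rule: "sri-missing", detail: src });
    } else if (!hasAttr(m[0], "crossorigin")) {
      findings.push({ rule: "sri-without-crossorigin", detail: src });
    }
  }
  return findings;
}

// 2. iframe sandboxing: no sandbox= means full script/form/popup/top-navigation rights.
//    allow-scripts plus allow-same-origin is flagged for review: a same-origin frame
//    could then remove its own sandbox attribute.
function checkIframes(html: string): Finding[] {
  const findings: Finding[] = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(html)) !== null) {
    const src = attr(m[0], "src") || "(no src)";
    if (!hasAttr(m[0], "sandbox")) {
      findings.push({ rule: "iframe-unsandboxed", detail: src });
      continue;
    }
    const tokens = attr(m[0], "sandbox") || "";
    if (/\ballow-scripts\b/.test(tokens) && /\ballow-same-origin\b/.test(tokens)) {
      findings.push({ rule: "iframe-sandbox-review", detail: src });
    }
  }
  return findings;
}

// 3. postMessage: an inline "message" listener that never reads event.origin accepts
//    messages from any window. Handlers referenced by name are reported for manual review.
function listenerBody(source: string, from: number): string {
  const open = source.indexOf("{", from);
  if (open < 0) return "";
  let depth = 0;
  for (let i = open; i < source.length; i++) {
    if (source.charAt(i) === "{") depth++;
    else if (source.charAt(i) === "}" && --depth === 0) return source.slice(open + 1, i);
  }
  return source.slice(open + 1);
}
function checkMessageListeners(source: string): Finding[] {
  const findings: Finding[] = [];
  const re = /addEventListener\(\s*["']message["']\s*,\s*([^{\n]*)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const where = "offset " + m.index;
    if (!/=>|\bfunction\b/.test(m[1])) {              // named handler, not resolved here
      findings.push({ rule: "postmessage-handler-review", detail: where });
      continue;
    }
    if (!/\.origin\b/.test(listenerBody(source, m.index + m[0].length))) {
      findings.push({ rule: "postmessage-no-origin-check", detail: where });
    }
  }
  return findings;
}

// 4. Headers: required headers absent (case-insensitive) and a CSP whose effective
//    script-src carries 'unsafe-inline' (ignoring the CSP3 nonce/hash override).
function checkHeaders(headers: { [name: string]: string }): Finding[] {
  const findings: Finding[] = [];
  const lower: { [name: string]: string } = {};
  for (const k of Object.keys(headers)) lower[k.toLowerCase()] = headers[k];
  for (const h of REQUIRED_HEADERS) {
    if (!(h in lower)) findings.push({ rule: "header-missing", detail: h });
  }
  const csp = lower["content-security-policy"];
  if (csp) {
    const m = /(?:^|;)\s*script-src\s+([^;]*)/i.exec(csp) || /(?:^|;)\s*default-src\s+([^;]*)/i.exec(csp);
    if (m && /'unsafe-inline'/i.test(m[1])) {
      findings.push({ rule: "csp-unsafe-inline-script", detail: m[1].trim() });
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_HTML = `
<script src="https://cdn.example/widget.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example/ok.js" integrity="sha384-BBBB" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<iframe src="https://embed.example/player"></iframe>
<iframe src="https://embed.example/safe" sandbox="allow-scripts"></iframe>
`;
const SAMPLE_SOURCE = `
window.addEventListener("message", (e: MessageEvent) => {
  render(e.data);                                  // trusts any sender
});
window.addEventListener("message", (e: MessageEvent) => {
  if (e.origin !== "https://embed.example") return; // allowlisted origin
  render(e.data);
});
`;
const SAMPLE_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
};

function auditSample(): Finding[] {
  return checkExternalScripts(SAMPLE_HTML)
    .concat(checkIframes(SAMPLE_HTML), checkMessageListeners(SAMPLE_SOURCE), checkHeaders(SAMPLE_HEADERS));
}

console.log(auditSample().map((f) => f.rule + ": " + f.detail).join("\n"));
```

Run against the samples, the checker reports seven findings: the widget script with no SRI, the lib script whose hash can never be verified, the unsandboxed player frame, the first message listener that trusts any sender, two absent headers, and the CSP whose script-src allows inline scripts. The second listener, the same-origin script, the sandboxed frame and the fully attributed ok.js produce nothing, which is the point of keeping the rules narrow: a real audit layers these heuristics on top of reading the code, not in place of it.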

Out of scope

security-audit — cw-codewalnut/architectplaybook