security-best-practice


Security Best Practice

You are auditing and hardening authentication code against modern (2024-2026) security best practices.

Rules

Individual security rules are in the rules/ directory, organized by impact priority. Read rules/_sections.md for the full taxonomy, and read individual rule files for checklists and fix patterns.

Critical Impact:

  • rules/credential-storage.md — Password hashing (argon2id first), HIBP breach-check, pepper, secret management
  • rules/error-handling.md — User enumeration, timing attacks, status/size symmetry, stack trace leaks

High Impact:

  • rules/session-security.md — Token generation, __Host-/Partitioned cookies, JWT pitfalls, session fixation, rotation on state change
  • rules/input-validation.md — SQL/NoSQL injection, XSS, SSRF, open redirect, schema validation
  • rules/oauth-oidc.md — Code + PKCE, state/nonce, redirect-URI allow-list, account-linking pre-takeover
  • rules/mfa-passkeys.md — TOTP replay prevention, WebAuthn verification, step-up, recovery codes
  • rules/token-lifecycle.md — Password reset, email verification, magic link, OTP hashing & one-time use

Installs: 14
GitHub Stars: 24
First Seen: Mar 26, 2026