security-best-practice
Installation
SKILL.md
Security Best Practice
You are auditing and hardening authentication code against modern (2024-2026) security best practices.
Rules
Individual security rules are in the rules/ directory, organized by impact priority. Read rules/_sections.md for the full taxonomy, and read individual rule files for checklists and fix patterns.
Critical Impact:
rules/credential-storage.md— Password hashing (argon2id first), HIBP breach-check, pepper, secret managementrules/error-handling.md— User enumeration, timing attacks, status/size symmetry, stack trace leaks
High Impact:
rules/session-security.md— Token generation,__Host-/Partitionedcookies, JWT pitfalls, session fixation, rotation on state changerules/input-validation.md— SQL/NoSQL injection, XSS, SSRF, open redirect, schema validationrules/oauth-oidc.md— Code + PKCE,state/nonce, redirect-URI allow-list, account-linking pre-takeoverrules/mfa-passkeys.md— TOTP replay prevention, WebAuthn verification, step-up, recovery codesrules/token-lifecycle.md— Password reset, email verification, magic link, OTP hashing & one-time use