react-security
Installation
SKILL.md
React Security
Priority: P0 (CRITICAL)
Prevent XSS Attacks
- Never use
dangerouslySetInnerHTMLwithout sanitization. UseDOMPurify.sanitize(input)for all user-provided HTML. - Avoid
javascript:protocols inhreforsrc.
See implementation examples for DOMPurify sanitization and secure cookie configuration.
Secure Authentication
- Store JWT/Sessions in
HttpOnlyandSecurecookies to prevent theft via XSS. Never store secrets inlocalStorageor in built JS bundle. - Data Flow: Escape all serialized state if injecting into HTML (e.g., in SSR). Use Content Security Policy (CSP) to restrict script sources and prevent inline execution.