Secure Coding Guide for Web Applications

Comprehensive secure coding practices for web applications. Approach code from a bug hunter's perspective and make applications as secure as possible without breaking functionality.

When to Use This Skill

• Writing new web application endpoints or API routes
• Reviewing PRs that handle user input, authentication, or file uploads
• Implementing authentication, authorization, or session management
• Working with file uploads, redirects, or URL-based features
• Adding security headers or CSP policies
• Avoid using for infrastructure/network security — use defense-in-depth instead

Workflow

Step 1: Identify Attack Surface

Determine which security domains apply to the code under review: