web-security

Originally from academind/ai-config (SKILL.md)

Web Security

Cross-cutting browser-facing security guidance for production web applications. This skill deepens topics that span API design, frontend, and backend — CSRF, XSS, CSP, cookies, sessions, auth, JWT, OAuth 2.1, CORS, headers, SSRF, input validation, and supply chain security.

Based on OWASP cheat sheets (2024), Google BeyondCorp, Stripe security patterns, Cloudflare production configs, Mozilla Web Security Guidelines, Auth0/Okta best practices, the OAuth 2.1 draft (as of January 2025), and the OAuth 2.0 Security BCP (RFC 9700, January 2025).

Scope boundary: This skill covers what to enforce and why. For implementation details, see:

  • Rust/Axum middleware and Tower layers → Rust skill (/rust §9, §12)
  • React patterns, dangerouslySetInnerHTML, href validation → TypeScript skill (/typescript §11)
  • API contract decisions (error format, status codes, auth headers) → API Design skill (/api-design §10-11)

1. Threat Model

Browser vs API attack surfaces

Attack Vector Target
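The distinction this threat-model section draws is about ambient authority: a session cookie is attached by the browser to any request from any origin, while a bearer token has to be placed in the header by the caller's own code. The following is an added example for this section, not code from the academind/ai-config skill or the original page. It classifies an inbound request by which surface it belongs to and applies the CSRF check only where cookie authority makes one necessary, using Fetch Metadata first and an Origin/Referer allow-list as the fallback for older browsers. It assumes a plain request object of the form `{ method, headers, cookies }` with lower-case header names, a hypothetical session cookie named `session`, and a hypothetical allowed-origin list `ALLOWED`.

```javascript
// Added example (not part of the original skill). Classify an inbound
// request by the credential the browser attaches and decide whether a
// CSRF origin check is needed and, if so, whether it passes.
// Assumptions: req = { method, headers, cookies }, header names lower-case,
// session cookie named "session", allowedOrigins is a list of exact origins.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Origin of an absolute URL, or null when it cannot be parsed.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Returns { surface, csrfRequired, allowed, reason }.
//   surface "api"       -> caller-supplied bearer token, no ambient authority
//           "browser"   -> session cookie, sent by the browser from any site
//           "anonymous" -> no credential attached
function classifyRequest(req, allowedOrigins) {
  const h = req.headers || {};
  const method = (req.method || "GET").toUpperCase();
  const authz = (h["authorization"] || "").trim();
  const hasBearer = /^bearer\s+\S+/i.test(authz);
  const hasSessionCookie = Boolean(req.cookies && req.cookies.session);

  if (hasBearer) {
    // A cross-site <form> or simple fetch cannot add an Authorization
    // header, so CSRF does not apply. CORS (and the preflight that the
    // non-safelisted Authorization header triggers) governs what a
    // cross-origin script may send and read.
    return { surface: "api", csrfRequired: false, allowed: true, reason: "bearer token is not ambient" };
  }
  if (!hasSessionCookie) {
    return { surface: "anonymous", csrfRequired: false, allowed: true, reason: "no credential attached" };
  }
  if (SAFE_METHODS.has(method)) {
    // Safe methods must not change state; a cross-site GET is then harmless
    // provided CORS keeps the response unreadable to the attacker's page.
    return { surface: "browser", csrfRequired: false, allowed: true, reason: "safe method" };
  }

  // Cookie-authenticated and state-changing: the browser would send this
  // from an attacker's page too, so the request has to prove its provenance.
  const site = (h["sec-fetch-site"] || "").toLowerCase();
  if (site) {
    // Fetch Metadata is set by the browser and cannot be forged by a page.
    // "none" is a user-initiated navigation (bookmark, typed URL).
    // "same-site" is rejected here on purpose: a sibling subdomain is still
    // another origin; relax this only if you intend to share sessions across subdomains.
    const ok = site === "same-origin" || site === "none";
    return { surface: "browser", csrfRequired: true, allowed: ok, reason: `Sec-Fetch-Site=${site}` };
  }
  // Older browsers: fall back to Origin, then Referer, and fail closed.
  const origin = h["origin"] || (h["referer"] ? originOf(h["referer"]) : null);
  if (!origin) {
    return { surface: "browser", csrfRequired: true, allowed: false, reason: "no Sec-Fetch-Site, Origin or Referer; fail closed" };
  }
  const ok = allowedOrigins.includes(origin);
  return { surface: "browser", csrfRequired: true, allowed: ok, reason: `Origin=${origin}` };
}

// Constructed sample traffic (not captured from any real system).
const ALLOWED = ["https://app.example"];
const SAMPLES = {
  crossSiteForm:   { method: "POST",   headers: { origin: "https://evil.example" }, cookies: { session: "abc" } },
  sameOriginFetch: { method: "POST",   headers: { "sec-fetch-site": "same-origin", origin: "https://app.example" }, cookies: { session: "abc" } },
  crossSiteFetch:  { method: "POST",   headers: { "sec-fetch-site": "cross-site", origin: "https://evil.example" }, cookies: { session: "abc" } },
  bearerApi:       { method: "DELETE", headers: { authorization: "Bearer eyJ.header.payload" } },
  cookieRead:      { method: "GET",    headers: {}, cookies: { session: "abc" } },
  headerless:      { method: "POST",   headers: {}, cookies: { session: "abc" } },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name, classifyRequest(req, ALLOWED));
}
```

The point the classifier makes explicit is that the CSRF branch is reached only for the browser surface: an API authenticated purely by bearer token gets no CSRF check, but it still needs CORS and the other controls this skill lists. Treating a request as "api" because it carries a bearer token is only sound if the same endpoint does not also accept the session cookie; an endpoint that accepts either credential must be classified by the weaker one.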
Installs: 19 · GitHub stars: 2 · First seen: Feb 25, 2026