security-defensive-programming

Write code that anticipates misuse, invalid input, and unexpected conditions — failing safely rather than silently corrupting state or exposing vulnerabilities.

When to use

Use this skill when:

  • Writing or modifying any function that accepts external input (HTTP requests, CLI arguments, file contents, environment variables, database results, message queues)
  • Creating APIs, controllers, services, or data processing logic
  • Handling authentication, authorization, or session management
  • Working with file systems, databases, or network calls
  • Constructing queries, commands, or output that includes dynamic values
  • The user asks to implement any feature that processes data from an untrusted or semi-trusted source

Core concepts

Defensive programming assumes that all input is hostile until proven otherwise and that any operation can fail. The goal is not to over-engineer but to prevent entire vulnerability classes by applying consistent, minimal safeguards at the right boundaries.

Installs: 22
First Seen: May 1, 2026
security-defensive-programming — xip-online-applications/skills