Security best practices for production applications including PII protection, input validation, SQL injection prevention, XSS mitigation, and secure logging. Apply when handling user data, authentication, or external inputs.
Implement security best practices to protect user data and prevent common vulnerabilities.
Related instructions:
- pii-protection.instructions.md - Hashing, redaction, compliance
- input-validation.instructions.md - Prevent injection attacks
- secure-authentication.instructions.md - Password storage, sessions

Core principles:
- Defense in depth: multiple layers of security, never a single control
- Fail secure: when errors occur, fail to a secure state (deny access, don't leak info)
- Least privilege: grant the minimum necessary permissions
- Zero trust for inputs: validate, sanitize, and escape ALL external data
- Secure by design: build security in from the start, not as an afterthought
NEVER log raw user inputs that may contain PII.
Examples of PII: email addresses, names, phone numbers, physical addresses, government ID numbers, and free-text user input such as search queries or messages, which may contain any of the above.
Safe Logging Pattern:
```javascript
import { createHash } from 'crypto';

// userQuery, user and logger come from the surrounding request handler.

// ❌ NEVER do this: raw query text and email address land in the log
logger.log({ query: userQuery, email: user.email });

// ✅ Hash PII, log metadata
const queryHash = createHash('sha256')
  .update(userQuery)
  .digest('hex')
  .substring(0, 16);   // 64 bits is enough to correlate and keeps log lines short
logger.log({
  queryHash,                      // Can correlate same queries
  queryLength: userQuery.length,  // Metadata OK
  userId: user.id                 // Non-PII identifier OK
});
```

Caveat: an unkeyed hash of low-entropy PII (an email address, a short query) can be reversed offline by hashing candidate values, so anyone with log access can still recover it. For fields you hash only to correlate, use an HMAC with a secret held outside the logging pipeline (crypto.createHmac('sha256', key)), truncate as above, and rotate the key if the logs are ever exposed.
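Hashing covers the fields you already know hold PII; free-text fields can carry PII nobody anticipated. The following added example (not code from the original instructions file; `redactForLog`, `DROP_KEYS`, the regexes and the sample record are this example's own, constructed for illustration) masks email addresses, North American phone numbers and Luhn-valid card numbers inside any string field, refuses to log secret-bearing keys outright, and needs nothing beyond plain Node.js. Regex redaction is a backstop for the hash-and-metadata pattern above, not a replacement for it; tune the patterns to the data your application actually sees.

```javascript
// Added example: scrub PII from a log record before it reaches the logger.
// Names, patterns and sample data are this example's own, not the page's.

// Keys whose values must never reach a log, even masked.
const DROP_KEYS = new Set([
  'password', 'passwd', 'secret', 'token', 'authorization', 'cookie', 'ssn'
]);

// Patterns for PII that hides inside free text. Card detection is confirmed
// with a Luhn check so ordinary 13-19 digit numbers are left alone.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const CARD_RE = /\b\d(?:[ -]?\d){12,18}\b/g;
const PHONE_RE = /(?:\+1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/g;

// Luhn checksum over a string of digits (valid for every real card scheme).
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {          // double every second digit from the right
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Mask PII inside one string. Order matters: cards before phones, because a
// 16-digit card would otherwise be partially eaten by the phone pattern.
function redactString(s) {
  return s
    .replace(EMAIL_RE, m => {
      const [local, domain] = m.split('@');
      return `${local[0]}***@${domain}`;   // keep enough to recognise the domain
    })
    .replace(CARD_RE, m => (luhnValid(m.replace(/\D/g, '')) ? '[CARD]' : m))
    .replace(PHONE_RE, '[PHONE]');
}

// Walk an arbitrary record: drop secret keys, scrub strings, recurse into
// arrays and objects, pass numbers/booleans/null through unchanged.
function redactForLog(value, depth = 0) {
  if (depth > 8) return '[TRUNCATED]';   // guard against cycles and runaway nesting
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map(v => redactForLog(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = DROP_KEYS.has(key.toLowerCase())
        ? '[REDACTED]'
        : redactForLog(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Constructed sample record, as a request handler might assemble it.
const SAMPLE_RECORD = {
  userId: 42,
  email: 'alice.smith@example.com',
  password: 'hunter2',
  note: 'call +1 (555) 123-4567 or pay with 4111 1111 1111 1111',
  tags: ['x@y.io']
};

console.log(JSON.stringify(redactForLog(SAMPLE_RECORD)));
```

Wrap your logger so every record passes through `redactForLog` once, at the boundary, rather than trusting each call site to remember; the hash-based correlation fields from the pattern above are untouched by it because they contain no matching text.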
Putting the layers together in one request handler:

```javascript
import { Router } from 'express';
import { createHash } from 'crypto';
import { z } from 'zod';

// db (a client that supports parameterized queries, such as pg) and logger
// are provided by the surrounding application; only the handler is shown.
const router = Router();

// Same truncated SHA-256 correlation token as the logging pattern above.
const hash = (value) =>
  createHash('sha256').update(value).digest('hex').substring(0, 16);

router.post('/search', async (req, res) => {
  // 1. Validate input. safeParse never throws, so a bad body becomes a 400
  //    instead of an unhandled exception (fail secure, no stack trace leak).
  const schema = z.object({
    query: z.string().min(1).max(500),
    limit: z.number().int().min(1).max(100).optional()
  });
  const parsed = schema.safeParse(req.body);
  if (!parsed.success) {
    return res.status(400).json({ error: 'invalid request' });
  }
  const validated = parsed.data;

  // 2. Parameterized query: the user value never becomes SQL text.
  //    `%` and `_` inside the query are still LIKE wildcards, so escape them
  //    if matching must be literal. Select only the columns the client
  //    needs rather than SELECT *, so internal fields never leave the server.
  const results = await db.query(
    'SELECT id, name FROM items WHERE name LIKE $1 LIMIT $2',
    [`%${validated.query}%`, validated.limit ?? 10]
  );

  // 3. Log securely (hash PII, keep metadata)
  logger.info({
    event: 'search',
    queryHash: hash(validated.query),
    resultCount: results.length,
    userId: req.user?.id
  });

  // 4. Return results (no sensitive internal data)
  res.json({ results });
});
```
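The handler above leans on zod for the shape check and leaves `%` and `_` in the query as live LIKE wildcards. This added example (not part of the original instructions; `validateSearchInput`, `escapeLike` and `buildSearchQuery` are names chosen here, and the `ESCAPE '\'` clause assumes a PostgreSQL-style LIKE) shows the same validate-then-parameterize steps without any library, so it runs stand-alone: validation either returns a value with defaults applied or a list of errors for a 400 response (nothing is coerced and unknown fields are rejected rather than silently dropped), and the query builder returns the SQL text plus the parameter array you would hand to a client such as pg.

```javascript
// Added example: fail-secure validation of the /search body and literal
// LIKE matching. Names and limits are this example's own.

const MAX_QUERY_LEN = 500;
const MAX_LIMIT = 100;
const DEFAULT_LIMIT = 10;
const ALLOWED_FIELDS = new Set(['query', 'limit']);

// Returns { ok: true, value } or { ok: false, errors }. Every problem is
// collected so the client sees them all, but nothing is coerced or guessed.
function validateSearchInput(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  const { query, limit } = body;
  if (typeof query !== 'string' || query.length < 1 || query.length > MAX_QUERY_LEN) {
    errors.push(`query must be a string of 1..${MAX_QUERY_LEN} characters`);
  }
  let effectiveLimit = DEFAULT_LIMIT;
  if (limit !== undefined) {
    // '5' is not 5: a string here is a client bug or a probe, reject it.
    if (!Number.isInteger(limit) || limit < 1 || limit > MAX_LIMIT) {
      errors.push(`limit must be an integer in 1..${MAX_LIMIT}`);
    } else {
      effectiveLimit = limit;
    }
  }
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { query, limit: effectiveLimit } };
}

// Escape LIKE metacharacters so user text matches literally. Parameterization
// stops SQL injection; it does nothing about wildcard abuse ("%" matches
// everything, "_" matches any character), which this handles.
function escapeLike(s) {
  return s.replace(/[\\%_]/g, ch => '\\' + ch);
}

// Build the statement and its parameters. The user's text only ever appears
// in `values`, never in `text`.
function buildSearchQuery({ query, limit }) {
  return {
    text: "SELECT id, name FROM items WHERE name LIKE $1 ESCAPE '\\' LIMIT $2",
    values: [`%${escapeLike(query)}%`, limit]
  };
}

// Constructed request bodies: one hostile, one legitimate.
const hostile = validateSearchInput({ query: '', limit: 1000, admin: true });
const legit = validateSearchInput({ query: '50% off' });
console.log(JSON.stringify(hostile));
console.log(JSON.stringify(legit.ok ? buildSearchQuery(legit.value) : legit));
```

In the route, an `ok: false` result maps to `res.status(400).json({ errors })`; the error strings describe the schema, not the submitted values, so they are safe to return and to log.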
Related Skills: claude-framework (Security S-1 through S-5), fullstack-expertise