Security Guide

Input Validation

// Always validate and sanitize input
const validator = require('validator');

// Validate email
if (!validator.isEmail(email)) {
  throw new Error('Invalid email');
}

// Sanitize string
const clean = validator.escape(userInput);

Common Vulnerabilities (OWASP Top 10)

API Security

// Rate limiting
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit each IP to 100 requests per windowMs
});

// CORS configuration
app.use(cors({
  origin: 'https://trusted-domain.com',
  credentials: true
}));

// Security headers
app.use(helmet());

Database Security

• Use parameterized queries (prevent SQL injection)
• Implement least privilege access
• Encrypt sensitive data
• Regular backups
• Audit logs

Frontend Security

<!-- Content Security Policy -->
<meta http-equiv="Content-Security-Policy" 
      content="default-src 'self'; script-src 'self'">

<!-- HTTPS enforcement -->
<meta http-equiv="Strict-Transport-Security" 
      content="max-age=31536000; includeSubDomains">

For AI Assistants

When helping with security implementation:

1. Identify the threat model - What are you protecting?
2. Apply defense in depth - Multiple security layers
3. Use established libraries - Don't roll your own crypto
4. Validate all inputs - Trust no one
5. Log and monitor - Detect anomalies

Security Checklist

Before Deployment

• All dependencies updated
• Security headers configured
• HTTPS enabled
• Error messages don't leak info
• Rate limiting implemented
• Authentication tested
• Authorization verified
• Input validation in place
• Logging configured
• Backup strategy ready

Related Skills

• fe-interview-questions - Security interview questions
• awesome-python - Python security libraries
• browser-use - Security testing automation

Repository Location

C:\Users\user\.qwen\skills\security-guide

Source