From b4f4aadfa94742c1251172b952d5499852a4262b Mon Sep 17 00:00:00 2001 From: Zhongwei Li Date: Sat, 29 Nov 2025 18:46:42 +0800 Subject: [PATCH] Initial commit --- .claude-plugin/plugin.json | 12 + README.md | 3 + plugin.lock.json | 45 ++ skills/security-hardening-checklist/SKILL.md | 502 +++++++++++++++++++ 4 files changed, 562 insertions(+) create mode 100644 .claude-plugin/plugin.json create mode 100644 README.md create mode 100644 plugin.lock.json create mode 100644 skills/security-hardening-checklist/SKILL.md diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json new file mode 100644 index 0000000..6aa0000 --- /dev/null +++ b/.claude-plugin/plugin.json @@ -0,0 +1,12 @@ +{ + "name": "security-hardening-checklist", + "description": "This skill should be used when the user requests to audit, check, or improve application security by analyzing security headers, cookie configuration, RLS policies, input sanitization, rate limiting, and other security measures. It generates a comprehensive security audit report with actionable recommendations. Trigger terms include security audit, security check, harden security, security review, vulnerability check, security headers, secure cookies, input validation, rate limiting, security be", + "version": "1.0.0", + "author": { + "name": "Hope Overture", + "email": "support@worldbuilding-app-skills.dev" + }, + "skills": [ + "./skills" + ] +} \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..486abbc --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# security-hardening-checklist + +This skill should be used when the user requests to audit, check, or improve application security by analyzing security headers, cookie configuration, RLS policies, input sanitization, rate limiting, and other security measures. It generates a comprehensive security audit report with actionable recommendations. Trigger terms include security audit, security check, harden security, security review, vulnerability check, security headers, secure cookies, input validation, rate limiting, security be diff --git a/plugin.lock.json b/plugin.lock.json new file mode 100644 index 0000000..6b92cda --- /dev/null +++ b/plugin.lock.json @@ -0,0 +1,45 @@ +{ + "$schema": "internal://schemas/plugin.lock.v1.json", + "pluginId": "gh:hopeoverture/worldbuilding-app-skills:plugins/security-hardening-checklist", + "normalized": { + "repo": null, + "ref": "refs/tags/v20251128.0", + "commit": "1c41b6e9d1650e3cab3380042af415f23024e29e", + "treeHash": "0c17088b59c9d5c1628c68f2fd4067b8dc6db84a70d305eb1e33b9c389c8430a", + "generatedAt": "2025-11-28T10:17:30.823091Z", + "toolVersion": "publish_plugins.py@0.2.0" + }, + "origin": { + "remote": "git@github.com:zhongweili/42plugin-data.git", + "branch": "master", + "commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390", + "repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data" + }, + "manifest": { + "name": "security-hardening-checklist", + "description": "This skill should be used when the user requests to audit, check, or improve application security by analyzing security headers, cookie configuration, RLS policies, input sanitization, rate limiting, and other security measures. It generates a comprehensive security audit report with actionable recommendations. Trigger terms include security audit, security check, harden security, security review, vulnerability check, security headers, secure cookies, input validation, rate limiting, security be", + "version": "1.0.0" + }, + "content": { + "files": [ + { + "path": "README.md", + "sha256": "d425d97cbc72f693c88225598240626af422e3ae62172450fcec58cf463a9a74" + }, + { + "path": ".claude-plugin/plugin.json", + "sha256": "a23298cac2e36ca10559fb6326d10409857d04f2c2825497c44c7f6b643c8b2b" + }, + { + "path": "skills/security-hardening-checklist/SKILL.md", + "sha256": "fe918698b20ea0f43299b6bffa7b85623615a01bb7531b0d31bc01333448bfa3" + } + ], + "dirSha256": "0c17088b59c9d5c1628c68f2fd4067b8dc6db84a70d305eb1e33b9c389c8430a" + }, + "security": { + "scannedAt": null, + "scannerVersion": null, + "flags": [] + } +} \ No newline at end of file diff --git a/skills/security-hardening-checklist/SKILL.md b/skills/security-hardening-checklist/SKILL.md new file mode 100644 index 0000000..98e5945 --- /dev/null +++ b/skills/security-hardening-checklist/SKILL.md @@ -0,0 +1,502 @@ +--- +name: security-hardening-checklist +description: This skill should be used when the user requests to audit, check, or improve application security by analyzing security headers, cookie configuration, RLS policies, input sanitization, rate limiting, and other security measures. It generates a comprehensive security audit report with actionable recommendations. Trigger terms include security audit, security check, harden security, security review, vulnerability check, security headers, secure cookies, input validation, rate limiting, security best practices. +allowed-tools: Read, Grep, Glob, Bash +--- + +# Security Hardening Checklist + +To perform a comprehensive security audit and generate hardening recommendations, follow these steps systematically. + +## Step 1: Project Discovery + +Identify the project structure and tech stack: + +1. Use Glob to find key files: + - `package.json` - Dependencies and scripts + - `next.config.*` - Next.js configuration + - `middleware.ts` - Middleware setup + - `app/**/*.{ts,tsx}` - Application routes + - `.env.example` - Environment variables + +2. Identify authentication provider (Supabase, NextAuth, Clerk, etc.) +3. Identify database type (PostgreSQL, MySQL, MongoDB, etc.) +4. Check for security libraries (helmet, rate-limit, etc.) + +## Step 2: Security Headers Audit + +Check for security headers configuration. + +### Check Next.js Config + +Use Grep to search for security headers in `next.config.js/ts`: +``` +- "X-Frame-Options" +- "X-Content-Type-Options" +- "X-XSS-Protection" +- "Strict-Transport-Security" +- "Content-Security-Policy" +- "Referrer-Policy" +- "Permissions-Policy" +``` + +### Generate Missing Headers + +Consult `references/security-headers.md` and create configuration: + +```typescript +// next.config.ts +const securityHeaders = [ + { + key: 'X-DNS-Prefetch-Control', + value: 'on' + }, + { + key: 'Strict-Transport-Security', + value: 'max-age=63072000; includeSubDomains; preload' + }, + { + key: 'X-Frame-Options', + value: 'SAMEORIGIN' + }, + { + key: 'X-Content-Type-Options', + value: 'nosniff' + }, + { + key: 'X-XSS-Protection', + value: '1; mode=block' + }, + { + key: 'Referrer-Policy', + value: 'strict-origin-when-cross-origin' + }, + { + key: 'Permissions-Policy', + value: 'camera=(), microphone=(), geolocation=()' + } +] + +const nextConfig = { + async headers() { + return [ + { + source: '/:path*', + headers: securityHeaders, + }, + ] + }, +} +``` + +## Step 3: Cookie Security Audit + +Check cookie configuration for auth and session management. + +### Check for Insecure Cookie Settings + +Use Grep to search for cookie operations: +``` +- "setCookie" +- "cookies().set" +- "document.cookie" +- "res.cookie" +``` + +### Review Cookie Security Attributes + +Check for: +- `httpOnly: true` - Prevents JavaScript access +- `secure: true` - HTTPS only +- `sameSite: 'strict'` or `'lax'` - CSRF protection +- Proper expiration times + +### Generate Secure Cookie Helper + +```typescript +// lib/cookies.ts +import { cookies } from 'next/headers' + +export function setSecureCookie( + name: string, + value: string, + maxAge: number = 3600 +) { + cookies().set(name, value, { + httpOnly: true, + secure: process.env.NODE_ENV === 'production', + sameSite: 'strict', + maxAge, + path: '/', + }) +} +``` + +## Step 4: RLS Policy Audit + +For Supabase/PostgreSQL projects, audit Row-Level Security. + +### Check RLS Status + +Search for migration files or schema files: +```sql +-- Check if RLS is enabled +ALTER TABLE table_name ENABLE ROW LEVEL SECURITY; +``` + +### Identify Tables Without RLS + +Use Grep to find table definitions and check which lack RLS policies. + +### Flag Security Gaps + +- Tables with user data but no RLS +- Tables with RLS but no policies +- Policies that may be too permissive +- Missing WITH CHECK clauses + +Consult `references/rls-checklist.md` for comprehensive checks. + +## Step 5: Input Sanitization Audit + +Check for unsafe input handling. + +### Search for Direct Database Queries + +Use Grep to find potential SQL injection risks: +``` +- "`.query(`" +- "`${" (template literals in queries) +- "raw(" +``` + +### Check Form Input Validation + +Search for form handlers without validation: +``` +- "formData.get(" +- "request.json()" +- "params." +``` + +### Validate Zod Usage + +Check if forms use Zod or similar validation: +``` +- "z.object" +- "safeParse" +- "parse" +``` + +### Generate Validation Examples + +```typescript +// lib/validations/common.ts +import { z } from 'zod' + +// Sanitize HTML input +export const sanitizeHtml = (input: string): string => { + return input + .replace(//g, '>') + .replace(/"/g, '"') + .replace(/'/g, ''') + .replace(/\//g, '/') +} + +// Common validation schemas +export const emailSchema = z.string().email() +export const urlSchema = z.string().url() +export const uuidSchema = z.string().uuid() +export const slugSchema = z.string().regex(/^[a-z0-9-]+$/) +``` + +## Step 6: Rate Limiting Audit + +Check for rate limiting on API routes and actions. + +### Check for Rate Limiting Libraries + +Search package.json for: +- `@upstash/ratelimit` +- `express-rate-limit` +- `rate-limiter-flexible` + +### Identify Unprotected Endpoints + +Use Glob to find all API routes: +``` +app/api/**/route.ts +``` + +Search each for rate limiting code. + +### Generate Rate Limiting Implementation + +```typescript +// lib/rate-limit.ts +import { Ratelimit } from '@upstash/ratelimit' +import { Redis } from '@upstash/redis' + +export const authRateLimit = new Ratelimit({ + redis: Redis.fromEnv(), + limiter: Ratelimit.slidingWindow(5, '1 m'), + prefix: 'ratelimit:auth', +}) + +export const apiRateLimit = new Ratelimit({ + redis: Redis.fromEnv(), + limiter: Ratelimit.slidingWindow(100, '1 m'), + prefix: 'ratelimit:api', +}) + +// Usage in API route +export async function POST(request: Request) { + const ip = request.headers.get('x-forwarded-for') ?? 'unknown' + const { success } = await authRateLimit.limit(ip) + + if (!success) { + return new Response('Rate limit exceeded', { status: 429 }) + } + + // Handle request +} +``` + +## Step 7: Environment Variables Audit + +Check for exposed secrets and proper env var handling. + +### Check .env.example + +Verify sensitive variables are not committed: +- Database URLs with credentials +- API keys +- JWT secrets + +### Search for Hardcoded Secrets + +Use Grep to find potential hardcoded secrets: +``` +- "password.*=.*['\"]" +- "secret.*=.*['\"]" +- "api[-_]?key.*=.*['\"]" +- "token.*=.*['\"]" +``` + +### Check Client-Side Exposure + +Search for env vars used in client components: +``` +- "process.env" in files with "use client" +``` + +Only `NEXT_PUBLIC_*` vars should be in client code. + +## Step 8: HTTPS and Transport Security + +Verify HTTPS is enforced. + +### Check for HTTP Links + +Use Grep to find insecure URLs: +``` +- "http://" (not in comments) +``` + +### Check Middleware for HTTPS Redirect + +Look for HTTPS enforcement in middleware. + +### Generate HTTPS Enforcement + +```typescript +// middleware.ts +export function middleware(request: NextRequest) { + // Enforce HTTPS in production + if ( + process.env.NODE_ENV === 'production' && + request.headers.get('x-forwarded-proto') !== 'https' + ) { + return NextResponse.redirect( + `https://${request.headers.get('host')}${request.nextUrl.pathname}`, + 301 + ) + } + + // Other middleware logic +} +``` + +## Step 9: CORS Configuration Audit + +Check CORS configuration for API routes. + +### Search for CORS Headers + +Use Grep to find CORS configuration: +``` +- "Access-Control-Allow-Origin" +- "cors(" +``` + +### Verify CORS is Not Too Permissive + +Flag `Access-Control-Allow-Origin: *` in production. + +### Generate Proper CORS Configuration + +```typescript +// lib/cors.ts +export function setCorsHeaders( + response: NextResponse, + allowedOrigins: string[] +) { + const origin = request.headers.get('origin') + + if (origin && allowedOrigins.includes(origin)) { + response.headers.set('Access-Control-Allow-Origin', origin) + response.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE') + response.headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization') + response.headers.set('Access-Control-Max-Age', '86400') + } + + return response +} +``` + +## Step 10: Dependency Security Audit + +Check for vulnerable dependencies. + +### Run npm audit + +```bash +npm audit --json +``` + +### Check for Outdated Packages + +```bash +npm outdated +``` + +### Flag Critical Vulnerabilities + +Identify packages with known security issues. + +## Step 11: Generate Security Report + +Create comprehensive security audit report using template from `assets/security-report-template.md`: + +```markdown +# Security Audit Report + +**Generated**: [timestamp] +**Project**: [project name] + +## Executive Summary + +**Overall Security Score**: X/100 + +- Critical Issues: X +- High Priority: X +- Medium Priority: X +- Low Priority: X + +## Critical Issues (Fix Immediately) + +### 1. Missing Security Headers +**Severity**: Critical +**Impact**: Application vulnerable to XSS, clickjacking +**Fix**: Add security headers to next.config.ts + +### 2. No Rate Limiting on Auth Endpoints +**Severity**: Critical +**Impact**: Vulnerable to brute force attacks +**Fix**: Implement rate limiting + +[Continue for all issues...] + +## Recommendations + +1. Security Headers +2. Cookie Security +3. RLS Policies +4. Input Validation +5. Rate Limiting +6. HTTPS Enforcement +7. Environment Variables +8. Dependency Updates + +## Implementation Checklist + +- [ ] Add security headers +- [ ] Configure secure cookies +- [ ] Enable RLS on all tables +- [ ] Add input validation +- [ ] Implement rate limiting +- [ ] Enforce HTTPS +- [ ] Audit environment variables +- [ ] Update vulnerable dependencies +``` + +## Step 12: Generate Fix Scripts + +Create scripts to automate security improvements: + +```typescript +// scripts/add-security-headers.ts +// Automatically adds security headers to next.config +``` + +```bash +# scripts/enable-rls.sql +# SQL script to enable RLS on all tables +``` + +## Consulting References + +Throughout audit: +- Consult `references/security-headers.md` for header configuration +- Consult `references/rls-checklist.md` for database security +- Consult `references/owasp-top-10.md` for common vulnerabilities +- Use templates from `assets/security-report-template.md` + +## Output Format + +Generate files: +``` +reports/ + security-audit-[timestamp].md +fixes/ + security-headers.ts + rate-limiting.ts + input-validation.ts +scripts/ + enable-rls.sql + fix-cookies.ts +``` + +## Verification Checklist + +Before completing audit: +- [ ] All routes analyzed +- [ ] Security headers reviewed +- [ ] Cookie configuration checked +- [ ] RLS policies audited +- [ ] Input validation verified +- [ ] Rate limiting assessed +- [ ] Environment variables checked +- [ ] Dependencies scanned +- [ ] HTTPS enforcement verified +- [ ] CORS configuration reviewed + +## Completion + +When finished: +1. Display security score +2. Highlight critical issues +3. Provide prioritized recommendations +4. Offer to implement fixes +5. Generate implementation scripts