gh-hopeoverture-worldbuilding-app-skills-plugins-security-hardening-checklist/skills/security-hardening-checklist/SKILL.md

name, description, allowed-tools

name	description	allowed-tools
security-hardening-checklist	This skill should be used when the user requests to audit, check, or improve application security by analyzing security headers, cookie configuration, RLS policies, input sanitization, rate limiting, and other security measures. It generates a comprehensive security audit report with actionable recommendations. Trigger terms include security audit, security check, harden security, security review, vulnerability check, security headers, secure cookies, input validation, rate limiting, security best practices.	Read, Grep, Glob, Bash

Security Hardening Checklist

To perform a comprehensive security audit and generate hardening recommendations, follow these steps systematically.

Step 1: Project Discovery

Identify the project structure and tech stack:

1. Use Glob to find key files:

   • package.json - Dependencies and scripts
   • next.config.* - Next.js configuration
   • middleware.ts - Middleware setup
   • app/**/*.{ts,tsx} - Application routes
   • .env.example - Environment variables

2. Identify authentication provider (Supabase, NextAuth, Clerk, etc.)

3. Identify database type (PostgreSQL, MySQL, MongoDB, etc.)

4. Check for security libraries (helmet, rate-limit, etc.)

Step 2: Security Headers Audit

Check for security headers configuration.

Check Next.js Config

Use Grep to search for security headers in next.config.js/ts:

- "X-Frame-Options"
- "X-Content-Type-Options"
- "X-XSS-Protection"
- "Strict-Transport-Security"
- "Content-Security-Policy"
- "Referrer-Policy"
- "Permissions-Policy"

Generate Missing Headers

Consult references/security-headers.md and create configuration:

// next.config.ts
const securityHeaders = [
  {
    key: 'X-DNS-Prefetch-Control',
    value: 'on'
  },
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains; preload'
  },
  {
    key: 'X-Frame-Options',
    value: 'SAMEORIGIN'
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff'
  },
  {
    key: 'X-XSS-Protection',
    value: '1; mode=block'
  },
  {
    key: 'Referrer-Policy',
    value: 'strict-origin-when-cross-origin'
  },
  {
    key: 'Permissions-Policy',
    value: 'camera=(), microphone=(), geolocation=()'
  }
]

const nextConfig = {
  async headers() {
    return [
      {
        source: '/:path*',
        headers: securityHeaders,
      },
    ]
  },
}

Step 3: Cookie Security Audit

Check cookie configuration for auth and session management.

Check for Insecure Cookie Settings

Use Grep to search for cookie operations:

- "setCookie"
- "cookies().set"
- "document.cookie"
- "res.cookie"

Review Cookie Security Attributes

Check for:

• httpOnly: true - Prevents JavaScript access
• secure: true - HTTPS only
• sameSite: 'strict' or 'lax' - CSRF protection
• Proper expiration times

Generate Secure Cookie Helper

// lib/cookies.ts
import { cookies } from 'next/headers'

export function setSecureCookie(
  name: string,
  value: string,
  maxAge: number = 3600
) {
  cookies().set(name, value, {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'strict',
    maxAge,
    path: '/',
  })
}

Step 4: RLS Policy Audit

For Supabase/PostgreSQL projects, audit Row-Level Security.

Check RLS Status

Search for migration files or schema files:

-- Check if RLS is enabled
ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;

Identify Tables Without RLS

Use Grep to find table definitions and check which lack RLS policies.

Flag Security Gaps

• Tables with user data but no RLS
• Tables with RLS but no policies
• Policies that may be too permissive
• Missing WITH CHECK clauses

Consult references/rls-checklist.md for comprehensive checks.

Step 5: Input Sanitization Audit

Check for unsafe input handling.

Search for Direct Database Queries

Use Grep to find potential SQL injection risks:

- "`.query(`"
- "`${" (template literals in queries)
- "raw("

Check Form Input Validation

Search for form handlers without validation:

- "formData.get("
- "request.json()"
- "params."

Validate Zod Usage

Check if forms use Zod or similar validation:

- "z.object"
- "safeParse"
- "parse"

Generate Validation Examples

// lib/validations/common.ts
import { z } from 'zod'

// Sanitize HTML input
export const sanitizeHtml = (input: string): string => {
  return input
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/\//g, '&#x2F;')
}

// Common validation schemas
export const emailSchema = z.string().email()
export const urlSchema = z.string().url()
export const uuidSchema = z.string().uuid()
export const slugSchema = z.string().regex(/^[a-z0-9-]+$/)

Step 6: Rate Limiting Audit

Check for rate limiting on API routes and actions.

Check for Rate Limiting Libraries

Search package.json for:

• @upstash/ratelimit
• express-rate-limit
• rate-limiter-flexible

Identify Unprotected Endpoints

Use Glob to find all API routes:

app/api/**/route.ts

Search each for rate limiting code.

Generate Rate Limiting Implementation

// lib/rate-limit.ts
import { Ratelimit } from '@upstash/ratelimit'
import { Redis } from '@upstash/redis'

export const authRateLimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(5, '1 m'),
  prefix: 'ratelimit:auth',
})

export const apiRateLimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(100, '1 m'),
  prefix: 'ratelimit:api',
})

// Usage in API route
export async function POST(request: Request) {
  const ip = request.headers.get('x-forwarded-for') ?? 'unknown'
  const { success } = await authRateLimit.limit(ip)

  if (!success) {
    return new Response('Rate limit exceeded', { status: 429 })
  }

  // Handle request
}

Step 7: Environment Variables Audit

Check for exposed secrets and proper env var handling.

Check .env.example

Verify sensitive variables are not committed:

• Database URLs with credentials
• API keys
• JWT secrets

Search for Hardcoded Secrets

Use Grep to find potential hardcoded secrets:

- "password.*=.*['\"]"
- "secret.*=.*['\"]"
- "api[-_]?key.*=.*['\"]"
- "token.*=.*['\"]"

Check Client-Side Exposure

Search for env vars used in client components:

- "process.env" in files with "use client"

Only NEXT_PUBLIC_* vars should be in client code.

Step 8: HTTPS and Transport Security

Verify HTTPS is enforced.

Check for HTTP Links

Use Grep to find insecure URLs:

- "http://" (not in comments)

Check Middleware for HTTPS Redirect

Look for HTTPS enforcement in middleware.

Generate HTTPS Enforcement

// middleware.ts
export function middleware(request: NextRequest) {
  // Enforce HTTPS in production
  if (
    process.env.NODE_ENV === 'production' &&
    request.headers.get('x-forwarded-proto') !== 'https'
  ) {
    return NextResponse.redirect(
      `https://${request.headers.get('host')}${request.nextUrl.pathname}`,
      301
    )
  }

  // Other middleware logic
}

Step 9: CORS Configuration Audit

Check CORS configuration for API routes.

Search for CORS Headers

Use Grep to find CORS configuration:

- "Access-Control-Allow-Origin"
- "cors("

Verify CORS is Not Too Permissive

Flag Access-Control-Allow-Origin: * in production.

Generate Proper CORS Configuration

// lib/cors.ts
export function setCorsHeaders(
  response: NextResponse,
  allowedOrigins: string[]
) {
  const origin = request.headers.get('origin')

  if (origin && allowedOrigins.includes(origin)) {
    response.headers.set('Access-Control-Allow-Origin', origin)
    response.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
    response.headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization')
    response.headers.set('Access-Control-Max-Age', '86400')
  }

  return response
}

Step 10: Dependency Security Audit

Check for vulnerable dependencies.

Run npm audit

npm audit --json

Check for Outdated Packages

npm outdated

Flag Critical Vulnerabilities

Identify packages with known security issues.

Step 11: Generate Security Report

Create comprehensive security audit report using template from assets/security-report-template.md:

# Security Audit Report

**Generated**: [timestamp]
**Project**: [project name]

## Executive Summary

**Overall Security Score**: X/100

- Critical Issues: X
- High Priority: X
- Medium Priority: X
- Low Priority: X

## Critical Issues (Fix Immediately)

### 1. Missing Security Headers
**Severity**: Critical
**Impact**: Application vulnerable to XSS, clickjacking
**Fix**: Add security headers to next.config.ts

### 2. No Rate Limiting on Auth Endpoints
**Severity**: Critical
**Impact**: Vulnerable to brute force attacks
**Fix**: Implement rate limiting

[Continue for all issues...]

## Recommendations

1. Security Headers
2. Cookie Security
3. RLS Policies
4. Input Validation
5. Rate Limiting
6. HTTPS Enforcement
7. Environment Variables
8. Dependency Updates

## Implementation Checklist

- [ ] Add security headers
- [ ] Configure secure cookies
- [ ] Enable RLS on all tables
- [ ] Add input validation
- [ ] Implement rate limiting
- [ ] Enforce HTTPS
- [ ] Audit environment variables
- [ ] Update vulnerable dependencies

Step 12: Generate Fix Scripts

Create scripts to automate security improvements:

// scripts/add-security-headers.ts
// Automatically adds security headers to next.config

# scripts/enable-rls.sql
# SQL script to enable RLS on all tables

Consulting References

Throughout audit:

• Consult references/security-headers.md for header configuration
• Consult references/rls-checklist.md for database security
• Consult references/owasp-top-10.md for common vulnerabilities
• Use templates from assets/security-report-template.md

Output Format

Generate files:

reports/
  security-audit-[timestamp].md
fixes/
  security-headers.ts
  rate-limiting.ts
  input-validation.ts
scripts/
  enable-rls.sql
  fix-cookies.ts

Verification Checklist

Before completing audit:

• All routes analyzed
• Security headers reviewed
• Cookie configuration checked
• RLS policies audited
• Input validation verified
• Rate limiting assessed
• Environment variables checked
• Dependencies scanned
• HTTPS enforcement verified
• CORS configuration reviewed

Completion

When finished:

1. Display security score
2. Highlight critical issues
3. Provide prioritized recommendations
4. Offer to implement fixes
5. Generate implementation scripts