返回 Skill 列表
extension
分类: 开发与工程无需 API Key

security

保护您的SaaS应用程序免受常见漏洞的影响。在构建认证、处理用户数据或部署功能时使用。涵盖身份验证、数据保护、API安全以及为使用AI工具的非技术创始人提供的OWASP Top 10。

person作者: jakexiaohubgithub

Security

Security Checklist

Security Basics:
- [ ] Authentication required for protected routes
- [ ] Passwords hashed (bcrypt/argon2), never stored plain text
- [ ] API keys in environment variables, not code
- [ ] HTTPS only in production
- [ ] Input validated on server side
- [ ] SQL injection prevented (use parameterized queries)
- [ ] XSS prevented (sanitize user input)
- [ ] CSRF tokens on forms
- [ ] Rate limiting on API endpoints
- [ ] User sessions expire (30min-1hr typical)

See COMMON-VULNS.md for detailed checks.


Critical: Never Store These in Code

Move to environment variables:

  • Database passwords
  • API keys (Stripe, SendGrid, etc)
  • JWT secrets
  • OAuth client secrets
  • Encryption keys

Tell AI:

Store API keys in .env file, not in code.
Add .env to .gitignore.
Access via process.env.API_KEY

Authentication Basics

Minimum requirements:

  • Passwords: 8+ chars, require number/symbol
  • Hash passwords (bcrypt with 10+ rounds)
  • Email verification for signups
  • Password reset via email only
  • Sessions expire (30-60 min idle)
  • Logout clears session completely

Tell AI:

Add authentication:
- bcrypt for password hashing (12 rounds)
- Email verification required
- Session timeout: 30 minutes
- Password requirements: 8+ chars, 1 number, 1 symbol

See SECURITY-PROMPTS.md for implementation details.


Data Protection

Always encrypt:

  • Passwords (hashed, not encrypted)
  • Payment info (use Stripe, don't store cards)
  • Personal identifiable information (PII)

Never log:

  • Passwords (even hashed)
  • Credit card numbers
  • API keys
  • Session tokens

Tell AI:

Never log sensitive data.
Replace passwords/tokens with "[REDACTED]" in logs.

API Security

Required for all API endpoints:

  • Authentication check
  • Rate limiting (prevent abuse)
  • Input validation
  • Error messages don't leak info

Tell AI:

Add to all API routes:
- Require valid auth token
- Rate limit: 100 requests/minute per IP
- Validate all inputs (reject invalid)
- Generic error messages (no stack traces to users)

Common Vulnerabilities

Most common in AI-built apps:

  1. Exposed API keys - In code instead of .env
  2. No rate limiting - APIs can be spammed
  3. Missing auth checks - Routes accessible without login
  4. SQL injection - Raw SQL with user input
  5. XSS attacks - Unescaped user content displayed

See COMMON-VULNS.md for how to check.


Security Prompts for AI

Adding authentication:

Add authentication to this route.
Require valid JWT token.
Return 401 if missing/invalid.
Don't expose error details.

Rate limiting:

Add rate limiting:
- 100 requests/minute per IP
- Return 429 "Too many requests" if exceeded
- Use sliding window, not fixed

Input validation:

Validate all user inputs:
- Email: valid format
- Password: 8+ chars, 1 number, 1 symbol
- Username: alphanumeric only, 3-20 chars
Reject invalid input with clear error message

See SECURITY-PROMPTS.md for more.


Pre-Launch Security Review

Before deploying:

Production Security:
- [ ] All secrets in environment variables
- [ ] HTTPS enforced (no HTTP)
- [ ] Database backups configured
- [ ] Rate limiting on all APIs
- [ ] Error pages don't show stack traces
- [ ] Admin routes protected
- [ ] File uploads validated (type, size)
- [ ] CORS configured (not wildcard "*")

When to Get Security Audit

Signs you need expert review:

  • Handling payments directly (not Stripe)
  • Storing health/financial data
  • Multi-tenant with data isolation
  • Over 1,000 users
  • Processing sensitive PII

For most MVPs: Following this checklist is sufficient.


Common Founder Mistakes

| Mistake | Fix | |---------|-----| | API keys in code | Move to .env | | No rate limiting | Add to all endpoints | | Plain text passwords | Use bcrypt | | HTTP in production | Force HTTPS | | Accepting all CORS | Whitelist domains | | No input validation | Validate server-side | | Detailed error messages | Generic messages only |


Quick Wins

Easy security improvements:

  1. Add Helmet.js (Node) - Sets security headers
  2. Use HTTPS everywhere - Force in production
  3. Add rate limiting - Prevents abuse
  4. Environment variables - Keep secrets safe
  5. Update dependencies - Fix known vulnerabilities

Tell AI:

Add helmet.js for security headers.
Configure for production (HTTPS, CSP, XSS protection).

Testing Security

Quick checks:

Exposed secrets:

grep -r "api_key" src/
grep -r "password" src/
# Should only find references to env vars

No auth bypass:

  • Try accessing protected routes without login
  • Should redirect to login or return 401

Rate limiting works:

  • Hit API endpoint 100 times quickly
  • Should get 429 error

Success Looks Like

✅ No secrets in code (all in .env)
✅ Can't access protected routes without auth
✅ Passwords hashed, never stored plain text
✅ Rate limiting prevents abuse
✅ HTTPS enforced in production
✅ Input validated on server side