Security Audit Skill
Identify security vulnerabilities and implement fixes.
Check List
Code Security
- [ ] No hardcoded credentials/API keys
- [ ] Input validation on all user inputs
- [ ] SQL injection prevention (parameterized queries)
- [ ] XSS prevention (sanitize outputs)
- [ ] CSRF tokens where needed
- [ ] Rate limiting on APIs
- [ ] Authentication on sensitive routes
- [ ] Authorization checks (user permissions)
Database Security
- [ ] RLS enabled on ALL tables
- [ ] Service role key never exposed to client
- [ ] Policies prevent data leaks
- [ ] Encrypted connections (SSL/TLS)
Environment Security
- [ ]
.env.localin.gitignore - [ ] Secrets in environment variables only
- [ ] No secrets in logs
- [ ] HTTPS in production
Dependencies
- [ ] Run
npm audit - [ ] Update vulnerable packages
- [ ] Review package permissions
Common Vulnerabilities
SQL Injection
// BAD
const query = `SELECT * FROM users WHERE id = ${userId}`;
// GOOD
const { data } = await supabase
.from('users')
.select('*')
.eq('id', userId);
XSS
// BAD
<div dangerouslySetInnerHTML={{__html: userInput}} />
// GOOD
<div>{userInput}</div> // Auto-escaped by React
Credential Leaks
// BAD
const apiKey = "sk-1234567890abcdef";
// GOOD
const apiKey = process.env.API_KEY;
Quick Audit
"Run security audit:
1. Search for hardcoded secrets (grep for 'sk-', 'api_key', etc.)
2. Check .gitignore includes .env*
3. Verify RLS on all tables
4. Run npm audit
5. Check CORS config
Output: temp/security/audit-{timestamp}.md"
Remember: Security is not optional. Audit regularly!
微信扫一扫