When to use
- Reviewing code before shipping to production
- Auditing an existing application
- When you mention "security review" or "going to production"
- Concerned about vulnerabilities in your app
What's included
Authentication checks
Password hashing, session expiration, rate limiting, and credential handling.
Input validation
SQL injection prevention, XSS escaping, file upload safety, and redirect validation.
Secrets management
Environment variables, .gitignore patterns, and key rotation strategies.
Database security
Network isolation, minimum permissions, RLS policies, and encrypted connections.
Network and transport
HTTPS enforcement, TLS configuration, HSTS, secure cookies, and CORS.
Compliance basics
GDPR, CCPA, PCI DSS, and HIPAA quick reference for common requirements.
Pre-ship audit categories
| Category | Key items |
|---|---|
| Authentication | Password hashing, session expiration, rate limiting, no credentials in logs |
| Input validation | Parameterized queries, XSS escaping, file upload checks, URL validation |
| Secrets | No secrets in code, environment variables, separate dev/prod secrets |
| Database | Not public, dedicated user, minimum permissions, RLS enabled |
| Network | HTTPS only, TLS 1.2+, HSTS, secure cookies, specific CORS origins |
| Logging | Auth events logged, no sensitive data, retention policy, alerts |
Quick fixes for common issues
Stored passwords in plain text
Add password hashing immediately, force password reset for all users, invalidate sessions, check for database exposure.
API key in git history
Rotate the key immediately, revoke old key, use BFG Repo-Cleaner to remove from history, force push.
Database publicly accessible
Change credentials, configure firewall rules, enable SSL/TLS, review access logs.
Unknown logging content
Search for console.log/logger/print, review what's logged, implement structured logging with allowlists.
Resources
- OWASP Top 10 - Most critical web application security risks
- OWASP Cheat Sheets - Security implementation guides
- Have I Been Pwned - Check for credential breaches
- Mozilla Observatory - Test your security headers
- SSL Labs - Test your TLS configuration
Installation
# Recommended: install the security-toolkit plugin
/plugin marketplace add jamditis/claude-skills-journalism
/plugin install security-toolkit@claude-skills-journalism
# Or copy just this skill from the plugin tree
git clone https://github.com/jamditis/claude-skills-journalism.git
cp -r claude-skills-journalism/security-toolkit/skills/security-checklist ~/.claude/skills/
Or browse this skill in the GitHub repository.
Related skills
Don't ship without checking
The baseline security audit that prevents obvious disasters.
View on GitHub