Stats
Actions
Tags
Conducts security reviews for authentication, user inputs, secrets, API endpoints, payments, and sensitive data. Supplies checklists, Zod schemas, parameterized queries, and JWT best practices.
How this skill is triggered — by the user, by Claude, or both
Slash command
/everything-claude-code:security-reviewThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
此技能确保所有代码遵循安全最佳实践,并识别潜在的漏洞。
此技能确保所有代码遵循安全最佳实践,并识别潜在的漏洞。
const apiKey = "sk-proj-xxxxx" // 硬编码凭据
const dbPassword = "password123" // 在源代码中
const apiKey = process.env.OPENAI_API_KEY
const dbUrl = process.env.DATABASE_URL
// 验证凭据是否存在
if (!apiKey) {
throw new Error('OPENAI_API_KEY not configured')
}
.env.local 已包含在 .gitignore 中import { z } from 'zod'
// 定义校验模式 (Schema)
const CreateUserSchema = z.object({
email: z.string().email(),
name: z.string().min(1).max(100),
age: z.number().int().min(0).max(150)
})
// 在处理前校验
export async function createUser(input: unknown) {
try {
const validated = CreateUserSchema.parse(input)
return await db.users.create(validated)
} catch (error) {
if (error instanceof z.ZodError) {
return { success: false, errors: error.errors }
}
throw error
}
}
function validateFileUpload(file: File) {
// 大小检查 (最大 5MB)
const maxSize = 5 * 1024 * 1024
if (file.size > maxSize) {
throw new Error('File too large (max 5MB)')
}
// 类型检查
const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']
if (!allowedTypes.includes(file.type)) {
throw new Error('Invalid file type')
}
// 后缀检查
const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']
const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]
if (!extension || !allowedExtensions.includes(extension)) {
throw new Error('Invalid file extension')
}
return true
}
// 危险 - 存在 SQL 注入漏洞
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
await db.query(query)
// 安全 - 参数化查询
const { data } = await supabase
.from('users')
.select('*')
.eq('email', userEmail)
// 或者使用原生 SQL
await db.query(
'SELECT * FROM users WHERE email = $1',
[userEmail]
)
// ❌ 错误:使用 localStorage (易受 XSS 攻击)
localStorage.setItem('token', token)
// ✅ 正确:使用 httpOnly cookies
res.setHeader('Set-Cookie',
`token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
export async function deleteUser(userId: string, requesterId: string) {
// 始终先验证授权
const requester = await db.users.findUnique({
where: { id: requesterId }
})
if (requester.role !== 'admin') {
return NextResponse.json(
{ error: 'Unauthorized' },
{ status: 403 }
)
}
// 执行删除
await db.users.delete({ where: { id: userId } })
}
-- 在所有表上启用 RLS
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
-- 用户只能查看自己的数据
CREATE POLICY "Users view own data"
ON users FOR SELECT
USING (auth.uid() = id);
-- 用户只能更新自己的数据
CREATE POLICY "Users update own data"
ON users FOR UPDATE
USING (auth.uid() = id);
import DOMPurify from 'isomorphic-dompurify'
// 始终清理用户提供的 HTML
function renderUserContent(html: string) {
const clean = DOMPurify.sanitize(html, {
ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
ALLOWED_ATTR: []
})
return <div dangerouslySetInnerHTML={{ __html: clean }} />
}
// next.config.js
const securityHeaders = [
{
key: 'Content-Security-Policy',
value: `
default-src 'self';
script-src 'self' 'unsafe-eval' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self';
connect-src 'self' https://api.example.com;
`.replace(/\s{2,}/g, ' ').trim()
}
]
import { csrf } from '@/lib/csrf'
export async function POST(request: Request) {
const token = request.headers.get('X-CSRF-Token')
if (!csrf.verify(token)) {
return NextResponse.json(
{ error: 'Invalid CSRF token' },
{ status: 403 }
)
}
// 处理请求
}
res.setHeader('Set-Cookie',
`session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)
import rateLimit from 'express-rate-limit'
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 分钟
max: 100, // 每个窗口 100 次请求
message: 'Too many requests'
})
// 应用到路由
app.use('/api/', limiter)
// 对搜索操作执行更严格的速率限制
const searchLimiter = rateLimit({
windowMs: 60 * 1000, // 1 分钟
max: 10, // 每分钟 10 次请求
message: 'Too many search requests'
})
app.use('/api/search', searchLimiter)
// ❌ 错误:记录敏感数据
console.log('User login:', { email, password })
console.log('Payment:', { cardNumber, cvv })
// ✅ 正确:脱敏敏感数据
console.log('User login:', { email, userId })
console.log('Payment:', { last4: card.last4, userId })
// ❌ 错误:暴露内部细节
catch (error) {
return NextResponse.json(
{ error: error.message, stack: error.stack },
{ status: 500 }
)
}
// ✅ 正确:通用的错误消息
catch (error) {
console.error('Internal error:', error)
return NextResponse.json(
{ error: 'An error occurred. Please try again.' },
{ status: 500 }
)
}
import { verify } from '@solana/web3.js'
async function verifyWalletOwnership(
publicKey: string,
signature: string,
message: string
) {
try {
const isValid = verify(
Buffer.from(message),
Buffer.from(signature, 'base64'),
Buffer.from(publicKey, 'base64')
)
return isValid
} catch (error) {
return false
}
}
async function verifyTransaction(transaction: Transaction) {
// 验证收款人
if (transaction.to !== expectedRecipient) {
throw new Error('Invalid recipient')
}
// 验证金额
if (transaction.amount > maxAmount) {
throw new Error('Amount exceeds limit')
}
// 验证用户余额是否充足
const balance = await getBalance(transaction.from)
if (balance < transaction.amount) {
throw new Error('Insufficient balance')
}
return true
}
# 检查漏洞
npm audit
# 自动修复可修复的问题
npm audit fix
# 更新依赖
npm update
# 检查过期的包
npm outdated
# 始终提交 lock 文件
git add package-lock.json
# 在 CI/CD 中使用以确保可重现的构建
npm ci # 而非 npm install
// 测试身份认证
test('requires authentication', async () => {
const response = await fetch('/api/protected')
expect(response.status).toBe(401)
})
// 测试授权
test('requires admin role', async () => {
const response = await fetch('/api/admin', {
headers: { Authorization: `Bearer ${userToken}` }
})
expect(response.status).toBe(403)
})
// 测试输入校验
test('rejects invalid input', async () => {
const response = await fetch('/api/users', {
method: 'POST',
body: JSON.stringify({ email: 'not-an-email' })
})
expect(response.status).toBe(400)
})
// 测试速率限制
test('enforces rate limits', async () => {
const requests = Array(101).fill(null).map(() =>
fetch('/api/endpoint')
)
const responses = await Promise.all(requests)
const tooManyRequests = responses.filter(r => r.status === 429)
expect(tooManyRequests.length).toBeGreaterThan(0)
})
在任何生产环境部署之前:
请记住:安全并非可选项。一个漏洞就可能危害整个平台。如有疑虑,请宁可信其有,从严处理。
npx claudepluginhub codelably/harmony-claude-codeProvides security checklists for secrets management, input validation with Zod, SQL injection prevention via parameterized queries, and auth patterns like httpOnly cookies. Use for auth, user input, APIs, payments.
Ensures code follows security best practices and identifies vulnerabilities. Activates when implementing authentication, handling user input, creating API endpoints, or working with secrets.
Provides a security checklist covering secrets management, input validation, and SQL injection prevention. Includes code patterns and verification steps for common vulnerabilities.