From f5-core
Provides code patterns for infrastructure security: headers (Helmet.js CSP/CORS/HSTS), HTTPS/TLS, data encryption (AES-256-GCM), compliance (GDPR/PCI-DSS), secrets management (AWS/Vault).
Slash command: `/f5-core:security-infra`
Infrastructure security, headers, encryption, and compliance patterns.
| Header | Purpose | Value |
|---|---|---|
| Content-Security-Policy | XSS prevention | Restrict sources |
| X-Frame-Options | Clickjacking | DENY |
| Strict-Transport-Security | Force HTTPS | max-age=31536000 |
| X-Content-Type-Options | MIME sniffing | nosniff |
| Referrer-Policy | Leak prevention | strict-origin |

```typescript
import express from 'express';
import helmet from 'helmet';

const app = express();

// Helmet sets the security headers; CSP and HSTS are configured explicitly here.
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
      objectSrc: ["'none'"],
      frameAncestors: ["'none'"],
    },
  },
  hsts: { maxAge: 31536000, includeSubDomains: true },
}));
```
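
A response-header check matching the table and Helmet configuration above, as an added example that is not part of the f5-core skill: `auditSecurityHeaders`, the accepted Referrer-Policy set, and both sample header sets are constructed here. The first sample carries `X-Frame-Options: SAMEORIGIN`, Helmet's default when that option is not overridden, so the audit reports it against the table's `DENY`.

```javascript
// Added example: audit response headers against the values in the table.
// auditSecurityHeaders and both sample header sets are constructed for illustration.
const STRICT_REFERRER = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];

function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored by browsers; keep the first one only.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function auditSecurityHeaders(rawHeaders) {
  const h = {}; // header names are case-insensitive, so normalise them
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const expect = (name, ok, want) => {
    if (!(name in h)) findings.push(`${name}: missing`);
    else if (!ok(h[name])) findings.push(`${name}: expected ${want}, got "${h[name]}"`);
  };
  expect('x-frame-options', (v) => v.toUpperCase() === 'DENY', 'DENY');
  expect('x-content-type-options', (v) => v.toLowerCase() === 'nosniff', 'nosniff');
  expect('referrer-policy', (v) => STRICT_REFERRER.includes(v.toLowerCase()), 'a strict policy');
  expect('strict-transport-security', (v) => {
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= 31536000;
  }, 'max-age>=31536000');
  expect('content-security-policy', (v) => {
    const d = parseCsp(v);
    const scripts = d.get('script-src') || d.get('default-src') || ['*'];
    const objects = d.get('object-src') || d.get('default-src') || ['*'];
    const loose = scripts.some((s) => ["'unsafe-inline'", "'unsafe-eval'", '*'].includes(s));
    return !loose && objects.join(' ') === "'none'" && (d.get('frame-ancestors') || []).join(' ') === "'none'";
  }, "no unsafe script sources, object-src 'none', frame-ancestors 'none'");
  return findings;
}

// Constructed sample modelled on the Helmet configuration above.
const sampleHardened = {
  'Content-Security-Policy': "default-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: https:;object-src 'none';frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN', // Helmet's default unless overridden
  'Referrer-Policy': 'no-referrer',
};
const sampleWeak = { 'Content-Security-Policy': "default-src *; script-src 'self' 'unsafe-inline'", 'Strict-Transport-Security': 'max-age=300' };
```
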

```typescript
import crypto from 'crypto';

// All fields are base64-encoded.
interface EncryptedData {
  ciphertext: string;
  iv: string;
  authTag: string;
}

// key must be 32 bytes for AES-256-GCM.
function encrypt(plaintext: string, key: Buffer): EncryptedData {
  // Fresh random 96-bit IV per message; an IV must never repeat under the same key.
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  let ciphertext = cipher.update(plaintext, 'utf8', 'base64');
  ciphertext += cipher.final('base64');
  return {
    ciphertext,
    iv: iv.toString('base64'),
    authTag: cipher.getAuthTag().toString('base64'),
  };
}

function decrypt(data: EncryptedData, key: Buffer): string {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm',
    key,
    Buffer.from(data.iv, 'base64')
  );
  decipher.setAuthTag(Buffer.from(data.authTag, 'base64'));
  let plaintext = decipher.update(data.ciphertext, 'base64', 'utf8');
  // final() throws if the auth tag does not verify (tampered data or wrong key).
  plaintext += decipher.final('utf8');
  return plaintext;
}
```

```typescript
// Environment variables (basic)
const apiKey = process.env.API_KEY;

// AWS Secrets Manager
import { SecretsManager } from '@aws-sdk/client-secrets-manager';
const client = new SecretsManager({ region: 'us-east-1' });
const secret = await client.getSecretValue({ SecretId: 'my-secret' });

// HashiCorp Vault
import Vault from 'node-vault';
const vault = Vault({ endpoint: process.env.VAULT_ADDR });
// With the KV v2 engine the secret's key/value pairs are nested under data.data.
const { data } = await vault.read('secret/data/myapp');
```

```typescript
import cors from 'cors';

app.use(cors({
  origin: ['https://app.example.com'],
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true,
  maxAge: 86400,
}));
```

| Gate | Requirement |
|---|---|
| G4 | Security audit completed |
| G5 | Production hardening verified |
| G5 | Compliance checklist passed |

```bash
npx claudepluginhub fujigo-software/f5-framework-claude --plugin f5-core
```