From forwward-teams
Provides security defaults for auth and sessions, OWASP Top 10 prevention strategies, HIPAA PHI handling requirements, and SOC 2 trust principles.
Slash command: /forwward-teams:security
Assume breach. Defense in depth. Least privilege everywhere.
Every project ships with:

| Control | Implementation |
|---|---|
| Auth | OAuth 2.0 / OIDC via Auth.js or Supabase Auth |
| Sessions | HTTP-only, Secure, SameSite=Strict cookies |
| Passwords | bcrypt/argon2, min 12 chars, no max limit |
| API auth | Bearer tokens with expiry, refresh rotation |
| CORS | Explicit allowlist, never * in production |
| HTTPS | Everywhere. No exceptions. HSTS headers. |
| CSP | Content-Security-Policy header on all pages |
| Rate limiting | Auth endpoints: 5/min. API: 100/min. Adjust per use. |
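The session-cookie, CORS, HSTS/CSP and rate-limit rows above, as an added example in plain Node.js (not code from the forwward-teams skill); the exact header values, cookie lifetime and window sizes are assumptions chosen to match the table.

```javascript
// Added example: framework-agnostic helpers that encode the defaults above.
// Wire them into whatever request handler (Next.js route, Express, etc.) you use.

// Session cookie: HttpOnly, Secure, SameSite=Strict, bounded lifetime.
function sessionCookie(name, value, maxAgeSeconds = 60 * 60 * 8) {
  // Reject characters that would let a value smuggle in extra attributes.
  if (/[;,\s]/.test(value)) throw new Error('invalid cookie value');
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// CORS: explicit origin allowlist. Unknown origins get no CORS headers at all;
// never echo an arbitrary request origin back and never use "*" with credentials.
function corsHeaders(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// HSTS plus a restrictive CSP that trusts only same-origin resources
// (assumed baseline; loosen per page only as required).
function securityHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'Content-Security-Policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Fixed-window rate limiter keyed by client (IP, user id, API key).
// Auth endpoints: new RateLimiter(5, 60_000); general API: new RateLimiter(100, 60_000).
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { start, count }
  }
  // Returns true if the request is allowed, false if the caller should get HTTP 429.
  allow(key, now = Date.now()) {
    const b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(key, { start: now, count: 1 });
      return true;
    }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }
}
```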

| Vulnerability | Prevention |
|---|---|
| Injection (SQL, NoSQL, OS) | Parameterized queries, ORMs, never string concat |
| Broken Auth | MFA, session timeouts, account lockout |
| Sensitive Data Exposure | Encrypt at rest + transit, minimize data collection |
| XXE | Disable external entity processing |
| Broken Access Control | Check permissions server-side on every request |
| Security Misconfiguration | Defaults off, hardened configs, no debug in prod |
| XSS | Output encoding, CSP headers, sanitize HTML |
| Insecure Deserialization | Validate and type-check all serialized data |
| Known Vulnerabilities | npm audit, pip audit, automated dependency updates |
| Insufficient Logging | Log auth events, access denied, input validation failures |

Required if handling PHI (Protected Health Information):

| Requirement | Implementation |
|---|---|
| Encryption at rest | AES-256 for databases and file storage |
| Encryption in transit | TLS 1.2+ everywhere |
| Access controls | Role-based, audit-logged, least privilege |
| Audit trail | Every PHI access logged with who, what, when |
| BAA | Business Associate Agreement with every vendor touching PHI |
| Data minimization | Collect only what's clinically necessary |
| Breach notification | 60-day notification requirement — have a plan |
| Employee training | Annual security awareness training |

PHI includes: names, dates, phone numbers, emails, SSNs, medical record numbers, device IDs, biometric data, photos, and any other data that could identify a patient.

Vendor checklist:

| Trust Principle | What to Implement |
|---|---|
| Security | Access controls, encryption, firewalls, IDS |
| Availability | Uptime monitoring, incident response, backups |
| Processing Integrity | Input validation, error handling, QA |
| Confidentiality | Encryption, access logging, data classification |
| Privacy | Consent, data retention, deletion, privacy policy |

Start with: Security + Availability. Add others when customers require it.

When reviewing code for security:

- npm audit / pip audit clean