Security review and checklist for developing authentication, input handling, secrets, and sensitive features.
Copy the installation instruction and let the AI complete the setup · Recommended for beginners
Please install the "security-review" skill from askskill: 1. Download https://raw.githubusercontent.com/affaan-m/ECC/main/docs/ko-KR/skills/security-review/SKILL.md 2. Save it as ~/.claude/skills/security-review/SKILL.md 3. Once installed, reload the skills and tell me it is ready to use
Please do a security review of this login and registration design, focusing on password storage, session management, brute-force protection, email verification, and the password reset flow, and provide fix recommendations and implementation patterns.
An authentication security checklist organized by risk level, with issue descriptions and fix recommendations.
I am implementing an order-creation API; please do a full security review covering input validation, access control, injection risks, error handling, log redaction, and rate limiting.
Review results covering API security risks, recommended protection patterns, and actionable checklist items.
Please do a pre-launch security review of the payment feature, focusing on key management, idempotency, callback signature verification, amount tampering, replay protection, audit logging, and anomaly alerting, and output a pre-release checklist.
A payment security checklist suitable for running before release, with key implementation recommendations.
This skill ensures that all code follows security best practices and identifies potential vulnerabilities.
const apiKey = "sk-proj-xxxxx" // Hardcoded secret
const dbPassword = "password123" // In source code
const apiKey = process.env.OPENAI_API_KEY
const dbUrl = process.env.DATABASE_URL
// Verify secrets exist
if (!apiKey) {
throw new Error('OPENAI_API_KEY not configured')
}
.env.local is listed in .gitignore
import { z } from 'zod'
// Define validation schema
const CreateUserSchema = z.object({
email: z.string().email(),
name: z.string().min(1).max(100),
age: z.number().int().min(0).max(150)
})
// Validate before processing
export async function createUser(input: unknown) {
try {
const validated = CreateUserSchema.parse(input)
return await db.users.create(validated)
} catch (error) {
if (error instanceof z.ZodError) {
return { success: false, errors: error.errors }
}
throw error
}
}
function validateFileUpload(file: File) {
// Size check (5MB max)
const maxSize = 5 * 1024 * 1024
if (file.size > maxSize) {
throw new Error('File too large (max 5MB)')
}
// Type check
const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']
if (!allowedTypes.includes(file.type)) {
throw new Error('Invalid file type')
}
// Extension check
const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']
const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]
if (!extension || !allowedExtensions.includes(extension)) {
throw new Error('Invalid file extension')
}
return true
}
// DANGEROUS - SQL Injection vulnerability
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
await db.query(query)
// Safe - parameterized query
const { data } = await supabase
.from('users')
.select('*')
.eq('email', userEmail)
// Or with raw SQL
await db.query(
'SELECT * FROM users WHERE email = $1',
[userEmail]
)
// FAIL: WRONG: localStorage (vulnerable to XSS)
localStorage.setItem('token', token)
// PASS: CORRECT: httpOnly cookies
res.setHeader('Set-Cookie',
`token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
import { NextResponse } from 'next/server'
export async function deleteUser(userId: string, requesterId: string) {
// ALWAYS verify authorization first
const requester = await db.users.findUnique({
where: { id: requesterId }
})
// Treat an unknown requester the same as a non-admin (avoids a null dereference)
if (!requester || requester.role !== 'admin') {
return NextResponse.json(
{ error: 'Unauthorized' },
{ status: 403 }
)
}
// Proceed with deletion
await db.users.delete({ where: { id: userId } })
}
-- Enable RLS on all tables
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
-- Users can only view their own data
CREATE POLICY "Users view own data"
ON users FOR SELECT
USING (auth.uid() = id);
-- Users can only update their own data
CREATE POLICY "Users update own data"
ON users FOR UPDATE
USING (auth.uid() = id);
…
Adversarial cross-checking of results by two reviewer agents, improving reliability before output is released
Helps developers perform systematic security reviews when developing authentication, input handling, secrets, and sensitive features