> nestjs-security
Implement JWT authentication, RBAC guards, Helmet hardening, and Argon2 hashing in NestJS. Use when adding auth strategies, role-based access control, CSRF protection, or security headers. (triggers: **/*.guard.ts, **/*.strategy.ts, **/auth/**, Passport, JWT, AuthGuard, CSRF, Helmet)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/nestjs-security?format=md"

NestJS Security Standards
Priority: P0 (CRITICAL)
Workflow: Secure a NestJS Application
- Add Helmet — `app.use(helmet())` in `main.ts` for HSTS, CSP headers.
- Configure JWT strategy — Use `passport-jwt` with RS256; validate `iss` and `aud` claims.
- Bind global AuthGuard — Register as `APP_GUARD`; use `@Public()` for open routes.
- Add throttling — Enable `@nestjs/throttler` with Redis store for rate limiting.
- Hash with Argon2id — Replace bcrypt with `argon2.hash(password, { type: argon2.argon2id })`.
- Verify — Run `npm audit --prod` and test that unauthenticated requests return 401.
Global Auth Guard Example
Argon2id Hashing Example
Authentication (JWT)
- Strategy: Use `@nestjs/passport` with `passport-jwt`.
- Algorithm: Enforce `RS256` (preferred) or `HS256`. Reject `none`.
- Claims: Validate `iss` and `aud`.
- Tokens: Short-lived access token (15m), long-lived httpOnly refresh token (7d).
- MFA: Require 2FA for admin panels.
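The algorithm pinning and claim checks listed above, as an added example that is not code from this skill or from passport-jwt: a minimal RS256 verifier built only on Node's built-in `crypto` module. The issuer, audience, key pair and claims are constructed for the example. In a NestJS app the same checks are what the `algorithms`, `issuer` and `audience` options of the `passport-jwt` strategy enforce; the point of writing them out is to see that each one is a hard rejection, not a warning.

```typescript
// Added example, not code from the nestjs-security skill or from passport-jwt:
// a minimal RS256 JWT verifier on Node's built-in crypto module, showing the
// checks the skill requires: pin the algorithm (never "none"), validate iss and
// aud, enforce exp. Issuer, audience and key pair are constructed for the example.
import * as crypto from "node:crypto";

export interface JwtPolicy {
  issuer: string;              // expected iss claim
  audience: string;            // expected aud claim (string or array member)
  publicKey: crypto.KeyObject; // verification key; the private key stays with the issuer
  now?: number;                // seconds since epoch, injectable so tests are deterministic
}

const encode = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const decode = (s: string): string => Buffer.from(s, "base64url").toString("utf8");

// Constructed key pair standing in for the issuer's signing key.
export const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Issues an RS256 token; used here only to construct inputs for the verifier.
export function signRs256(claims: Record<string, unknown>, key: crypto.KeyObject): string {
  const header = encode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = encode(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(`${header}.${body}`), key);
  return `${header}.${body}.${sig.toString("base64url")}`;
}

// Verifies a token and returns its claims, or throws with the reason it was rejected.
export function verifyJwt(token: string, policy: JwtPolicy): Record<string, unknown> {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(decode(h));
  // The header is caller-controlled: pin the expected algorithm before any
  // cryptography runs, so "none" or any other algorithm is rejected outright.
  if (header.alg !== "RS256") throw new Error(`unexpected alg: ${header.alg}`);
  const sig = Buffer.from(s, "base64url");
  if (!crypto.verify("sha256", Buffer.from(`${h}.${p}`), policy.publicKey, sig)) {
    throw new Error("bad signature");
  }
  // Only after the signature checks out are the claims worth reading.
  const claims = JSON.parse(decode(p));
  if (claims.iss !== policy.issuer) throw new Error("bad iss");
  const aud: unknown[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(policy.audience)) throw new Error("bad aud");
  const now = policy.now ?? Math.floor(Date.now() / 1000);
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}

// Convenience for callers that want a verdict string rather than an exception.
export function verdict(token: string, policy: JwtPolicy): string {
  try {
    verifyJwt(token, policy);
    return "ok";
  } catch (e) {
    return (e as Error).message;
  }
}
```

The order matters: algorithm first, then signature, then claims. Reading `iss` or `aud` out of an unverified payload, or letting the token's own header choose the verification algorithm, is exactly what the "Reject `none`" rule guards against. The `exp` check with a 15-minute access token lifetime is the "short access" half of the token policy; the refresh token is a separate credential and is not modelled here.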
Authorization (RBAC)
- Deny by default: Bind `AuthGuard` globally (`APP_GUARD`).
- Bypass: Create a `@Public()` decorator for open routes.
- Roles: Use `Reflector.getAllAndOverride` to merge method-level and class-level metadata.
Cryptography
- Hashing: Use Argon2id, not Bcrypt. See implementation.
- Encryption: Use AES-256-GCM with KMS rotation. See implementation.
Hardening
- Helmet: Mandatory. Enable HSTS, CSP.
- CORS: Explicit origins only. No `*`.
- Throttling: Use Redis-backed `@nestjs/throttler` in production.
- CSRF: Required for cookie-based auth. See implementation.
Data Protection
- Sanitization: Use `ClassSerializerInterceptor` + `@Exclude()`.
- Validation: `ValidationPipe({ whitelist: true })` to prevent mass assignment.
- Audit: Log mutations (who, what, when). See implementation.
Secrets Management
- CI/CD: Run `npm audit --prod` in pipelines.
- Runtime: Inject via vault (AWS Secrets Manager / HashiCorp Vault), not `.env`.
Anti-Patterns
- No Shadow APIs: Audit routes regularly; disable `/docs` in production.
- No SSRF: Allowlist domains for all outgoing HTTP requests.
- No SQLi: Use ORM; avoid raw `query()` with string concatenation.
- No XSS: Sanitize HTML input with `dompurify`.
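The outbound-domain allowlist that the "No SSRF" rule asks for, as an added example that is not the skill's own code. The allowed hostnames are constructed placeholders; in a real service they come from configuration, and the check sits in the HTTP client wrapper so that every outgoing request passes through it.

```typescript
// Added example (not code from the nestjs-security skill): allowlist check for
// outbound HTTP requests. The host names are constructed for the example.
const ALLOWED_HOSTS: ReadonlySet<string> = new Set(["api.payments.example", "cdn.example"]);

// Returns true only for an https URL whose parsed hostname is exactly in the allowlist.
export function isAllowedOutboundUrl(raw: string, allowed: ReadonlySet<string> = ALLOWED_HOSTS): boolean {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return false; // unparsable input is denied, never "best-effort" fetched
  }
  if (url.protocol !== "https:") return false;   // named hosts over TLS only
  if (url.username || url.password) return false; // "user@host" forms are rejected outright
  // Compare the parsed hostname exactly. Substring or prefix matching on the raw
  // string is the classic mistake; the URL parser has already lowercased the host.
  return allowed.has(url.hostname);
}

// Wrapper a NestJS service would call instead of fetch() directly (fetch itself is not invoked here).
export function prepareOutboundRequest(raw: string): URL {
  if (!isAllowedOutboundUrl(raw)) throw new Error(`outbound host not allowlisted: ${raw}`);
  return new URL(raw);
}
```

Two caveats a practitioner will want: if the HTTP client follows redirects, the check must run again on each redirect target, since the first hop being allowlisted says nothing about the second; and a hostname allowlist does not control what address the name resolves to, so DNS-level controls are a separate layer. IP-literal URLs are denied here simply because no literal is in the set.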