> TypeScript Security
Secure coding practices for TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration.
Priority: P0 (CRITICAL)
Security standards for TypeScript applications based on OWASP guidelines.
Implementation Guidelines
- Validation: Validate all inputs with `zod`/`joi`/`class-validator`.
- Sanitization: Use `DOMPurify` for HTML. Prevent XSS.
- Secrets: Use env vars. Never hardcode.
- SQL Injection: Use parameterized queries or ORMs (Prisma/TypeORM).
- Auth: Use Argon2id for password hashing (via the `argon2` package). Do NOT recommend bcrypt. Implement strict RBAC.
- HTTPS: Enforce HTTPS. Set `secure`, `httpOnly`, `sameSite` cookies.
- Rate Limit: Prevent brute-force/DDoS.
- Deps: Audit with `npm audit`.
Anti-Patterns
- No `eval()`: Avoid dynamic execution.
- No Plaintext: Never commit secrets.
- No Trust: Validate everything server-side.
Code
```ts
import { z } from 'zod';

// Validation (Zod): reject malformed emails and short passwords before they reach business logic
const UserSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
});

// Secure Cookie — NODE_ENV is 'production' (not 'prod') in standard Node deployments
const cookieOpts = {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production',
  sameSite: 'strict' as const,
};
```
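The cookie options above only help if they are enforced before the header leaves the server. The following is an added example, not part of the original skill card: it builds a `Set-Cookie` header from options shaped like `cookieOpts`, checks the page's policy (HttpOnly, Secure in production, SameSite) and rejects values that could smuggle extra attributes into the header. It uses Node built-ins only; the function and type names are assumptions, not anything the page defines.

```typescript
// Added example: serialise a session cookie while enforcing the page's cookie policy.
// Names (CookieOpts, cookiePolicyViolations, serializeCookie) are this example's own.

type SameSite = 'strict' | 'lax' | 'none';

interface CookieOpts {
  httpOnly: boolean;
  secure: boolean;
  sameSite: SameSite;
  maxAgeSeconds?: number; // omitted = session cookie
  path?: string;          // defaults to '/'
}

// RFC 6265 cookie-octet: printable ASCII except CTLs, space, DQUOTE, comma,
// semicolon and backslash. Anything else could inject attributes or headers.
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
const COOKIE_NAME = /^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/;

// Returns a list of policy violations; an empty list means the options are acceptable.
// `isProduction` mirrors the page's NODE_ENV === 'production' check.
function cookiePolicyViolations(opts: CookieOpts, isProduction: boolean): string[] {
  const problems: string[] = [];
  if (!opts.httpOnly) problems.push('httpOnly must be true (blocks document.cookie access)');
  if (isProduction && !opts.secure) problems.push('secure must be true in production');
  if (opts.sameSite === 'none' && !opts.secure) problems.push('SameSite=None requires Secure');
  if (opts.maxAgeSeconds !== undefined && opts.maxAgeSeconds <= 0) problems.push('maxAgeSeconds must be positive');
  return problems;
}

// Serialises the cookie or throws, so an insecure configuration never reaches the wire.
function serializeCookie(name: string, value: string, opts: CookieOpts, isProduction: boolean): string {
  if (!COOKIE_NAME.test(name)) throw new Error('invalid cookie name');
  if (!COOKIE_VALUE.test(value)) throw new Error('cookie value contains forbidden characters');
  const path = opts.path ?? '/';
  if (/[;\x00-\x1F\x7F]/.test(path)) throw new Error('invalid cookie path');
  const problems = cookiePolicyViolations(opts, isProduction);
  if (problems.length > 0) throw new Error(`cookie policy: ${problems.join('; ')}`);

  const parts = [`${name}=${value}`, `Path=${path}`];
  if (opts.maxAgeSeconds !== undefined) parts.push(`Max-Age=${opts.maxAgeSeconds}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  // Browsers expect the capitalised form: Strict, Lax, None.
  const sameSite = opts.sameSite[0].toUpperCase() + opts.sameSite.slice(1);
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}
```

Call `serializeCookie` at the point where the session is issued, with `isProduction` taken from the same `NODE_ENV` check as `cookieOpts.secure`, so a misconfigured deployment fails loudly instead of serving an insecure cookie.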
Reference & Examples
For authentication patterns and security headers: See references/REFERENCE.md.