OWASP Security Check

Comprehensive security audit patterns for web applications and REST APIs. Contains 20 rules across 5 categories covering OWASP Top 10 and common web vulnerabilities.

When to Apply

Use this skill when:

• Auditing a codebase for security vulnerabilities
• Reviewing user-provided file or folder for security issues
• Checking authentication/authorization implementations
• Evaluating REST API security
• Assessing data protection measures
• Reviewing configuration and deployment settings
• Before production deployment
• After adding new features that handle sensitive data

How to Use This Skill

1. Identify application type - Web app, REST API, SPA, SSR, or mixed
2. Scan by priority - Start with CRITICAL rules, then HIGH, then MEDIUM
3. Review relevant rule files - Load specific rules from @rules/ directory
4. Report findings - Note severity, file location, and impact
5. Provide remediation - Give concrete code examples for fixes

Audit Workflow

Step 1: Systematic Review by Priority

Work through categories by priority:

1. CRITICAL: Authentication & Authorization, Data Protection, Input/Output Security
2. HIGH: Configuration & Headers
3. MEDIUM: API & Monitoring

Step 2: Generate Report

Format findings as:

• Severity: CRITICAL | HIGH | MEDIUM | LOW
• Category: Rule name
• File: Path and line number
• Issue: What's wrong
• Impact: Security consequence
• Fix: Code example of remediation

Rules Summary

Authentication & Authorization (CRITICAL)

broken-access-control - @rules/broken-access-control.md

Check for missing authorization, IDOR, privilege escalation.

// Bad: No authorization check
async function getUser(req: Request): Promise<Response> {
  let url = new URL(req.url);
  let userId = url.searchParams.get("id");
  let user = await db.user.findUnique({ where: { id: userId } });
  return new Response(JSON.stringify(user));
}

// Good: Verif...