security-hardening-checklist

This skill should be used when the user requests to audit, check, or improve application security by analyzing security headers, cookie configuration, RLS policies, input sanitization, rate limiting, and other security measures. It generates a comprehensive security audit report with actionable recommendations. Trigger terms include security audit, security check, harden security, security review, vulnerability check, security headers, secure cookies, input validation, rate limiting, security best practices.

Repository

hopeoverture/worldbuilding-app-skills
plugins/security-hardening-checklist/skills/security-hardening-checklist/SKILL.md

Last Verified

January 21, 2026

Install command:
npx add-skill https://github.com/hopeoverture/worldbuilding-app-skills/blob/main/plugins/security-hardening-checklist/skills/security-hardening-checklist/SKILL.md -a claude-code --skill security-hardening-checklist

Installation path (Claude Code): .claude/skills/security-hardening-checklist/

Instructions

# Security Hardening Checklist

To perform a comprehensive security audit and generate hardening recommendations, follow these steps systematically.

## Step 1: Project Discovery

Identify the project structure and tech stack:

1. Use Glob to find key files:
   - `package.json` - Dependencies and scripts
   - `next.config.*` - Next.js configuration
   - `middleware.ts` - Middleware setup
   - `app/**/*.{ts,tsx}` - Application routes
   - `.env.example` - Environment variables

2. Identify authentication provider (Supabase, NextAuth, Clerk, etc.)
3. Identify database type (PostgreSQL, MySQL, MongoDB, etc.)
4. Check for security libraries (helmet, rate-limit, etc.)

## Step 2: Security Headers Audit

Check how security headers are configured and whether every response actually carries them.

### Check Next.js Config

Use Grep to search for security headers in `next.config.js/ts`:
```
- "X-Frame-Options"
- "X-Content-Type-Options"
- "X-XSS-Protection"
- "Strict-Transport-Security"
- "Content-Security-Policy"
- "Referrer-Policy"
- "Permissions-Policy"
```

### Generate Missing Headers

Consult `references/security-headers.md` and create configuration:

```typescript
// next.config.ts
import type { NextConfig } from 'next'

const securityHeaders = [
  {
    key: 'X-DNS-Prefetch-Control',
    value: 'on'
  },
  {
    // Two years, subdomains included. Only keep `preload` once every subdomain
    // serves HTTPS: entries on the browser preload list are hard to reverse.
    key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains; preload'
  },
  {
    key: 'X-Frame-Options',
    value: 'SAMEORIGIN'
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff'
  },
  {
    // The legacy XSS auditor has been removed from current browsers, and
    // '1; mode=block' caused information leaks in older ones. Send '0' so the
    // filter is explicitly disabled; rely on Content-Security-Policy instead.
    key: 'X-XSS-Protection',
    value: '0'
  },
  {
    key: 'Referrer-Policy',
    value: 'strict-origin-when-cross-origin'
  },
  {
    key: 'Permissions-Policy',
    value: 'camera=(), microphone=(), geolocation=()'
  }
  // Content-Security-Policy is deliberately absent from this list: its sources
  // (script, style, connect, frame-ancestors) depend on the application and
  // must be written per project rather than copied from a template.
]

const nextConfig: NextConfig = {
  async headers() {
    return [
      {
        // Applies to every route served by Next.js; assets served by a CDN or
        // a reverse proxy in front of Next.js need the same headers there.
        source: '/:path*',
        headers: securityHeaders,
      },
    ]
  },
}

export default nextConfig
```
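A configuration in `next.config.ts` only proves the headers are served if something checks the live response: a CDN, a reverse proxy or a `middleware.ts` that rewrites headers can drop or override them. The following is an added example, not code from the skill or its repository, that audits a header map (as returned by `fetch()` or pasted from `curl -sI`) against the expectations in this step. The rule thresholds (one-year minimum HSTS `max-age`, accepted `Referrer-Policy` values) and the sample headers are assumptions of the example.

```typescript
// Added example: audit a response's security headers against this checklist.
// Header names are matched case-insensitively, as HTTP requires.

export type Finding = {
  header: string;
  severity: 'missing' | 'weak';
  detail: string;
};

type Rule = {
  header: string;
  optional?: boolean; // optional headers are only reported when present and weak
  check: (value: string) => string | null; // returns a problem, or null if fine
};

// Assumed thresholds; adjust to the project's policy.
const RULES: Rule[] = [
  {
    header: 'strict-transport-security',
    check: (v) => {
      const m = /max-age=(\d+)/i.exec(v);
      if (!m) return 'max-age directive missing';
      if (Number(m[1]) < 31536000) return `max-age ${m[1]} is under one year`;
      if (!/includesubdomains/i.test(v)) return 'includeSubDomains not set';
      return null;
    },
  },
  {
    header: 'x-content-type-options',
    check: (v) => (v.trim().toLowerCase() === 'nosniff' ? null : `unexpected value "${v}"`),
  },
  {
    header: 'x-frame-options',
    check: (v) => (/^(deny|sameorigin)$/i.test(v.trim()) ? null : `"${v}" is neither DENY nor SAMEORIGIN`),
  },
  {
    header: 'content-security-policy',
    check: (v) => {
      const problems: string[] = [];
      if (!/(^|;)\s*(default-src|script-src)\b/i.test(v)) problems.push('no default-src or script-src');
      if (/script-src[^;]*'unsafe-inline'/i.test(v)) problems.push("script-src allows 'unsafe-inline'");
      if (!/frame-ancestors/i.test(v)) problems.push('frame-ancestors not set, only the X-Frame-Options fallback protects framing');
      return problems.length ? problems.join('; ') : null;
    },
  },
  {
    header: 'referrer-policy',
    check: (v) =>
      /^(no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin)$/i.test(v.trim())
        ? null
        : `"${v}" can leak full URLs to other origins`,
  },
  {
    header: 'permissions-policy',
    check: () => null, // presence is enough here; the feature list is app-specific
  },
  {
    header: 'x-xss-protection',
    optional: true,
    check: (v) => (v.trim().startsWith('0') ? null : `"${v}" enables the legacy XSS auditor; send "0" or omit the header`),
  },
];

export function auditSecurityHeaders(headers: Record<string, string>): Finding[] {
  const lower: Record<string, string> = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const findings: Finding[] = [];
  for (const rule of RULES) {
    const value = lower[rule.header];
    if (value === undefined) {
      if (!rule.optional) findings.push({ header: rule.header, severity: 'missing', detail: 'header not present' });
      continue;
    }
    const problem = rule.check(value);
    if (problem) findings.push({ header: rule.header, severity: 'weak', detail: problem });
  }
  return findings;
}

// Constructed sample: the headers the configuration above serves, plus a CSP
// that still allows inline scripts and the legacy X-XSS-Protection value.
export const SAMPLE_RESPONSE_HEADERS: Record<string, string> = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'X-XSS-Protection': '1; mode=block',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};

// Usage: for a running server, build the map from `res.headers.forEach(...)`
// on a fetch() response, then call auditSecurityHeaders(map).
```

Run it against the deployed origin rather than `next dev`: the production path (CDN, proxy, edge middleware) is where headers most often go missing.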

## Step 3: Cookie Security Audit

Check cookie configuration for auth and session management.
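Grep finds where cookies are set; the fastest way to confirm what is actually sent is to inspect the `Set-Cookie` values themselves. The following is an added example, not part of the skill, that parses a `Set-Cookie` header and flags the attributes a session cookie must carry (`Secure`, `HttpOnly`, `SameSite`, and the `__Host-` prefix constraints). The cookie-name patterns used to recognise auth cookies and the sample values are assumptions of the example.

```typescript
// Added example: flag insecure attributes in Set-Cookie values.

export type CookieFinding = { cookie: string; problems: string[] };

// Assumption: names matching this pattern are auth/session cookies
// (Supabase `sb-*`, NextAuth `next-auth.*`, generic `session`, prefixed names).
const SESSION_COOKIE = /^(sb-|next-auth\.|session|__session|__Secure-|__Host-)/i;

export function auditSetCookie(setCookie: string): CookieFinding {
  // "name=value; Attr; Attr=val" -> name plus a map of lower-cased attributes.
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attr = new Map<string, string>();
  for (const a of attrs) {
    const eq = a.indexOf('=');
    const k = (eq === -1 ? a : a.slice(0, eq)).toLowerCase();
    const v = eq === -1 ? '' : a.slice(eq + 1);
    attr.set(k, v);
  }

  const problems: string[] = [];
  const isSession = SESSION_COOKIE.test(name);
  const sameSite = (attr.get('samesite') ?? '').toLowerCase();

  if (!attr.has('secure')) problems.push('Secure missing');
  if (isSession && !attr.has('httponly')) problems.push('HttpOnly missing on session cookie');
  if (!sameSite) problems.push('SameSite missing');
  else if (sameSite === 'none' && !attr.has('secure')) problems.push('SameSite=None requires Secure');
  if (name.startsWith('__Host-')) {
    // Browsers reject __Host- cookies that violate these rules; flag them before users hit it.
    if (attr.has('domain')) problems.push('__Host- prefix forbids Domain');
    if (attr.get('path') !== '/') problems.push('__Host- prefix requires Path=/');
  }
  return { cookie: name, problems };
}

export function auditSetCookies(headers: string[]): CookieFinding[] {
  return headers.map(auditSetCookie).filter((f) => f.problems.length > 0);
}

// Constructed sample: one hardened auth cookie, one bare session cookie,
// and a preference cookie that only lacks Secure.
export const SAMPLE_SET_COOKIE: string[] = [
  'sb-access-token=eyJ...; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600',
  'session=abc123; Path=/',
  'theme=dark; Path=/; SameSite=Lax',
];

// In Next.js the fix lives where the cookie is written, e.g.
// cookies().set('session', token, { httpOnly: true, secure: true, sameSite: 'lax', path: '/' })
```

Feed it the `set-cookie` values from a real login response (`res.headers.getSetCookie()` in Node 19.7+ or the raw `curl -i` output); a cookie set by the auth SDK can differ from what the application code suggests.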

### Check for Insecure Cookie Settings

Use Gr
