All skills
Skillintermediate

Security Checklist

| Category | Check | Action | |----------|-------|--------| | **Auth** | Endpoint requires authentication? | Add auth middleware/guard | | **Authz** | User authorized for this action? | Check ownership/role | | **Input** | All input validated and sanitized? | Use schemas, sanitize | | **Output** | Sensitive data excluded from response? | Filter response fields | | **Rate Limit** | Endpoint rate li

Claude Code Knowledge Pack7/10/2026

Overview

Security Checklist

Per-Feature Security Checklist

CategoryCheckAction
AuthEndpoint requires authentication?Add auth middleware/guard
AuthzUser authorized for this action?Check ownership/role
InputAll input validated and sanitized?Use schemas, sanitize
OutputSensitive data excluded from response?Filter response fields
Rate LimitEndpoint rate limited?Add rate limiter
LoggingSecurity events logged?Log auth failures, changes

Authentication Patterns

// NestJS Guard
@UseGuards(JwtAuthGuard)
@Get('profile')
async getProfile(@CurrentUser() user: User) {
  return this.userService.findById(user.id);
}

// Express Middleware
app.get('/profile', authenticate, (req, res) => {
  res.json(req.user);
});
# FastAPI Dependency
@router.get("/profile")
async def get_profile(current_user: User = Depends(get_current_user)):
    return current_user

Authorization Patterns

// Resource ownership check
async updatePost(postId: string, userId: string, data: UpdatePostDto) {
  const post = await this.postRepo.findById(postId);

  if (post.authorId !== userId) {
    throw new ForbiddenException('Not authorized to edit this post');
  }

  return this.postRepo.update(postId, data);
}

// Role-based check
@Roles('admin')
@UseGuards(RolesGuard)
@Delete(':id')
async deleteUser(@Param('id') id: string) {
  return this.userService.delete(id);
}

Input Validation

// Zod schema
const CreateUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  password: z.string().min(12),
});

// Use in endpoint
const validated = CreateUserSchema.parse(req.body);
# Pydantic model
class CreateUser(BaseModel):
    email: EmailStr
    name: str = Field(min_length=1, max_length=100)
    password: str = Field(min_length=12)

Rate Limiting

// Express rate-limit

const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // 5 attempts
  message: 'Too many login attempts',
});

app.post('/login', authLimiter, loginHandler);

Quick Reference

RiskMitigation
SQL InjectionParameterized queries
XSSOutput encoding, CSP
CSRFCSRF tokens, SameSite cookies
IDORAuthorization checks
Brute ForceRate limiting
Data ExposureResponse filtering