Get the FREE Ultimate OpenClaw Setup Guide →

TypeScript Security

Scanned
npx machina-cli add skill hoangnguyen0403/agent-skills-standard/security --openclaw
Files (1)
SKILL.md
1.5 KB

TypeScript Security

Priority: P0 (CRITICAL)

Security standards for TypeScript applications based on OWASP guidelines.

Implementation Guidelines

  • Validation: Validate all inputs with zod/joi/class-validator.
  • Sanitization: Use DOMPurify for HTML. Prevent XSS.
  • Secrets: Use env vars. Never hardcode.
  • SQL Injection: Use parameterized queries or ORMs (Prisma/TypeORM).
  • Auth: Use bcrypt for hashing. Implement strict RBAC.
  • HTTPS: Enforce HTTPS. Set secure, httpOnly, sameSite cookies.
  • Rate Limit: Prevent brute-force/DDoS.
  • Deps: Audit with npm audit.

Anti-Patterns

  • No eval(): Avoid dynamic execution.
  • No Plaintext: Never commit secrets.
  • No Trust: Validate everything server-side.

Code

// Validation (Zod)
const UserSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
});

// Secure Cookie
const cookieOpts = {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'prod',
  sameSite: 'strict' as const,
};

Reference & Examples

For authentication patterns and security headers: See references/REFERENCE.md.

Related Topics

common/security-standards | best-practices | language

Source

git clone https://github.com/hoangnguyen0403/agent-skills-standard/blob/develop/.github/skills/typescript/security/SKILL.mdView on GitHub

Overview

TypeScript Security establishes security standards for TypeScript applications following OWASP guidelines. It covers input validation, sanitization, secret management, injection prevention, authentication, HTTPS, rate limiting, and dependency auditing to reduce common web risks.

How This Skill Works

The skill enforces secure patterns through concrete implementations: validating inputs with zod/joi/class-validator, sanitizing HTML with DOMPurify, never hardcoding secrets, using parameterized queries or ORMs, and hashing passwords with bcrypt. It also prescribes HTTPS, secure cookies, rate limiting, and dependency auditing to close common gaps.

When to Use It

  • When you’re building a TypeScript backend or API and must enforce strong security standards.
  • When validating and sanitizing user input to prevent XSS, injection, or data leaks.
  • When managing secrets and credentials, ensuring they aren’t hardcoded in code.
  • When querying databases, ensuring you use parameterized queries or ORMs to avoid SQL injection.
  • When implementing authentication and session handling, including bcrypt hashing and secure cookies.

Quick Start

  1. Step 1: Install and import recommended libs (zod/joi/class-validator, DOMPurify, bcrypt, Prisma/TypeORM).
  2. Step 2: Add input validation, HTML sanitization, and secret handling in your codebase.
  3. Step 3: Enable HTTPS, configure secure cookies, set up RBAC, and run npm audit to identify vulnerabilities.

Best Practices

  • Validate inputs with a library (zod/joi/class-validator).
  • Sanitize HTML inputs with DOMPurify to prevent XSS.
  • Store secrets in environment variables; never commit secrets.
  • Use parameterized queries or an ORM (Prisma/TypeORM) to prevent SQL injection.
  • Hash passwords with bcrypt, enforce RBAC, and secure cookies (httpOnly, secure, sameSite).

Example Use Cases

  • Validate a user signup payload using Zod before processing.
  • Sanitize user-provided HTML content with DOMPurify before rendering.
  • Load database credentials from process.env and avoid hardcoded secrets.
  • Query database with Prisma/TypeORM using parameterized queries to prevent injections.
  • Set secure cookie options and implement RBAC for route access alongside bcrypt-hashed passwords.

Frequently Asked Questions

Add this skill to your agents
Sponsor this space

Reach thousands of developers