Comprehensive security hardening for web applications covering HTTPS, input validation, authentication, and OWASP Top 10 vulnerabilities.
Enforces HTTPS, security headers (CSP, HSTS), and rate limiting via Helmet and Express middleware to throttle brute-force and abusive traffic and block common header-level attacks
Prevents SQL injection and XSS through parameterized queries, input validation with Joi, and HTML sanitization with DOMPurify where user-supplied HTML must be rendered
Implements CSRF token protection, JWT-based authentication with refresh token rotation, and s
Works with Cursor, an AI-first code editor with Composer.
Before installing skills in Cursor, ensure your development environment meets these requirements. Check the Node.js version with:
node --version
Execute the skills CLI command in your project's root directory to begin installation:
Fetches security-best-practices from supercent-io/skills-template and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate security-best-practices. Access via /security-best-practices in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
6 total installs (6 this week), 88 GitHub stars, 0 upvotes
Express.js security middleware:
```javascript
import express from 'express';
import helmet from 'helmet';
import rateLimit from 'express-rate-limit';

const app = express();

// Behind a reverse proxy or load balancer this is required: without it
// req.secure is always false and the rate limiter keys on the proxy's IP.
app.set('trust proxy', 1);

// Helmet: set security headers
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      // No 'unsafe-inline' for scripts: it lets any injected <script> run and
      // neutralises the CSP as an XSS mitigation. Use nonces or hashes instead.
      scriptSrc: ["'self'", "https://trusted-cdn.com"],
      // 'unsafe-inline' for styles is a much smaller risk; still prefer nonces.
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
      connectSrc: ["'self'", "https://api.example.com"],
      fontSrc: ["'self'", "https:", "data:"],
      objectSrc: ["'none'"],
      mediaSrc: ["'self'"],
      frameSrc: ["'none'"],
    },
  },
  hsts: {
    maxAge: 31536000,          // one year, the minimum for the preload list
    includeSubDomains: true,
    preload: true
  }
}));

// Enforce HTTPS in production. Redirect to a configured canonical host rather
// than echoing req.headers.host: the client controls that header, so echoing
// it turns the redirect into an open redirect. CANONICAL_HOST is assumed to be
// set in the environment (for example app.example.com).
const CANONICAL_HOST = process.env.CANONICAL_HOST;
app.use((req, res, next) => {
  if (process.env.NODE_ENV === 'production' && !req.secure) {
    return res.redirect(301, `https://${CANONICAL_HOST}${req.originalUrl}`);
  }
  next();
});

// Rate limiting: throttles brute force and abusive clients. It does not stop a
// volumetric DDoS, which has to be absorbed upstream (CDN, WAF, load balancer).
// The default MemoryStore is per process; with several instances use a shared
// store (e.g. Redis) or each instance applies the limit independently.
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,                 // max 100 requests per IP per window
  message: 'Too many requests from this IP, please try again later.',
  standardHeaders: true,    // RateLimit-* headers
  legacyHeaders: false,     // no X-RateLimit-* headers
});
app.use('/api/', limiter);

// Stricter limit for credential endpoints
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5,                       // 5 failed attempts per 15 minutes
  skipSuccessfulRequests: true, // only failed logins count against the limit
  standardHeaders: true,
  legacyHeaders: false,
});
app.use('/api/auth/login', authLimiter);
```
Joi validation:
```javascript
import Joi from 'joi';
import DOMPurify from 'isomorphic-dompurify'; // ES imports must be top-level, not inside a handler

const userSchema = Joi.object({
  email: Joi.string().email().required(),
  // Composition rule as written on the page; NIST SP 800-63B favours length and
  // breached-password checks over composition rules. max() caps the cost of
  // slow hashes such as bcrypt on very long inputs.
  password: Joi.string().min(8).max(128).pattern(/^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]/).required(),
  name: Joi.string().min(2).max(50).required()
});

// `db` is assumed to be a pool with a query(sql, params) method (mysql2 style);
// the `?` placeholder syntax is driver specific.
app.post('/api/users', async (req, res) => {
  // 1. Validate input. stripUnknown drops fields the schema does not declare,
  //    which closes the mass-assignment hole of passing req.body straight through.
  const { error, value } = userSchema.validate(req.body, { stripUnknown: true });
  if (error) {
    return res.status(400).json({ error: error.details[0].message });
  }

  // 2. Prevent SQL injection: parameterized queries
  // Bad example: interpolation puts attacker input into the SQL text itself
  // db.query(`SELECT * FROM users WHERE email = '${value.email}'`);
  // Good example: the value travels as a bound parameter, never as SQL
  const user = await db.query('SELECT * FROM users WHERE email = ?', [value.email]);

  // 3. Prevent XSS: output encoding. React/Vue escape on render, and a JSON
  //    response is parsed by the client as data, not markup, so it needs no
  //    HTML sanitization. DOMPurify belongs where user-supplied HTML has to be
  //    rendered as HTML; applied to the name here as the page shows.
  const sanitized = DOMPurify.sanitize(value.name);
  res.json({ user: sanitized });
});
```
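The "output encoding" step above is the one most often done wrong, so here is an added example (not the skill's own code) showing what it means per output context: HTML body and attribute, an inline script, and a JSON response. The payload is a constructed attacker input, and the unescaped renderer is included only to show the contrast.

```javascript
const ESCAPE_HTML = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escaping for HTML text and quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPE_HTML[c]);
}

// Escaping for a JavaScript string literal inside <script>. HTML entities are
// not decoded inside <script>, so escapeHtml is the wrong tool there; instead
// the characters that could close the tag or break the literal are \u-escaped.
function escapeJsString(text) {
  return JSON.stringify(String(text))
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Constructed attacker input: breaks out of an attribute and injects a tag.
const PAYLOAD = '"><img src=x onerror=alert(document.cookie)>';

// Vulnerable: raw interpolation into markup.
function renderProfileUnsafe(name) {
  return `<p>Hello, ${name}</p><input name="display" value="${name}">`;
}

// Hardened: every interpolation into HTML goes through escapeHtml.
function renderProfile(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>` +
         `<input name="display" value="${escapeHtml(name)}">`;
}

// Hardened inline-script rendering.
function renderScript(name) {
  return `<script>const user = ${escapeJsString(name)};</script>`;
}

// A JSON API response: the client parses it as data, so the raw value is
// returned unchanged and no HTML sanitization is needed or wanted.
function renderJson(name) {
  return JSON.stringify({ user: name });
}

module.exports = { escapeHtml, escapeJsString, PAYLOAD, renderProfileUnsafe, renderProfile, renderScript, renderJson };
```

Sanitizing with DOMPurify is the answer only when the application deliberately accepts HTML (a rich-text editor, for instance); for plain strings, escaping at the point of output, in the encoding that context needs, is both simpler and complete.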
CSRF Token:
```javascript
import csrf from 'csurf';
import cookieParser from 'cookie-parser';

app.use(cookieParser());

// CSRF protection. Caveat: csurf is deprecated and no longer maintained by the
// Express team, so treat this as the pattern (secret in a cookie, per-request
// token checked on state-changing requests) and prefer a maintained library or
// an HMAC token bound to the session. If you keep cookie mode, set the cookie
// attributes explicitly instead of `cookie: true`.
const csrfProtection = csrf({
  cookie: { httpOnly: true, sameSite: 'strict', secure: true }
});

// Provide CSRF token
// (The route that returns req.csrfToken() to the client is truncated on the source page.)
```
kadajett/agent-nestjs-skills
supercent-io/skills-template
jwynia/agent-skills
asyrafhussin/agent-skills
shadcn/improve
mattpocock/skills
Useful defaults in security-best-practices: fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
security-best-practices is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Registry listing for security-best-practices matched our evaluation: installs cleanly and behaves as described in the markdown.
Solid pick for teams standardizing on skills: security-best-practices is focused, and the summary matches what you get after install.
I recommend security-best-practices for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Keeps context tight: security-best-practices is the kind of skill you can hand to a new teammate without a long onboarding doc.
We added security-best-practices from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.