security▌

You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection points, unsafe DOM manipulation, and improper sanitization.

Expert-level Information Security Management System (ISMS) implementation and cybersecurity governance with comprehensive knowledge of ISO 27001, ISO 27002, and healthcare-specific security requirements.

Category: test \n SAS Minimal Viable Test \n Prerequisites \n \n AK/SK and region are configured. \n GoalsSkill: skills/security/host/alicloud-security-center-sas/ 。 \n \n Test Steps \n \n 获取 SAS 的 API 列表。 \n 执行一个只读查询 API。 \n 记录成功/失败及错误码。 \n \n Expected Results \n \n 请求链路可达，返回可解析 JSON。 \n

Category: test \n CloudFW Minimal Viable Test \n Prerequisites \n \n AK/SK and region are configured. \n GoalsSkill: skills/security/firewall/alicloud-security-cloudfw/ 。 \n \n Test Steps \n \n 先跑元数据 API 列表脚本。 \n 选择一个只读列表/详情 API 执行。 \n 记录请求摘要和响应摘要。 \n \n Expected Results \n \n 可拿到资源列表或明确无权限提示。 \n

Category: test \n KMS Minimal Viable Test \n Prerequisites \n \n AK/SK and region are configured. \n GoalsSkill: skills/security/key-management/alicloud-security-kms/ 。 \n \n Test Steps \n \n 通过 OpenAPI 元数据确认 KMS 常用读取 API。 \n 执行一个只读查询（如 ListKeys 或产品支持的等价读接口）。 \n 记录 request id、返回数量、错误码（若有）。 \n \n Expected Results \n \n 只读查询成功或返回明确权限错误。 \n

Comprehensive security middleware for REST APIs covering authentication, rate limiting, input validation, and attack prevention. \n \n Implements multiple security layers: helmet for HTTP headers, rate limiting, CORS configuration, input sanitization, and XSS/HPP protection \n Supports Node.js/Express and Python FastAPI with reference implementations for each framework \n Includes JWT-based authentication, input validation with sanitization, and security event logging \n Provides best practices

JWT authentication and authorization for Spring Boot 3.5.x with token generation, refresh strategies, and role/permission-based access control. \n \n Covers token generation with JJWT, Bearer/cookie authentication, and stateless session management using Spring Security 6.x \n Supports database-backed and OAuth2 provider integration (Google, GitHub) with modern SecurityFilterChain configuration \n Includes refresh token rotation, token blacklisting, and key rotation strategies for production secu

Comprehensive security toolkit for threat modeling, penetration testing, security auditing, and cryptography implementation. \n \n Three core automated scripts: Threat Modeler for scaffolding and best practices, Security Auditor for deep analysis and recommendations, and Pentest Automator for expert-level testing automation \n Includes reference documentation covering security architecture patterns, penetration testing workflows, and cryptography implementation with code examples and anti-patter

better-auth-security-best-practices

Transform threat analysis into actionable security requirements. \n \n Converts STRIDE threat categories into functional, non-functional, and constraint requirements with automatic priority calculation based on impact and likelihood \n Generates security user stories, acceptance criteria, and test cases directly from threats; includes traceability matrices linking threats to requirements \n Maps requirements to compliance frameworks (PCI-DSS, HIPAA, GDPR, SOC2, NIST, ISO 27001, OWASP) and identi