Security Anti-Patterns Guard for Node.js/TypeScript/Next.js

When to Activate

Activate this skill when generating ANY code involving:

• Node.js backend code
• TypeScript applications
• Next.js (App Router or Pages Router)
• Express/Fastify APIs
• Database queries (Prisma, Drizzle, raw SQL, MongoDB)
• Authentication/authorization logic
• File uploads or user input handling
• API endpoints or Server Actions

Critical Rules (Top 10)

1. NEVER use string concatenation for SQL/NoSQL queries - use parameterized queries or ORM methods
2. NEVER use dangerouslySetInnerHTML with user input without DOMPurify sanitization
3. ALWAYS verify resource ownership (BOLA) - where: { id, userId: session.user.id }
4. ALWAYS validate ALL external input with zod/yup at API boundaries
5. NEVER hardcode secrets - use process.env (not NEXT_PUBLIC_* for secrets)
6. ALWAYS use crypto.randomBytes() or crypto.randomUUID() - never Math.random() for security
7. NEVER trust middleware alone for auth - verify in route handlers (defense in depth)
8. ALWAYS hash passwords with bcrypt/argon2 - never MD5/SHA1/unsalted
9. NEVER use exec() with user input - use execFile() with argument arrays
10. ALWAYS validate file uploads: extension, MIME type, size limits

Module Index

Reference these modules for specific vulnerability patterns:

How to Use This Skill

When generating code:

1. Identify applicable modules based on what you're writing
2. Reference the specific module for detailed BAD/GOOD patterns
3. Apply the GOOD pattern - never generate code matching BAD patterns
4. Verify the output against the Critical Rules above

Quick Reference by Task

Response Format

When this skill is active, ensure generated code:

1. Includes necessary imports (zod, bcrypt, etc.)
2. Shows the secure pattern being used
3. Includes brief comments explaining security measure if non-obvious
4. Does NOT include insecure alternatives "for reference"