@rulepack/security-basics

v0.1.3

Security baselines: never commit secrets, parameterised queries only, validate at trust boundaries, never log PII.

Updated 6/4/20265 files | 4.4 KB
$pnpm dlx rulepack add security-basics

Drops CLAUDE.md / .cursor/rules/* and friends into your project.

Downloads

0

Stars

0

Views

0

Files

5 files | 4.4 KB

security-basics

Security baselines: never commit secrets, parameterised queries only, validate at trust boundaries, never log PII.

npx rulepack add security-basics

What it covers

  • Secrets: never commit them, keep .env* out of git, inject production secrets via the platform (never bake .env into images)
  • SQL: parameterised queries only — no string concatenation with user input, escape LIKE wildcards from user input
  • Input validation at the trust boundary (HTTP / IPC / file read) with a schema (zod / pydantic / serde)
  • Authentication: hash passwords with argon2id or scrypt (never SHA256/MD5), set httpOnly / secure / sameSite on session cookies, never log bearer tokens
  • Logging & dependencies: no PII or credentials in logs, structured JSON output, and a clean npm audit / cargo audit / pip-audit with Renovate/Dependabot enabled

Designed to pair with framework-specific packs (nextjs, python-fastapi, rust-axum, etc.).

Source

Rules align with OWASP guidance (Top 10 + Cheat Sheet Series): https://owasp.org/www-project-top-ten/

License

MIT