security-basics

Security baselines: never commit secrets, parameterised queries only, validate at trust boundaries, never log PII.

npx rulepack add security-basics

What it covers

  • Secrets: never commit them, keep .env* out of git, inject production secrets via the platform (never bake .env into images)
  • SQL: parameterised queries only — no string concatenation with user input, escape LIKE wildcards from user input
  • Input validation at the trust boundary (HTTP / IPC / file read) with a schema (zod / pydantic / serde)
  • Authentication: hash passwords with argon2id or scrypt (never SHA256/MD5), set httpOnly / secure / sameSite on session cookies, never log bearer tokens
  • Logging & dependencies: no PII or credentials in logs, structured JSON output, and a clean npm audit / cargo audit / pip-audit with Renovate/Dependabot enabled
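The SQL rule above, as an added example that is not part of this pack: a concatenated "before" beside a parameterised query that also escapes LIKE wildcards, using Python's standard-library sqlite3 with a constructed in-memory table.

```python
import sqlite3

LIKE_ESC = "\\"  # escape character declared in the query's ESCAPE clause


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration; the '100%' user shows why
    wildcards coming from user input must be escaped."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob_admin", "bob@example.com"),
         ("100%", "pct@example.com")],
    )
    return conn


def escape_like(term: str, esc: str = LIKE_ESC) -> str:
    """Make % and _ from user input match literally. The escape character itself
    is escaped first so a user-supplied backslash cannot neutralise the escaping."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_users_unsafe(conn: sqlite3.Connection, term: str) -> list[str]:
    """The 'before': the input is spliced into SQL text. A quote in `term`
    breaks the statement, and a bare '%' silently matches every row."""
    sql = "SELECT name FROM users WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_users(conn: sqlite3.Connection, term: str) -> list[str]:
    """Parameterised: the driver passes the value out of band, so it is never
    parsed as SQL. The surrounding %...% wildcards are ours; the user's own
    % and _ are escaped and therefore matched literally."""
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE ?", (pattern, LIKE_ESC))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(search_users_unsafe(db, "%"))  # every user: the wildcard leaked through
    print(search_users(db, "%"))         # only the user whose name contains '%'
```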

Designed to pair with framework-specific packs (nextjs, python-fastapi, rust-axum, etc.).

Source

Rules align with OWASP guidance (Top 10 + Cheat Sheet Series): https://owasp.org/www-project-top-ten/

License

MIT