Agent-Skills.md

Agent Skills: TypeScript Security

Secure coding practices for TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration. (triggers: **/*.ts, **/*.tsx, validate, sanitize, xss, injection, auth, password, secret, token)

UncategorizedID: hoangnguyen0403/agent-skills-standard/typescript-security

Repository

hoangnguyen0403/agent-skills-standard
HoangNguyen0403License: Apache-2.0
362103

Install this agent skill to your local

pnpm dlx add-skill https://github.com/HoangNguyen0403/agent-skills-standard/tree/HEAD/.agents/skills/typescript/typescript-security

Skill Files

Browse the full folder contents for typescript-security.

Download Skill

Loading file tree…

.agents/skills/typescript/typescript-security/SKILL.md

Skill Metadata

Name
typescript-security
Description
Validate input, secure auth tokens, and prevent injection attacks in TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration.

TypeScript Security

Priority: P0 (CRITICAL)

Validate Input at Boundaries

  • Use Zod, Joi, or class-validator at API boundary. Always parse and validate user-controlled input before using. Use safeParse for error handling without throwing. Return 400 with structured errors on failure.

See references/REFERENCE.md for Zod validation schemas, secure cookie setup, and JWT auth patterns.

Prevent Injection and XSS

  • Sanitization: Use DOMPurify for HTML sanitization to prevent Cross-Site Scripting (XSS).
  • SQL Injection: Use Parameterized Queries (e.g., pool.query('... WHERE id = $1', [id])) or Type-safe ORMs (Prisma/TypeORM). Use Prisma.sql for raw queries.
  • Input Filtering: Sanitize user-controlled input before using it in file paths or OS commands (Command Injection).

Secure Authentication

  • Use Argon2id for password hashing. Implement JWT (via jsonwebtoken or jose) with HttpOnly and Secure cookies. Use RS256 for public/private key pairs and implement Refresh Token rotation.
  • Secrets: Store secrets in .env (e.g., JWT_SECRET) or Secret Managers. NEVER commit them to Git.
  • CORS: Configure CORS with Strict Origin Whitelisting. Avoid origin: '*'.
  • Encryption: Use crypto (Node.js) or Web Crypto API for sensitive data. Avoid legacy algorithms like MD5/SHA1.

Verification

After typing validation schemas (Zod/joi) or auth guards, call getDiagnostics (typescript-lsp) to confirm type narrowing correct before finalizing.

Anti-Patterns

  • No dynamic execution: Avoid eval, Function constructor, or string literals as timer callbacks — all execute runtime code and bypass TypeScript's type system.
  • No shell string interpolation: Never use execSync(\cmd ${userInput}`)or interpolate environment variables / config values intoexecSync/spawnSyncstrings. Shell metacharacters cause **command injection (OWASP A03)**. UseexecFileSync('git', ['arg1', arg2])` with a static command + separate args array instead.
  • No unvalidated SSRF origins: When a URL comes from env vars or config (e.g., FEEDBACK_API_URL), validate it against an allowed-origin allowlist before calling fetch() / axios.
  • No Plaintext: Never commit secrets.
  • No Trust: Validate everything server-side.

References

See references/REFERENCE.md for Zod validation, secure cookie setup, JWT auth, security headers, and RBAC patterns.