This is the checklist you run before shipping anything that touches user data, auth, or payments. It covers the usual suspects: environment variables instead of hardcoded secrets, parameterized queries to avoid SQL injection, httpOnly cookies for tokens, input validation with Zod, and CSP headers. The fail/pass code examples are actually helpful, especially the Supabase RLS policies and rate limiting setup. It's opinionated about things like never using localStorage for tokens and starting with strict CSP instead of unsafe-inline. Honestly, this reads like the security review your team should be doing anyway but probably isn't. Good reference when you're about to merge something sensitive and want to catch the obvious mistakes.
npx -y skills add affaan-m/ecc --skill security-review --agent claude-codeInstalls into .claude/skills of the current project.
Select a file.
giuseppe-trisciuoglio/developer-kit