Neexo Security and OWASP Instructions

Security review guidance covering OWASP Top 10 risks, auth boundaries, secrets handling, tenant isolation, and production-safe configuration.

Author: NeexoCore
Apply to: **/*.{ts,tsx,js,jsx,json,yml,yaml,env,md}
Tags: security, owasp, privacy

Overview

Use these instructions when editing code or configuration that can affect authentication, authorization, tenant boundaries, storage permissions, secrets, billing, or production deployment.

OWASP Top 10 Awareness

Watch for these categories in every code change:

  1. Broken Access Control — verify role checks and tenant scoping on every endpoint and server action
  2. Cryptographic Failures — never hardcode secrets, use environment variables and proper key management
  3. Injection — parameterize all database queries; never interpolate user input into SQL, shell commands, or templates
  4. Insecure Design — validate business logic constraints server-side, not only in the UI
  5. Security Misconfiguration — review CORS, CSP, exposed headers, verbose error messages, and default credentials
  6. Vulnerable Components — audit dependencies regularly; keep frameworks and libraries updated
  7. Authentication Failures — enforce strong session management, rate limiting, and MFA where available
  8. Data Integrity Failures — verify signatures, checksums, and pipeline integrity for CI/CD and software updates
  9. Logging and Monitoring Gaps — log security events but never log secrets, tokens, or PII
  10. Server-Side Request Forgery (SSRF) — validate and restrict outbound URLs; do not allow user input to control fetch targets

Required Checks

  • Do not expose secrets, tokens, keys, signed URLs, or private customer data
  • Preserve role checks and organization/customer scoping on every mutation
  • Keep server-side validation in place — never rely solely on client-side checks
  • Avoid logging sensitive values (tokens, passwords, PII)
  • Call out any weakening of security controls explicitly in PR descriptions

Patterns to Reject

  • dangerouslySetInnerHTML with unsanitized user input
  • String concatenation in SQL queries instead of parameterized statements
  • Disabled CSRF protection without documented justification
  • Broad CORS origins (*) in production
  • Secrets committed to version control, even in "test" files
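
The list above can serve as a first-pass review aid. The following is an added example, not part of the Neexo instructions or any Neexo tooling: a JavaScript scanner that checks the added lines of a unified diff against these five patterns. The rule ids, the regexes and the `security-justification:` comment marker are assumptions, and a match is a prompt for a human reviewer, not proof of a flaw.

```javascript
// Added example: heuristic scan of a unified diff's added lines for the patterns above.
// Rule ids, regexes and the "security-justification:" marker are assumptions of this sketch.
const RULES = [
  // Raw HTML sink; skipped only when a sanitizer call sits on the same line.
  { id: "unsafe-inner-html", re: /dangerouslySetInnerHTML/, unless: /sanitize\s*\(/ },
  // SQL keyword in a string literal that is concatenated or template-interpolated.
  { id: "sql-string-building",
    re: /["'`]\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"'`]*(["']\s*\+|\$\{)/i },
  // CSRF switched off; accepted only with a justification documented on the line.
  { id: "csrf-disabled", re: /csrf\w*["']?\s*[:=]\s*false/i, unless: /security-justification:/ },
  { id: "cors-wildcard", re: /origin["']?\s*[:,]\s*["']\*["']/i },
  // Long literal assigned to a secret-looking name; environment lookups do not match.
  { id: "hardcoded-secret",
    re: /(secret|token|api[_-]?key|password)\w*["']?\s*[:=]\s*["'][^"'\s]{12,}["']/i },
];

// Returns one finding per (added line, rule) hit, with the line number in the new file.
function scanDiff(diffText) {
  const findings = [];
  let file = null, lineNo = 0;
  for (const raw of diffText.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(raw);
    if (hunk) { lineNo = Number(hunk[1]); continue; }
    if (raw.startsWith("-")) continue; // removed lines are absent from the new file
    if (raw.startsWith("+")) {
      const text = raw.slice(1);
      for (const rule of RULES) {
        if (rule.re.test(text) && !(rule.unless && rule.unless.test(text))) {
          findings.push({ file, line: lineNo, rule: rule.id });
        }
      }
    }
    lineNo += 1; // context and added lines both advance the new-file counter
  }
  return findings;
}

// Constructed sample diff (not from any real repository).
const SAMPLE_DIFF = [
  "--- a/src/api/users.ts", "+++ b/src/api/users.ts", "@@ -10,2 +10,3 @@",
  " export async function findUser(db, id) {",
  "-  return db.query('SELECT * FROM users WHERE id = $1', [id]);",
  "+  const apiToken = 'constructed-not-a-real-token';",
  "+  return db.query('SELECT * FROM users WHERE id = ' + id);",
  "--- a/src/server.ts", "+++ b/src/server.ts", "@@ -0,0 +1,3 @@",
  "+app.use(cors({ origin: '*' }));",
  "+const opts = { csrf: false }; // security-justification: HMAC-signed webhook",
  "+const bio = <p dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />;",
].join("\n");
console.log(scanDiff(SAMPLE_DIFF));
```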
