Security Expert
The Security Expert agent specializes in application security, authentication, and protecting against vulnerabilities.
Expertise Areas
- Authentication - JWT, OAuth 2.0, SAML, passwordless
- Authorization - RBAC, ABAC, permissions
- OWASP Top 10 - XSS, CSRF, injection, etc.
- Encryption - At rest, in transit, key management
- Security Headers - CSP, HSTS, X-Frame-Options
- API Security - Rate limiting, API keys, scopes
- Compliance - GDPR, HIPAA, SOC 2
Usage Examples
Security Audit
Use the security-expert agent to review this authentication code for vulnerabilities.
Response includes:
- Vulnerability identification
- Risk assessment
- Remediation steps
- Best practice recommendations
Auth Implementation
Use the security-expert agent to implement OAuth 2.0 with PKCE for a SPA.
Response includes:
- Flow implementation
- Token handling
- Security considerations
- Error handling
Input Validation
Use the security-expert agent to create a secure input validation layer.
Response includes:
- Validation schemas
- Sanitization functions
- Error messages
- Edge case handling
OWASP Top 10 Coverage
1. Injection
- SQL injection prevention
- NoSQL injection
- Command injection
- LDAP injection
2. Broken Authentication
- Secure session management
- Password policies
- MFA implementation
- Brute force protection
3. Sensitive Data Exposure
- Encryption at rest
- TLS configuration
- Data masking
- Secure key storage
4. XML External Entities (XXE)
- Parser configuration
- Input validation
- Entity expansion limits
5. Broken Access Control
- Authorization checks
- IDOR prevention
- Privilege escalation
- Directory traversal
6. Security Misconfiguration
- Default credentials
- Error handling
- Security headers
- Unnecessary features
7. Cross-Site Scripting (XSS)
- Output encoding
- CSP headers
- DOM sanitization
- Template escaping
8. Insecure Deserialization
- Input validation
- Integrity checks
- Type checking
- Allowlists
9. Using Components with Known Vulnerabilities
- Dependency scanning
- Version management
- Security advisories
- Update strategies
10. Insufficient Logging & Monitoring
- Audit logging
- Alerting
- Incident response
- Log protection
Security Patterns
Authentication Middleware
```javascript
// Secure JWT verification
import { verify } from 'jsonwebtoken';

// `redis` (a connected Redis client) and `UnauthorizedError` are assumed to be
// defined elsewhere in the application.
export const authenticate = async (req, res, next) => {
  try {
    const token = req.headers.authorization?.replace('Bearer ', '');

    if (!token) {
      throw new UnauthorizedError('No token provided');
    }

    // Verify with algorithm restriction: only HS256 is accepted, so a token
    // whose header names another algorithm (or "none") is rejected
    const payload = verify(token, process.env.JWT_SECRET, {
      algorithms: ['HS256'],
      issuer: 'your-app',
      audience: 'your-api',
    });

    // Check token blacklist (for logout)
    const isBlacklisted = await redis.get(`blacklist:${token}`);
    if (isBlacklisted) {
      throw new UnauthorizedError('Token revoked');
    }

    req.user = payload;
    next();
  } catch (error) {
    // Every failure, including a Redis error, is reported as the same generic
    // error, so the middleware fails closed
    next(new UnauthorizedError('Invalid token'));
  }
};
```
Password Hashing
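```typescript
import { hash, compare } from 'bcrypt';

// bcrypt cost factor: each increment doubles the hashing work
const SALT_ROUNDS = 12;

// `isStrongPassword` and `ValidationError` are assumed to be defined elsewhere
// in the application.
export async function hashPassword(password: string): Promise<string> {
  // Validate password strength first
  if (!isStrongPassword(password)) {
    throw new ValidationError('Password does not meet requirements');
  }
  // bcrypt generates a random salt and stores it in the returned hash.
  // Note: bcrypt only uses the first 72 bytes of the password.
  return hash(password, SALT_ROUNDS);
}

export async function verifyPassword(
  password: string,
  hashedPassword: string
): Promise<boolean> {
  return compare(password, hashedPassword);
}
```
Security Headers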
```javascript
// Helmet configuration
import helmet from 'helmet';

// `app` is assumed to be the Express application instance.
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      // 'strict-dynamic' needs a nonce or hash source next to it; browsers
      // that support it ignore 'self' in this directive
      scriptSrc: ["'self'", "'strict-dynamic'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
      connectSrc: ["'self'", "https://api.example.com"],
      fontSrc: ["'self'"],
      objectSrc: ["'none'"],
      frameAncestors: ["'none'"],
      upgradeInsecureRequests: [],
    },
  },
  hsts: {
    maxAge: 31536000, // one year, in seconds
    includeSubDomains: true,
    preload: true,
  },
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
}));
```
Rate Limiting
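Added example, not part of the original page and not express-rate-limit's source: a simplified in-memory model of how the `authLimiter` settings in the configuration that follows (`max: 5`, a one-hour window, `skipSuccessfulRequests: true`) treat a run of login attempts from one client. `createLimiter`, `simulate`, the `prefix` parameter and the sample address are assumptions made for this illustration.

```javascript
// Fixed-window counter keyed by prefix + client. A Map stands in for Redis.
function createLimiter({ windowMs, max, skipSuccessfulRequests = false, prefix = 'rl:' }, store = new Map()) {
  return function hit(clientKey, statusCode, now) {
    const key = prefix + clientKey;
    let entry = store.get(key);
    // Start a fresh window when none exists or the previous one has expired.
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + windowMs };
      store.set(key, entry);
    }
    entry.count += 1;
    if (entry.count > max) {
      // Over the limit: the request is refused and the hit stays counted.
      return { allowed: false, status: 429, count: entry.count };
    }
    // A successful response refunds only its own hit; it does not reset the
    // window, so earlier failures still count against the client.
    if (skipSuccessfulRequests && statusCode < 400) {
      entry.count -= 1;
    }
    return { allowed: true, status: statusCode, count: entry.count };
  };
}

// Constructed scenario: login attempts from a single client address.
function simulate() {
  const HOUR = 60 * 60 * 1000;
  const store = new Map(); // one shared backing store, as with a single Redis
  const auth = createLimiter(
    { windowMs: HOUR, max: 5, skipSuccessfulRequests: true, prefix: 'rl:auth:' }, store);
  const api = createLimiter(
    { windowMs: 15 * 60 * 1000, max: 100, prefix: 'rl:api:' }, store);
  const ip = '203.0.113.7'; // documentation-range address (RFC 5737)
  const log = [];
  let t = 0;
  for (let i = 0; i < 3; i++) log.push(auth(ip, 401, t++)); // three bad passwords
  log.push(auth(ip, 200, t++));                             // success, refunded
  for (let i = 0; i < 3; i++) log.push(auth(ip, 401, t++)); // 4th, 5th, then blocked
  const apiResult = api(ip, 200, t++);        // other prefix, separate counter
  const afterWindow = auth(ip, 401, HOUR + 1); // window expired, counter restarts
  return { log, apiResult, afterWindow };
}
```

In this model the sixth failed attempt inside the hour is refused with 429, and the successful login in the middle does not clear the three failures recorded before it.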
```javascript
import rateLimit from 'express-rate-limit';
import RedisStore from 'rate-limit-redis';

// `redisClient` is assumed to be a connected Redis client created elsewhere.
// Each limiter gets its own key prefix so the two do not share counters.

// General API rate limit
export const apiLimiter = rateLimit({
  store: new RedisStore({ client: redisClient, prefix: 'rl:api:' }),
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,
  message: { error: 'Too many requests' },
  standardHeaders: true,
  legacyHeaders: false,
});

// Strict limit for auth endpoints
export const authLimiter = rateLimit({
  store: new RedisStore({ client: redisClient, prefix: 'rl:auth:' }),
  windowMs: 60 * 60 * 1000, // 1 hour
  max: 5,
  message: { error: 'Too many login attempts' },
  skipSuccessfulRequests: true, // only failed attempts count toward the limit
});
```
Sample Prompts
| Task | Prompt |
|---|---|
| Security audit | "Review this code for security vulnerabilities" |
| Auth system | "Implement secure password reset flow" |
| API security | "Add API key authentication with rate limiting" |
| Data protection | "Encrypt sensitive user data at rest" |
| CORS setup | "Configure CORS for a production SPA" |
Security Checklist
The Security Expert can generate checklists for:
- Authentication security
- Authorization controls
- Input validation
- Output encoding
- Error handling
- Logging and monitoring
- Dependency security
- Infrastructure security
- Data protection
- Session management
Configuration
```javascript
// bootspring.config.js
module.exports = {
  agents: {
    customInstructions: {
      'security-expert': `
        - Follow OWASP guidelines
        - Assume all input is malicious
        - Use principle of least privilege
        - Implement defense in depth
        - Log security events
      `,
    },
  },
  quality: {
    gates: ['security'],
    security: {
      checks: ['dependencies', 'secrets', 'owasp'],
    },
  },
};
```
Related Agents
- Backend Expert - Server security
- DevOps Expert - Infrastructure security
- API Expert - API security patterns