/security-basics

internal
Category:
Internal Skills

What it is

OWASP Top 10 prevention patterns, input validation at system boundaries, environment-based secrets management, and CORS/CSRF configuration.

Called by

What it does

Covers each OWASP Top 10 category with prevention patterns and code examples.

Defines input validation rules at system boundaries (sanitize, parameterize, validate).

Documents secrets management: environment variables, vault integration, never in code.

Provides CORS and CSRF configuration guidance.

When you will see it surface

  • Security review findings reference OWASP categories defined here.
  • When /gaia-dev-story implements authentication or data handling, these patterns guide the approach.

Technical notes

  • Deny by default -- require explicit grants for each resource.
  • Use parameterized queries for all database operations.
  • Hash passwords with bcrypt (cost factor >= 12) or argon2.
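The first two notes and the boundary-validation rule from "What it does", worked through in one small handler. This is an added example, not code from the /security-basics skill itself; it assumes an in-memory sqlite3 table with constructed sample rows, a hypothetical GRANTS set and a hypothetical `get_user` handler.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application database
# (sample rows, not taken from the original page).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
_conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                  [("alice", "admin"), ("bob", "user")])

# Boundary validation: accept only what a username is allowed to look like.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")

# Deny by default: every (role, resource) pair must be granted explicitly;
# anything not listed here is denied, including unknown roles.
GRANTS = {
    ("admin", "users:read"),
    ("admin", "users:write"),
    ("user", "users:read"),
}


def is_allowed(role, resource):
    """True only for an explicit grant; there is no fall-through allow."""
    return (role, resource) in GRANTS


def validate_username(raw):
    """Reject malformed input at the boundary, before it reaches the data layer."""
    if not isinstance(raw, str) or not USERNAME_RE.match(raw):
        raise ValueError("invalid username")
    return raw


def find_user(username):
    """Parameterized query: the value travels separately from the SQL text,
    so the driver always treats it as data, never as part of the statement."""
    row = _conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchone()
    return {"id": row[0], "username": row[1], "role": row[2]} if row else None


def get_user(caller_role, raw_username):
    """Hypothetical handler: authorize, validate, then query, in that order."""
    if not is_allowed(caller_role, "users:read"):
        raise PermissionError("denied")
    return find_user(validate_username(raw_username))
```

Even if validation were bypassed, `find_user` returns no row for a string such as `alice' OR '1'='1` because the parameter is compared as a literal username.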