---
name: security-lens
description: Apply security awareness during code review and implementation. Catches common vulnerabilities without requiring full security audit.
allowed-tools:
  - Read
  - Grep
  - Glob
---

# Security Awareness Lens

When reviewing or writing code, check for:

## Input Handling

- [ ] User input validated before use
- [ ] SQL uses parameterized queries (never string concat)
- [ ] HTML output escaped to prevent XSS
- [ ] File paths validated (no path traversal)

## Authentication/Authorization

- [ ] Auth checks at controller level, not just UI
- [ ] Sensitive operations re-verify permissions
- [ ] Session tokens are httpOnly, secure, sameSite

## Data Exposure

- [ ] Logs don't contain secrets, tokens, PII
- [ ] Error messages don't leak internal details
- [ ] API responses don't include unnecessary fields

## Secrets

- [ ] No hardcoded credentials
- [ ] Secrets from environment/vault, not config files
- [ ] .gitignore covers .env, credentials

See @owasp-quick-ref.md for detailed vulnerability patterns.