Claude Tips & Tricks

Use Claude Code for Security Auditing

Run security-focused code reviews with Claude by pointing it at specific vulnerability categories and giving it a structured audit checklist.

Claude is good at catching security issues when you tell it exactly what to look for. A generic "review this code" prompt misses things a targeted audit with a checklist catches, because the checklist forces a pass over each vulnerability class instead of a single impression of the code.

OWASP-Focused Audit

Audit src/api/ for these OWASP Top 10 categories:
- Injection (SQL, NoSQL, command injection)
- Identification and authentication failures (broken authentication)
- Cryptographic failures (sensitive data exposure)
- XML external entities (XXE), now grouped under security misconfiguration
- Broken access control
- Security misconfiguration

For each finding: file, line, severity (critical/high/medium/low),
the input or request that triggers it, and a concrete fix. Only report
issues you can trace to a real code path; mark anything you cannot
confirm as "needs verification" instead of dropping it or asserting it.

Asking for the triggering input is what keeps the report honest: a finding the model cannot tie to a reachable path is the one most likely to be a false positive, and "no false positives" on its own mostly teaches the model to stay quiet.

Dependency Audit

Run `npm audit --json` and analyze the results. For each vulnerability:
1. Is it actually exploitable in our usage? Is the package a runtime or a
   dev dependency, and do we call the affected function with untrusted input?
2. What's the upgrade path?
3. Are there breaking changes in the fix version?

Auth-Specific Review

Review our authentication flow end-to-end:
@src/auth/ @src/middleware/

Check for:
- Token storage (session tokens belong in HttpOnly, Secure, SameSite cookies, never in localStorage)
- Session expiry and refresh logic, including server-side invalidation on logout
- Rate limiting on login attempts, keyed on both client IP and account
- CSRF protection on state-changing endpoints

Install Security Skills

The Trail of Bits security skills provide 12+ specialized audit patterns covering smart contracts, cryptography, and binary analysis. Treat a skill like any other dependency: read what it instructs Claude to run before installing it, since it executes with your session's tool permissions.

Tip

Run security audits on a schedule. Add a /loop check that audits new commits weekly, scoped to the diff since the previous run so findings are not repeated, or trigger audits in CI on PRs that touch auth or payment code.