{"id":"6d36d0c4-ee2f-41ba-a89d-cdc08211acf6","shortId":"DjSj8k","kind":"skill","title":"laravel-owasp-security","tagline":"OWASP Top 10 security audit and secure coding guidelines for Laravel + React/Inertia.js applications. Use when auditing for vulnerabilities (\"run OWASP audit\", \"security review\", \"check my app security\") or writing secure Laravel code involving auth, payments, file uploads, or AP","description":"# Laravel OWASP Security\n\nDual-purpose security skill for Laravel 13 + React/Inertia.js applications. Run a full OWASP Top 10 audit against a codebase, or use as a secure coding reference when building features.\n\n## How to Audit\n\n### Step 1: Detect Stack\n\nCheck if the project uses React + Inertia.js by looking for:\n- `app/Http/Middleware/HandleInertiaRequests.php` exists\n- `resources/js/` contains `.tsx` or `.jsx` files\n- `inertiajs/inertia-laravel` in `composer.json`\n- `@inertiajs/react` in `package.json`\n\n**If detected**, state at the top of the report:\n> \"React + Inertia.js detected — Laravel OWASP checklist AND React/Inertia security checks will both be applied.\"\n\n**If not detected**, state:\n> \"No React/Inertia.js detected — applying Laravel OWASP checklist only.\"\n\n### Step 2: Determine Scope\n\n- If arguments provided (`$ARGUMENTS`): review only those files or features\n- If no arguments: review the entire codebase\n\n### Step 3: Run Checklist\n\nWork through every item below. For each, output:\n- **PASS** — brief confirmation of what was verified\n- **FAIL** — exact `file:line`, a description of the vulnerability (do NOT reproduce any code, values, API keys, tokens, or .env contents from the file), and a fix recommendation\n- **N/A** — if the check does not apply to this project\n\n---\n\n## OWASP Top 10 Checklist\n\n### 1. 
Broken Access Control (A01:2021)\n\n- [ ] Middleware protects all route groups by role (`auth`, `role:admin`, etc.)\n- [ ] Resource queries scoped to authenticated user — `->where('user_id', auth()->id())`\n- [ ] No direct object reference without ownership check\n- [ ] Gates and Policies used to authorize resource access\n- [ ] Frontend role checks are mirrored server-side — never rely on React UI checks alone\n\n### 2. Cryptographic Failures (A02:2021)\n\n- [ ] Passwords hashed with `Hash::make()` or `'hashed'` Eloquent cast — never stored as plaintext\n- [ ] No MD5 or SHA1 used for password hashing\n- [ ] Sensitive fields (API keys, secrets) encrypted with `Crypt::encryptString()` or `'encrypted'` Eloquent cast\n- [ ] `APP_KEY` is long, random, and unique per environment\n- [ ] Signed URLs (`URL::signedRoute()`) used for sensitive one-time actions (password reset, email verify)\n\n### 3. Injection (A03:2021)\n\n**SQL & Mass Assignment:**\n- [ ] No string concatenation in `whereRaw()`, `selectRaw()`, `orderByRaw()` — use `?` bindings\n- [ ] Column names never derived from user input without a whitelist\n- [ ] No `$request->all()` passed directly to `create()`, `fill()`, or `update()`\n- [ ] No `forceFill()` or `forceCreate()` with unvalidated user input\n- [ ] Models define `$fillable` explicitly — not `$guarded = []`\n- [ ] Controllers use `$request->validated()` for mass operations\n\n**XSS — Blade & React:**\n- [ ] No `{!! $userInput !!}` in Blade templates with untrusted data\n- [ ] `{{ }}` used for all user-supplied Blade output\n- [ ] No `dangerouslySetInnerHTML` in React without `DOMPurify.sanitize()` first\n- [ ] `href` and `src` attributes not set from unvalidated user input\n- [ ] No `eval()`, `new Function()`, or `setTimeout(string)` with user-controlled strings\n- [ ] External CDN scripts use Subresource Integrity (`integrity=\"sha384-...\"`)\n\n### 4. 
Insecure Design (A04:2021)\n\n- [ ] Business logic enforced server-side — prices, totals, and discounts never trusted from client input\n- [ ] Sensitive operations require secondary confirmation (e.g. password re-entry for account deletion)\n- [ ] No mass action endpoints without per-item authorization check\n- [ ] Admin-only features isolated behind separate middleware — not just hidden in the UI\n- [ ] Payment amounts and enrollment states calculated server-side, not passed as form inputs\n\n### 5. Security Misconfiguration (A05:2021)\n\n- [ ] `APP_DEBUG=false` in production\n- [ ] `.env` is in `.gitignore` and never committed\n- [ ] Database uses a restricted user — not root/admin — in production\n- [ ] `storage/` and `bootstrap/cache/` have correct permissions (not world-writable)\n- [ ] `APP_KEY` is set and unique per environment\n- [ ] CORS `allowed_origins` is not `['*']` for authenticated API routes\n\n### 6. Vulnerable & Outdated Components (A06:2021)\n\n- [ ] `composer audit` passes with no known CVEs\n- [ ] `npm audit` passes with no known CVEs\n- [ ] Laravel framework is on a supported version\n\n### 7. 
Identification & Authentication Failures (A07:2021)\n\n**Auth:**\n- [ ] Using Laravel Breeze, Fortify, or Jetstream — not custom-rolled auth\n- [ ] Passwords hashed with bcrypt or argon2 (Laravel default)\n- [ ] Login route rate limited — `throttle` middleware or `RateLimiter` in `LoginRequest`\n- [ ] Password reset and email verification routes rate limited\n- [ ] Payment and sensitive action routes have appropriate rate limits\n- [ ] `session()->regenerate()` called after successful login, and `session()->invalidate()` plus `session()->regenerateToken()` called on logout\n\n**Cookie & Session:**\n- [ ] `http_only = true` in `config/session.php`\n- [ ] `same_site = lax` or `strict` in `config/session.php`\n- [ ] `secure = true` in `config/session.php` for any HTTPS deployment; confirm the `Secure` attribute is actually present on the session cookie in a real response rather than assuming a `null` value auto-detects HTTPS\n- [ ] `lifetime` is a reasonable value (15–30 min recommended for most apps)\n- [ ] `domain = null` unless subdomains are needed\n- [ ] `EncryptCookies` middleware is in the web group\n\n### 8. Software & Data Integrity Failures (A08:2021)\n\n**CSRF:**\n- [ ] `ValidateCsrfToken` middleware (named `VerifyCsrfToken` in older application skeletons) active in the web group\n- [ ] Only stateless routes (webhooks, external callbacks) are excluded from CSRF, and each excluded route verifies the provider's signature or a shared secret instead\n- [ ] `@csrf` directive used in all non-Inertia POST forms\n- [ ] Excluded routes in `validateCsrfTokens(except: [...])` are justified\n\n**Deserialization:**\n- [ ] No `unserialize($request->input(...))`\n- [ ] No `eval($request->input(...))`\n- [ ] No `extract($request->all())`\n\n### 9. Security Logging & Monitoring Failures (A09:2021)\n\n- [ ] Failed login attempts logged with IP and identifier\n- [ ] Payment failures and exceptions logged\n- [ ] Log entries do not contain raw passwords or secrets\n- [ ] Monitoring in place (Laravel Telescope behind its authorization gate outside local environments, Sentry, or similar)\n\n### 10. 
Server-Side Request Forgery — SSRF (A10:2021)\n\n- [ ] No `Http::get($request->input('url'))` with unvalidated URLs\n- [ ] User-supplied URLs validated against an allowlist or scheme check (`http`/`https` only, no userinfo, parsed rather than prefix-matched)\n- [ ] Internal network addresses blocked from user-supplied URLs: the hostname is resolved and every resulting IP checked against loopback, private, link-local and cloud metadata ranges (e.g. `169.254.169.254`), not just the literal string\n- [ ] Outbound requests to user-supplied URLs do not follow redirects blindly (`Http::withoutRedirecting()`, or re-validate each hop)\n\n---\n\n## Additional Checks\n\n> Not part of the OWASP Top 10 but critical for Laravel applications.\n\n### Command Injection & Dangerous Functions\n\n- [ ] No `exec()`, `shell_exec()`, `system()`, `passthru()` with user input\n- [ ] No open redirects — no `redirect($request->input('url'))` with unvalidated URLs; redirect only to relative paths, named routes, or hosts on an explicit allowlist (note that `//evil.example` is protocol-relative, not a local path)\n- [ ] File uploads validate `mimes:`, `max:` — filenames never derived from raw user input; files stored outside the public web root under a server-generated name\n\n### Security Headers\n\n- [ ] `Content-Security-Policy` set — with nonces (`Vite::useCspNonce()`) if possible\n- [ ] `X-Frame-Options` set\n- [ ] `X-Content-Type-Options` set\n- [ ] `Strict-Transport-Security` set for HTTPS\n- [ ] `Referrer-Policy` set\n- [ ] `Permissions-Policy` set\n\n---\n\n## React + Inertia.js Checks\n\n> Only run if React + Inertia.js detected in Step 1.\n\n### R1. XSS in React Components\n\n- [ ] No `dangerouslySetInnerHTML={{ __html: userInput }}` without `DOMPurify.sanitize()` first\n- [ ] `href` and `src` attributes not set from unvalidated user input — `javascript:` URLs execute scripts\n- [ ] No `eval()`, `new Function()`, or `setTimeout(string)` with user-controlled strings\n- [ ] Links from user input validate scheme (`https://` or `http://` only) by parsing the value with `new URL()` and checking `protocol`, not by string prefix, since `javascript:` can be disguised with leading whitespace or mixed case\n\n### R2. Inertia.js Data Exposure (Critical)\n\n- [ ] `HandleInertiaRequests::share()` does NOT expose passwords, tokens, or internal-only flags\n- [ ] Controllers use `->only([...])` or API Resources — not raw model `toArray()`\n- [ ] All Inertia props are treated as public — visible in `data-page` HTML attribute on initial load\n- [ ] Payment secret keys and admin-only credentials are never passed as Inertia props\n- [ ] Inertia v2 History Encryption enabled for pages with sensitive data, and history cleared on logout so cached pages cannot be read after sign-out\n\n### R3. 
CSRF in Inertia.js\n\n- [ ] Inertia `X-XSRF-TOKEN` header not disabled\n- [ ] Custom `fetch` or `axios` calls include CSRF token manually if bypassing Inertia's router\n- [ ] Webhook/callback routes are the ONLY CSRF-excluded routes\n\n### R4. Authentication State in React\n\n- [ ] `auth.user` Inertia prop excludes password hash, remember tokens, and 2FA secrets\n- [ ] Role/permission checks enforced server-side — React checks are UI-only\n- [ ] `auth.user` contains only fields the UI actually needs\n\n### R5. Sensitive Data in Browser\n\n- [ ] No API keys or secrets hardcoded in React components or TypeScript files\n- [ ] No sensitive data in `localStorage` or `sessionStorage` — use HttpOnly cookies\n- [ ] `VITE_*` env vars contain no secrets — they are public by design\n\n### R6. Dependency Security\n\n- [ ] `npm audit` passes with no high/critical CVEs in React or Inertia packages\n- [ ] React is on a supported version\n- [ ] Third-party component libraries reviewed for known CVEs\n\n---\n\n## Output Format\n\nStructure the audit report as:\n\n```\n## Laravel OWASP Security Audit Report\n\n> React + Inertia.js detected — Laravel OWASP checklist AND React/Inertia security checks will both be applied.\n\n### 1. Broken Access Control (A01:2021)\n- **PASS** `app/Http/Middleware/RoleMiddleware.php` — role middleware applied to all route groups\n- **FAIL** `app/Http/Controllers/PaymentController.php:42` — Payment model fetched without ownership check (direct object reference exposure). Fix: scope the query to the authenticated user.\n\n[Continue for all 10 OWASP checks + Additional Checks + R1–R6 React/Inertia checks]\n\n---\n\n## Summary\n\n### Critical Issues (fix immediately)\n1. ...\n\n### Warnings (fix soon)\n1. 
...\n\n### Passed\nX checks passed.\n\n### Recommended Commands\ncomposer audit\nnpm audit\n```\n\n---\n\n## When to Apply for Guidance\n\nReference the rule files when:\n- Implementing authentication or password handling\n- Building payment or webhook integrations\n- Writing file upload or download logic\n- Designing admin or role-based access control\n- Building API endpoints with user-supplied input\n- Using `dangerouslySetInnerHTML` in React components\n- Passing data from Laravel controllers to Inertia props\n\n## Rule Categories by Priority\n\n| Priority | Category | Impact | Rule File |\n|----------|----------|--------|-----------|\n| 1 | Broken Access Control | CRITICAL | `sec-broken-access-control` |\n| 2 | Cryptographic Failures | CRITICAL | `sec-cryptographic-failures` |\n| 3 | Injection Prevention | CRITICAL | `sec-injection-prevention` |\n| 4 | XSS & React/Inertia | HIGH | `sec-xss-react-inertia` |\n| 5 | CSRF Protection | HIGH | `sec-csrf-protection` |\n| 6 | Security Misconfiguration | HIGH | `sec-security-misconfiguration` |\n| 7 | Authentication & Rate Limiting | HIGH | `sec-authentication-rate-limiting` |\n| 8 | Inertia Data Exposure | HIGH | `sec-inertia-data-exposure` |\n\n## Quick Reference\n\n### 1. Broken Access Control (CRITICAL)\n- `sec-broken-access-control` — Middleware, ownership checks, policies, scoped queries\n\n### 2. Cryptographic Failures (CRITICAL)\n- `sec-cryptographic-failures` — Password hashing, encrypted casts, signed URLs\n\n### 3. Injection Prevention (CRITICAL)\n- `sec-injection-prevention` — SQL injection, mass assignment, raw query bindings\n\n### 4. XSS & React/Inertia (HIGH)\n- `sec-xss-react-inertia` — dangerouslySetInnerHTML, DOMPurify, href/src validation\n\n### 5. CSRF Protection (HIGH)\n- `sec-csrf-protection` — VerifyCsrfToken, webhook exclusions, Inertia CSRF\n\n### 6. Security Misconfiguration (HIGH)\n- `sec-security-misconfiguration` — APP_DEBUG, APP_KEY, security headers, CORS\n\n### 7. 
Authentication & Rate Limiting (HIGH)\n- `sec-authentication-rate-limiting` — Throttle, session regeneration, brute force prevention\n\n### 8. Inertia Data Exposure (HIGH)\n- `sec-inertia-data-exposure` — data-page attribute exposure, secret props, API Resources\n\n## How to Use\n\nRead individual rule files for detailed explanations and code examples:\n\n```\nrules/sec-broken-access-control.md\nrules/sec-cryptographic-failures.md\nrules/sec-injection-prevention.md\nrules/sec-xss-react-inertia.md\nrules/sec-csrf-protection.md\nrules/sec-security-misconfiguration.md\nrules/sec-authentication-rate-limiting.md\nrules/sec-inertia-data-exposure.md\n```\n\nEach rule file contains:\n- YAML frontmatter with metadata (title, impact, tags)\n- Why it matters in Laravel/React context\n- Incorrect code example with explanation\n- Correct code example with fix\n- Laravel 13 and PHP 8.3+ specific context\n\n## Full Compiled Document\n\nFor the complete guide with all rules expanded: `AGENTS.md`","tags":["laravel","owasp","security","agent","skills","asyrafhussin","agent-rules","agent-skills","ai-agents","ai-slop","claude-code","code-quality"],"capabilities":["skill","source-asyrafhussin","skill-laravel-owasp-security","topic-agent-rules","topic-agent-skills","topic-ai-agents","topic-ai-slop","topic-claude-code","topic-code-quality","topic-code-review","topic-codex","topic-cursor","topic-laravel","topic-nodejs","topic-react"],"categories":["agent-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/AsyrafHussin/agent-skills/laravel-owasp-security","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add AsyrafHussin/agent-skills","source_repo":"https://github.com/AsyrafHussin/agent-skills","install_from":"skills.sh"}},"qualityScore":"0.469","qualityRationale":"deterministic score 0.47 from registry signals: · indexed on github topic:agent-skills · 39 github stars · SKILL.md body (12,456 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T18:58:24.763Z","embedding":null,"createdAt":"2026-05-16T18:57:14.513Z","updatedAt":"2026-05-18T18:58:24.763Z","lastSeenAt":"2026-05-18T18:58:24.763Z","prices":[{"id":"e2bfdcf8-bfa1-4980-b86c-2777d95ffa70","listingId":"6d36d0c4-ee2f-41ba-a89d-cdc08211acf6","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"AsyrafHussin","category":"agent-skills","install_from":"skills.sh"},"createdAt":"2026-05-16T18:57:14.513Z"}],"sources":[{"listingId":"6d36d0c4-ee2f-41ba-a89d-cdc08211acf6","source":"github","sourceId":"AsyrafHussin/agent-skills/laravel-owasp-security","sourceUrl":"https://github.com/AsyrafHussin/agent-skills/tree/main/skills/laravel-owasp-security","isPrimary":false,"firstSeenAt":"2026-05-16T18:57:14.513Z","lastSeenAt":"2026-05-18T18:58:24.763Z"}],"details":{"listingId":"6d36d0c4-ee2f-41ba-a89d-cdc08211acf6","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"AsyrafHussin","slug":"laravel-owasp-security","github":{"repo":"AsyrafHussin/agent-skills","stars":39,"topics":["agent-rules","agent-skills","ai-agents","ai-slop","claude-code","code-quality","code-review","codex","cursor","laravel","nodejs","react","technical-debt","typescript","windsurf"],"license":"mit","html_url":"https://github.com/AsyrafHussin/agent-skills","pushed_at":"2026-05-16T19:24:02Z","description":"Agent skills for AI coding agents (Claude Code, Cursor, Codex, Windsurf) — Laravel, React, TypeScript, MySQL, code quality, technical debt, documentation, and security.","skill_md_sha":"3d2bc69b913666e6cb00f3fd939c9155be99d421","skill_md_path":"skills/laravel-owasp-security/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/AsyrafHussin/agent-skills/tree/main/skills/laravel-owasp-security"},"layout":"multi","source":"github","category":"agent-skills","frontmatter":{"name":"laravel-owasp-security","license":"MIT","description":"OWASP Top 10 security audit and 
secure coding guidelines for Laravel + React/Inertia.js applications. Use when auditing for vulnerabilities (\"run OWASP audit\", \"security review\", \"check my app security\") or writing secure Laravel code involving auth, payments, file uploads, or API design. Triggers on security-related tasks, payment handling, authentication, or any request to audit a Laravel codebase."},"skills_sh_url":"https://skills.sh/AsyrafHussin/agent-skills/laravel-owasp-security"},"updatedAt":"2026-05-18T18:58:24.763Z"}}