SKILL

Security Checklist

Reference document for monopoly security-checklist.

Published by @sickn33 and contributors·from sickn33/antigravity-awesome-skills·0 agent reads / 30d·0 saves·

MONOPOLY — Security Hardening Checklist

Network Security

  • All services inside private VPC; only LB/API GW exposed publicly
  • Security groups follow least-privilege (deny all, allow specific ports/CIDRs)
  • NACLs as secondary defense layer
  • WAF enabled with OWASP top 10 ruleset
  • DDoS protection (Cloudflare / AWS Shield Standard minimum)
  • VPN or Private Link for inter-service communication in multi-region

Authentication & Authorization

  • JWT tokens with short expiry (15 min access, 7 day refresh)
  • OAuth 2.0 / OIDC for third-party auth
  • MFA enforced for admin accounts
  • RBAC or ABAC for authorization
  • No secrets in JWT payload (use opaque references)
  • Token revocation strategy (Redis blocklist or short TTL)

API Security

  • Rate limiting at API gateway (per user, per IP, per endpoint)
  • Input validation and sanitization on all endpoints
  • SQL injection prevention (parameterized queries, ORM)
  • XSS prevention (output encoding, CSP headers)
  • CSRF protection (SameSite cookies, CSRF tokens)
  • CORS policy locked down (not wildcard *)
  • HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options)

Data Security

  • Encryption in transit (TLS 1.2+ everywhere, TLS 1.3 preferred)
  • Encryption at rest (AES-256 for DBs, S3 SSE)
  • PII data identified, minimized, and encrypted at field level where needed
  • Database backups encrypted
  • No sensitive data in logs (PII, passwords, tokens, card numbers)

Secrets Management

  • No secrets in code or environment variables in plain text
  • Secrets manager in use (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager)
  • Secrets rotation automated
  • IAM roles for service-to-service auth (not static credentials)

Supply Chain & Dependencies

  • Dependency scanning (Snyk, Dependabot, npm audit)
  • Container image scanning (Trivy, ECR scanning)
  • Pin dependency versions in production
  • SBOM (Software Bill of Materials) generated for compliance

Incident Response

  • Audit logs for all admin actions and data access
  • Alerting on anomalous access patterns
  • Incident response runbook documented
  • Data breach notification process defined (GDPR 72-hour rule)
  • Regular penetration testing scheduled

Compliance (as applicable)

  • GDPR: data residency, right to deletion, consent tracking
  • PCI-DSS: if handling card data — never store raw PANs
  • HIPAA: if health data — encryption, audit logs, BAA with vendors
  • SOC 2 Type II: access control, availability, confidentiality evidence

Limitations

  • This is a reference document and may not cover all edge cases. Always verify architectures before production.

Bundled with this artifact

2 files

Reference files that ship alongside this artifact. Agents pull these in only when the task needs them.

More on the bench

SKILL0

Zustand Store Ts

Create Zustand stores following established patterns with proper TypeScript types and middleware.

sickn33 and contributors
ai-prompt-engineering+3
0
SKILL0

Zoom Automation

Automate Zoom meeting creation, management, recordings, webinars, and participant tracking via Rube MCP (Composio). Always search tools first for current schemas.

sickn33 and contributors
ai-prompt-engineering+3
0
SKILL0

Zoho Crm Automation

Automate Zoho CRM tasks via Rube MCP (Composio): create/update records, search contacts, manage leads, and convert leads. Always search tools first for current schemas.

sickn33 and contributors
ai-prompt-engineering+3
0