Security Hardening Command
Security-first development workflow with threat modeling, attack surface analysis, and vulnerability remediation. Systematically hardens your application against common attack vectors with actionable fixes and security configuration templates.
Command
/harden
Description
Performs systematic security hardening of your application. Starts with threat modeling to identify attack surfaces, then applies concrete security fixes across authentication, authorization, input handling, data protection, and infrastructure configuration.
Behavior
Arguments
$ARGUMENTS-- Focus area (e.g., "authentication", "api", "database"). If empty, performs a full-scope analysis.
Hardening Phases
Phase 1: Threat Model
- Identify assets (user data, API keys, financial data)
- Map trust boundaries (client/server, internal/external, user roles)
- List attack vectors per STRIDE model:
- Spoofing: Can an attacker impersonate a user?
- Tampering: Can data be modified in transit?
- Repudiation: Can actions be denied/untraced?
- Information Disclosure: Can sensitive data leak?
- Denial of Service: Can the service be overwhelmed?
- Elevation of Privilege: Can a user gain unauthorized access?
Phase 2: Hardening Checklist
Authentication
// Password hashing (use bcrypt with cost factor 12+) import bcrypt from 'bcrypt'; const SALT_ROUNDS = 12; const hash = await bcrypt.hash(password, SALT_ROUNDS); // Session configuration app.use(session({ secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: false, cookie: { httpOnly: true, secure: true, sameSite: 'strict', maxAge: 24 * 60 * 60 * 1000 // 24 hours } }));
HTTP Security Headers
// Helmet.js configuration import helmet from 'helmet'; app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"], imgSrc: ["'self'", "data:", "https:"], } }, hsts: { maxAge: 31536000, includeSubDomains: true, preload: true } }));
Rate Limiting
import rateLimit from 'express-rate-limit'; const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 5, // 5 attempts message: 'Too many login attempts. Please try again later.' }); app.use('/api/auth/login', authLimiter);
Input Validation
import { z } from 'zod'; const UserInput = z.object({ email: z.string().email().max(255), name: z.string().min(1).max(100).regex(/^[a-zA-Z\s]+$/), age: z.number().int().min(13).max(150) }); // Validate: UserInput.parse(req.body)
Phase 3: Implementation
Apply each fix, run tests, and verify the hardening works.
Output Format
## Security Hardening Report ### Threat Model | Asset | Threat | Severity | Mitigation | |-------|--------|----------|------------| | User passwords | Brute force | High | Rate limiting + bcrypt | | API endpoints | Injection | Critical | Input validation + parameterized queries | | Session tokens | Theft | High | HttpOnly + Secure + SameSite cookies | ### Changes Applied 1. Added helmet.js with strict CSP 2. Implemented rate limiting on auth endpoints 3. Added Zod validation on all user inputs 4. Configured secure session cookies 5. Added CORS allowlist ### Remaining Recommendations - Enable MFA for admin accounts - Set up security event logging - Schedule dependency audits (weekly)
Examples
# Full security hardening /harden # Focus on authentication /harden authentication and session management # Focus on API security /harden api endpoints and input validation
Reviews
No reviews yet. Be the first to review this template!
Similar Templates
Git Commit Message Generator
Generates well-structured conventional commit messages by analyzing staged changes. Follows Conventional Commits spec with scope detection.
React Component Scaffolder
Scaffolds a complete React component with TypeScript types, Tailwind styles, Storybook stories, and unit tests. Follows project conventions automatically.
CI/CD Pipeline Generator
Generates GitHub Actions workflows for CI/CD including linting, testing, building, and deploying. Detects project stack automatically.