mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-03-30 21:53:28 +08:00
* feat(rules): add C# language support
* feat: add everything-claude-code ECC bundle (#705)
* feat: add everything-claude-code ECC bundle (.claude/ecc-tools.json)
* feat: add everything-claude-code ECC bundle (.claude/skills/everything-claude-code/SKILL.md)
* feat: add everything-claude-code ECC bundle (.agents/skills/everything-claude-code/SKILL.md)
* feat: add everything-claude-code ECC bundle (.agents/skills/everything-claude-code/agents/openai.yaml)
* feat: add everything-claude-code ECC bundle (.claude/identity.json)
* feat: add everything-claude-code ECC bundle (.codex/agents/explorer.toml)
* feat: add everything-claude-code ECC bundle (.codex/agents/reviewer.toml)
* feat: add everything-claude-code ECC bundle (.codex/agents/docs-researcher.toml)
* feat: add everything-claude-code ECC bundle (.claude/rules/everything-claude-code-guardrails.md)
* feat: add everything-claude-code ECC bundle (.claude/research/everything-claude-code-research-playbook.md)
* feat: add everything-claude-code ECC bundle (.claude/team/everything-claude-code-team-config.json)
* feat: add everything-claude-code ECC bundle (.claude/enterprise/controls.md)
* feat: add everything-claude-code ECC bundle (.claude/commands/database-migration.md)
* feat: add everything-claude-code ECC bundle (.claude/commands/feature-development.md)
* feat: add everything-claude-code ECC bundle (.claude/commands/add-language-rules.md)
---------
Co-authored-by: ecc-tools[bot] <257055122+ecc-tools[bot]@users.noreply.github.com>
* ci: retrigger
---------
Co-authored-by: ecc-tools[bot] <257055122+ecc-tools[bot]@users.noreply.github.com>
59 lines
1.7 KiB
Markdown
---
paths:
  - "**/*.cs"
  - "**/*.csx"
  - "**/*.csproj"
  - "**/appsettings*.json"
---

# C# Security

> This file extends [common/security.md](../common/security.md) with C#-specific content.

## Secret Management

- Never hardcode API keys, tokens, or connection strings in source code; a string constant ends up in the compiled assembly and in git history
- Use environment variables, `dotnet user-secrets` for local development, and a secret manager (for example Azure Key Vault or HashiCorp Vault) in production
- Keep `appsettings.*.json` free of real credentials; those files are committed and ship with the application
- Fail fast at startup when a required secret is missing, not on the first request that needs it

```csharp
// BAD: the key is compiled into the assembly and committed with the source
const string ApiKey = "sk-live-123";

// GOOD: read it from the configuration chain (appsettings -> user secrets -> environment -> secret manager)
// and refuse to start if it is absent
var apiKey = builder.Configuration["OpenAI:ApiKey"]
    ?? throw new InvalidOperationException("OpenAI:ApiKey is not configured.");
```
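The same idea carried through to a typed options class that is validated when the host starts. This is an added example, not code from the everything-claude-code repository; it assumes .NET 8 / ASP.NET Core with the SDK's implicit usings, and the `OpenAI` section, `OpenAiOptions` class and `/health/config` route are illustrative names.

```csharp
// Added example (not from the original file). Assumes .NET 8 / ASP.NET Core with
// implicit usings; the "OpenAI" section and OpenAiOptions type are illustrative.
using System.ComponentModel.DataAnnotations;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// Sources registered by CreateBuilder, later ones win: appsettings.json,
// appsettings.{Environment}.json, user secrets (Development only, after
// `dotnet user-secrets init`), then environment variables. So
// `dotnet user-secrets set OpenAI:ApiKey <value>` works on a laptop and the
// environment variable OpenAI__ApiKey (double underscore = section separator)
// wins inside a container. A production secret manager is added to the same
// chain, e.g. builder.Configuration.AddAzureKeyVault(...) from
// Azure.Extensions.AspNetCore.Configuration.Secrets (assumed package, not shown).

builder.Services
    .AddOptions<OpenAiOptions>()
    .Bind(builder.Configuration.GetSection(OpenAiOptions.SectionName))
    .ValidateDataAnnotations()
    // A missing or empty secret fails host startup instead of the first request.
    .ValidateOnStart();

var app = builder.Build();

// Reports presence only; the secret value itself is never returned or logged.
app.MapGet("/health/config", (IOptions<OpenAiOptions> opts) =>
    Results.Ok(new { openAiConfigured = !string.IsNullOrEmpty(opts.Value.ApiKey) }));

app.Run();

public sealed class OpenAiOptions
{
    public const string SectionName = "OpenAI";

    [Required(AllowEmptyStrings = false)]
    public string ApiKey { get; init; } = "";

    [Url]
    public string BaseUrl { get; init; } = "https://api.openai.com/";
}
```

`ValidateOnStart()` is what turns a forgotten secret into a deployment failure rather than a 500 at 3 a.m.; without it, options validation runs lazily on first resolution of `IOptions<T>`.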

## SQL Injection Prevention

- Always use parameterized queries with ADO.NET, Dapper, or EF Core (with EF Core, `FromSqlInterpolated` or `FromSql`, never `FromSqlRaw` fed a concatenated string)
- Never concatenate or string-interpolate user input into SQL text
- Parameters cannot stand in for identifiers, so validate sort fields, column names, and filter operators against an allow-list before composing dynamic SQL

```csharp
// Dapper: @customerId is sent as a parameter, so the value never becomes part of the SQL text
const string sql = "SELECT * FROM Orders WHERE CustomerId = @customerId";

await connection.QueryAsync<Order>(sql, new { customerId });
```
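The third bullet is where parameterization alone does not help: an `ORDER BY` column or a paging clause is an identifier, not a value. The following is an added example, not code from the repository; it assumes Dapper over a SQL Server connection (the `OFFSET ... FETCH` paging syntax), and the `Orders` table, `Order` record and `OrderQueries` class are illustrative.

```csharp
// Added example (not from the original file). Assumes Dapper and a SQL Server
// IDbConnection; the Orders table and column names are illustrative.
using System;
using System.Collections.Generic;
using System.Data;
using System.Threading.Tasks;
using Dapper;

public sealed record Order(int Id, int CustomerId, decimal Total, DateTime CreatedAt);

public static class OrderQueries
{
    // BAD: both the value and the sort column are interpolated into the statement.
    // sort = "Total; DROP TABLE Orders--" is executed as written.
    public static Task<IEnumerable<Order>> ListUnsafeAsync(IDbConnection db, int customerId, string sort) =>
        db.QueryAsync<Order>(
            $"SELECT Id, CustomerId, Total, CreatedAt FROM Orders WHERE CustomerId = {customerId} ORDER BY {sort}");

    // Identifiers cannot be parameters, so the caller's sort key is mapped to a
    // known column through an allow-list; anything else is rejected outright.
    private static readonly Dictionary<string, string> SortColumns =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["created"] = "CreatedAt",
            ["total"]   = "Total",
        };

    // GOOD: values travel as parameters; the only interpolated pieces are
    // strings this method chose itself.
    public static Task<IEnumerable<Order>> ListAsync(
        IDbConnection db, int customerId, string? sort, bool descending, int page, int pageSize)
    {
        if (!SortColumns.TryGetValue(sort ?? "created", out var column))
            throw new ArgumentException("Unsupported sort field.", nameof(sort));
        if (page < 0)
            throw new ArgumentOutOfRangeException(nameof(page));
        if (pageSize is < 1 or > 200)
            throw new ArgumentOutOfRangeException(nameof(pageSize));

        var direction = descending ? "DESC" : "ASC";
        var sql = $"""
            SELECT Id, CustomerId, Total, CreatedAt
            FROM Orders
            WHERE CustomerId = @customerId
            ORDER BY {column} {direction}
            OFFSET @offset ROWS FETCH NEXT @pageSize ROWS ONLY
            """;

        return db.QueryAsync<Order>(sql, new { customerId, offset = page * pageSize, pageSize });
    }
}
```

The allow-list also keeps the exposed API surface decoupled from the schema: the client asks for `total`, the query uses `Total`, and renaming a column later does not change the contract.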

## Input Validation

- Validate DTOs at the application boundary (controller action, minimal API endpoint, message handler), not deep inside domain services
- Use data annotations, FluentValidation, or explicit guard clauses; `[ApiController]` controllers reject invalid model state automatically, minimal APIs before .NET 10 need an endpoint filter or an explicit check
- Reject invalid model state before running business logic and answer with `400` and a `ValidationProblemDetails` body rather than a partial result

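One way to do this for a minimal API, where data annotations are not evaluated for you. This is an added example, not code from the repository; it assumes .NET 8 with implicit usings, and the `CreateOrderRequest` DTO, `ValidationFilter<T>` class and `/orders` route are illustrative names.

```csharp
// Added example (not from the original file). Assumes .NET 8 / ASP.NET Core
// minimal APIs with implicit usings; DTO and route names are illustrative.
using System.ComponentModel.DataAnnotations;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// The handler only ever sees a request that passed the filter.
app.MapPost("/orders", (CreateOrderRequest req) =>
        Results.Created($"/orders/{Guid.NewGuid()}", req))
   .AddEndpointFilter<ValidationFilter<CreateOrderRequest>>();

app.Run();

// Constraints live on the DTO, next to the field they protect.
public sealed record CreateOrderRequest(
    [property: Required, StringLength(64, MinimumLength = 1)] string Sku,
    [property: Range(1, 100)] int Quantity,
    [property: EmailAddress] string? NotifyEmail);

// Endpoint filter: runs data-annotation validation at the boundary and
// short-circuits with 400 + ValidationProblemDetails before business logic.
public sealed class ValidationFilter<T> : IEndpointFilter where T : class
{
    public async ValueTask<object?> InvokeAsync(
        EndpointFilterInvocationContext ctx, EndpointFilterDelegate next)
    {
        // Explicit guard clause: a missing or wrongly typed body is rejected here.
        var dto = ctx.Arguments.OfType<T>().FirstOrDefault();
        if (dto is null)
            return Results.BadRequest("Request body is required.");

        var results = new List<ValidationResult>();
        var valid = Validator.TryValidateObject(
            dto, new ValidationContext(dto), results, validateAllProperties: true);

        if (!valid)
        {
            // Group messages per member so the client gets field-level feedback.
            var errors = results
                .SelectMany(r => r.MemberNames.DefaultIfEmpty(""),
                            (r, member) => (member, message: r.ErrorMessage ?? "Invalid value."))
                .GroupBy(x => x.member)
                .ToDictionary(g => g.Key, g => g.Select(x => x.message).ToArray());

            return Results.ValidationProblem(errors);
        }

        return await next(ctx);
    }
}
```

`validateAllProperties: true` matters: the default `TryValidateObject` overload only checks `[Required]`, so `[Range]` and `[EmailAddress]` would be silently skipped without it.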
## Authentication and Authorization

- Prefer framework auth handlers (`AddJwtBearer`, `AddCookie`, `AddOpenIdConnect`) instead of custom token parsing; the handler validates signature, issuer, audience, and lifetime for you
- Enforce authorization policies at endpoint or handler boundaries (`[Authorize(Policy = ...)]`, `RequireAuthorization(...)`) and set a fallback policy so endpoints without an explicit policy deny by default
- Never log raw tokens, passwords, or PII; log a stable subject identifier and the request trace ID instead

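The three bullets together in a `Program.cs`. This is an added example, not code from the repository; it assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` package on .NET 8, and the `Auth:Authority` / `Auth:Audience` configuration keys, policy names, `scope` claim format (space-separated, as OAuth 2 issuers commonly emit it) and routes are illustrative.

```csharp
// Added example (not from the original file). Assumes .NET 8 with the
// Microsoft.AspNetCore.Authentication.JwtBearer package and implicit usings;
// configuration keys, policy names and routes are illustrative.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Framework handler: signature, issuer, audience and lifetime are validated
// against the issuer's published keys. No hand-written token parsing.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = builder.Configuration["Auth:Authority"];
        options.Audience  = builder.Configuration["Auth:Audience"];
        // Keep JWT claim names ("sub", "scope") as-is instead of mapping them
        // to the legacy SOAP-style ClaimTypes URIs.
        options.MapInboundClaims = false;
        options.TokenValidationParameters.ValidateIssuer   = true;
        options.TokenValidationParameters.ValidateAudience = true;
        options.TokenValidationParameters.ValidateLifetime = true;
        options.TokenValidationParameters.ClockSkew        = TimeSpan.FromMinutes(1);
    });

builder.Services.AddAuthorization(options =>
{
    // "scope" is usually one space-separated string, so RequireClaim("scope", "orders.read")
    // would only match a token whose entire scope is exactly that value.
    options.AddPolicy("OrdersRead", p => p.RequireAuthenticatedUser()
        .RequireAssertion(ctx => HasScope(ctx.User, "orders.read")));
    options.AddPolicy("OrdersWrite", p => p.RequireAuthenticatedUser()
        .RequireAssertion(ctx => HasScope(ctx.User, "orders.write")));
    // Deny by default: an endpoint nobody remembered to attribute still
    // requires an authenticated user.
    options.FallbackPolicy = options.DefaultPolicy;
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/orders", (ClaimsPrincipal user, ILogger<Program> log) =>
{
    // Stable identifier and nothing else: no bearer token, no e-mail, no name.
    log.LogInformation("Orders listed by subject {Subject}", user.FindFirst("sub")?.Value);
    return Results.Ok(Array.Empty<object>());
}).RequireAuthorization("OrdersRead");

app.MapDelete("/orders/{id:int}", (int id) => Results.NoContent())
   .RequireAuthorization("OrdersWrite");

// Explicit opt-out is the only way past the fallback policy.
app.MapGet("/health", () => Results.Ok()).AllowAnonymous();

app.Run();

static bool HasScope(ClaimsPrincipal user, string scope) =>
    user.FindFirst("scope")?.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries).Contains(scope) == true;
```

Two details a review would check: `MapInboundClaims = false` (otherwise `sub` is renamed to `ClaimTypes.NameIdentifier` and `FindFirst("sub")` returns null), and that `UseAuthentication()` precedes `UseAuthorization()` in the pipeline.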
## Error Handling

- Return safe client-facing messages (`ProblemDetails` with a generic title, the status code, and a trace ID the client can quote back)
- Log detailed exceptions with structured context server-side (`ILogger` with the exception object and named properties, not string concatenation)
- Do not expose stack traces, SQL text, or filesystem paths in API responses; the developer exception page belongs only in the Development environment

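A global handler that implements all three bullets. This is an added example, not code from the repository; it assumes .NET 8 (`IExceptionHandler` was introduced there) with implicit usings, and the `SafeExceptionHandler` class and `/orders/{id}` route are illustrative. The thrown exception message is constructed to contain exactly the kind of content (SQL text, a UNC path) that must not reach the client.

```csharp
// Added example (not from the original file). Assumes .NET 8 / ASP.NET Core
// with implicit usings; the handler class and route are illustrative.
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddProblemDetails();
builder.Services.AddExceptionHandler<SafeExceptionHandler>();

var app = builder.Build();
// Unhandled exceptions are routed to SafeExceptionHandler; no developer
// exception page is registered, so nothing leaks even in Development.
app.UseExceptionHandler();

app.MapGet("/orders/{id:int}", (int id) =>
{
    // Constructed failure: the message deliberately carries SQL text and a path.
    if (id == 42)
        throw new InvalidOperationException(
            "Timeout running SELECT * FROM Orders WHERE Id = 42 against \\\\db01\\data\\orders.mdf");
    return Results.Ok(new { id });
});

app.Run();

public sealed class SafeExceptionHandler(ILogger<SafeExceptionHandler> logger) : IExceptionHandler
{
    public async ValueTask<bool> TryHandleAsync(HttpContext http, Exception ex, CancellationToken ct)
    {
        // Ties the client-visible response to the server-side log entry.
        var traceId = http.TraceIdentifier;

        // Full exception (message, stack trace, inner exceptions) goes to the
        // structured log only, with named properties rather than concatenation.
        logger.LogError(ex, "Unhandled exception {TraceId} {Method} {Path}",
            traceId, http.Request.Method, http.Request.Path);

        // Map exception type to status and a fixed, generic title.
        var (status, title) = ex switch
        {
            ArgumentException or FormatException => (StatusCodes.Status400BadRequest, "Invalid request."),
            UnauthorizedAccessException          => (StatusCodes.Status403Forbidden, "Forbidden."),
            _                                    => (StatusCodes.Status500InternalServerError, "An unexpected error occurred.")
        };

        http.Response.StatusCode = status;
        // ex.Message is intentionally not copied into the response.
        await http.Response.WriteAsJsonAsync(new ProblemDetails
        {
            Status = status,
            Title = title,
            Extensions = { ["traceId"] = traceId }
        }, ct);

        return true;   // handled; the pipeline will not fall through to the default page
    }
}
```

`GET /orders/42` returns a 500 whose body is `{"status":500,"title":"An unexpected error occurred.","traceId":"..."}`; the SQL text and the path appear only in the log line tagged with the same trace ID.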
## References

See skill: `security-review` for broader application security review checklists.