security (6 lessons)

Building a Codebase Review Skill

A structured review skill turns the ad-hoc "look at this code and tell me what's wrong" request into a repeatable, evidence-based audit that produces the same quality of findings regardless of who runs it or when. The skill's value comes from its taxonomy of problem categories (derived from real iss...

Certification 2026-05-13 security

Content Security Policy for Static Sites

A Content Security Policy (CSP) is achievable on a static site without server-side headers by using a `<meta>` tag. The challenge is crafting a policy that's strict enough to block XSS but permissive enough to allow legitimate functionality — especially ES module imports from CDNs and inline styles...

Certification 2026-05-13 security

XML Entity Encoding Pitfalls

XML entity encoding bugs (`Q&A` vs `Q&amp;A`) are the most common class of data corruption in XML content pipelines. They're invisible in many editors, they pass casual visual inspection, and they cause parse failures that manifest as "the file won't load" with no useful error message. Any pipeline...

Certification 2026-05-13 security

XSS in Trusted-Data Applications

Using `innerHTML` to render content from "your own" data files (XML, JSON, markdown) is an XSS vulnerability even when the data is self-authored today. The threat model changes when the data pipeline changes: content contributions, bulk imports from external sources, or AI-generated content can all...

Certification 2026-05-13 security