Authorization

Authorization taxonomy generated by the site skill importer.

10 skills
springboot-security

by affaan-m

springboot-security is a practical Spring Boot security guide for authentication, authorization, validation, CSRF/CORS, secrets, headers, rate limiting, and dependency checks. Use the springboot-security skill for Security Audit work or to harden a Java service with fewer security misconfiguration risks.

Security Audit
Favorites 0 | GitHub 156.3k
exploiting-jwt-algorithm-confusion-attack

by mukul975

The exploiting-jwt-algorithm-confusion-attack skill helps Security Audit workflows test JWT algorithm confusion, including RS256-to-HS256 downgrades, alg:none bypasses, and kid/jku/x5u header tricks. It is backed by a practical guide, reference examples, and a script for repeatable validation.

Security Audit
Favorites 0 | GitHub 6.2k
exploiting-idor-vulnerabilities

by mukul975

exploiting-idor-vulnerabilities helps authorized security audits test Insecure Direct Object Reference flaws across APIs, web apps, and multi-tenant systems with cross-session checks, object mapping, and read/write verification.

Security Audit
Favorites 0 | GitHub 6.2k
oauth

by mcollina

oauth helps you implement and troubleshoot OAuth 2.0/2.1 in Fastify apps for login, access tokens, PKCE, refresh tokens, and route protection. Use it as an oauth guide for backend development when you need practical oauth usage, install steps, and help resolving redirect URI, scope, CSRF, or token validation issues.

Backend Development
Favorites 0 | GitHub 0
exploiting-broken-function-level-authorization

by mukul975

The exploiting-broken-function-level-authorization skill helps security auditors test APIs for Broken Function Level Authorization (BFLA). It focuses on discovering privileged endpoints, checking low-privilege access, and validating method or path bypasses with practical, evidence-based workflow guidance.

Security Audit
Favorites 0 | GitHub 0
detecting-api-enumeration-attacks

by mukul975

detecting-api-enumeration-attacks helps Security Audit teams detect API probing, BOLA, and IDOR by analyzing sequential IDs, 404 bursts, authorization failures, and docs discovery paths. It is built for log-driven detection guidance, rule drafting, and practical review of API abuse patterns.

Security Audit
Favorites 0 | GitHub 0
configuring-oauth2-authorization-flow

by mukul975

The configuring-oauth2-authorization-flow skill helps you design and validate OAuth 2.0 authorization setups for Access Control, with Authorization Code + PKCE, Client Credentials, and Device Authorization Grant. Use this configuring-oauth2-authorization-flow guide to choose grants, set redirect URIs, review scopes, and align with OAuth 2.1 best practices.

Access Control
Favorites 0 | GitHub 0
building-role-mining-for-rbac-optimization

by mukul975

building-role-mining-for-rbac-optimization is a cybersecurity skill for analyzing user-permission data, reducing role explosion, and building cleaner RBAC roles with bottom-up and top-down role mining for Access Control. Use it to compare candidate roles, validate least-privilege outcomes, and turn raw assignments into an actionable role plan.

Access Control
Favorites 0 | GitHub 0
building-identity-governance-lifecycle-process

by mukul975

building-identity-governance-lifecycle-process helps design identity governance and lifecycle management for joiner-mover-leaver automation, access reviews, role-based provisioning, and orphaned account cleanup. It fits cross-system Access Control programs that need practical workflow guidance, not a generic policy draft.

Access Control
Favorites 0 | GitHub 0
security

by alinaqi

security skill for OWASP patterns, secrets management, and security testing. Use it to review auth, user input, API keys, env vars, and repo hygiene, especially for Security Audit work.

Security Audit
Favorites 0 | GitHub 0