Skill

Harden production systems with security checklist

Comprehensive security hardening checklist covering network, auth, API, data, secrets, supply chain, and compliance controls.

Works with Cloudflare, AWS, Redis, Vault, Snyk

Spark score: 56 out of 100
Updated 2 days ago
Version 13.1.0

Why it matters

Systematically secure cloud infrastructure and applications by validating network isolation, authentication controls, API protections, encryption, secrets management, and compliance requirements before production deployment.

Outcomes

What it gets done

01. Lock down network perimeter with VPC isolation, security groups, WAF rules, and DDoS protection

02. Enforce authentication best practices including JWT expiry, MFA, RBAC, and token revocation

03. Protect APIs from injection, XSS, CSRF attacks with rate limiting and input validation

04. Encrypt data in transit and at rest while managing secrets through automated rotation

Install

Add it to your toolbox

Run in your project directory:

curl -fsSL https://spark.entire.vc/get/ag-security-checklist | bash

Capabilities

What this skill does

Audit access

Reviews permissions and logs to flag unauthorized activity.

Manage secrets

Stores, rotates, and injects API keys and credentials.

Scan for vulnerabilities

Scans code or infrastructure for security vulnerabilities.

Review code

Analyzes code for bugs, style issues, and improvements.

Overview

MONOPOLY - Security Hardening Checklist

What it does

A production-ready security hardening checklist organized into eight domains: network security (VPC, security groups, WAF, DDoS protection), authentication and authorization (JWT, OAuth 2.0, MFA, RBAC), API security (rate limiting, input validation, injection prevention, security headers), data security (TLS 1.2+, AES-256 encryption, PII protection), secrets management (Vault, AWS Secrets Manager, automated rotation), supply chain (dependency scanning, container scanning, SBOM), incident response (audit logs, alerting, runbooks), and compliance (GDPR, PCI-DSS, HIPAA, SOC 2 Type II).

How it connects

Use this checklist when hardening a system before production deployment, conducting security audits, preparing for compliance assessments, or establishing baseline security controls across your infrastructure and application stack.

Source README

MONOPOLY - Security Hardening Checklist

Network Security

  • All services inside private VPC; only LB/API GW exposed publicly
  • Security groups follow least-privilege (deny all, allow specific ports/CIDRs)
  • NACLs as secondary defense layer
  • WAF enabled with OWASP top 10 ruleset
  • DDoS protection (Cloudflare / AWS Shield Standard minimum)
  • VPN or Private Link for inter-service communication in multi-region

Authentication & Authorization

  • JWT tokens with short expiry (15 min access, 7 day refresh)
  • OAuth 2.0 / OIDC for third-party auth
  • MFA enforced for admin accounts
  • RBAC or ABAC for authorization
  • No secrets in JWT payload (use opaque references)
  • Token revocation strategy (Redis blocklist or short TTL)
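
The token items above (short expiry, no secrets in the payload, revocation) can be enforced in one verification step. The following is an added example, not code from the checklist's project: it assumes HS256 tokens, a `jti` claim as the revocation handle, a Python set standing in for the Redis blocklist, and a hypothetical deny-list of claim names.

```python
import base64, hashlib, hmac, json

MAX_ACCESS_TTL = 15 * 60                               # checklist: 15 min access tokens
FORBIDDEN_CLAIMS = {"password", "api_key", "secret"}   # assumed deny-list of claim names

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims: dict, key: bytes) -> str:
    """Sign claims as an HS256 JWT (used here to build constructed samples)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_access_token(token: str, key: bytes, revoked: set, now: float) -> dict:
    """Return the claims, or raise ValueError naming the failed checklist item."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(body_b64))
        sig = _unb64url(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("not JSON objects")
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":      # pin the algorithm; do not trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    iat, exp, jti = claims.get("iat"), claims.get("exp"), claims.get("jti")
    if not all(isinstance(v, (int, float)) for v in (iat, exp)):
        raise ValueError("missing iat/exp")
    if now >= exp:
        raise ValueError("expired")
    if exp - iat > MAX_ACCESS_TTL:        # reject tokens minted with a long lifetime
        raise ValueError("lifetime exceeds 15 minutes")
    if not isinstance(jti, str) or jti in revoked:   # blocklist lookup by token id
        raise ValueError("revoked or missing jti")
    if FORBIDDEN_CLAIMS.intersection(claims):
        raise ValueError("secret material in payload")
    return claims
```

Blocklist entries only need to live until the token's `exp`, so with 15-minute access tokens the Redis key can carry a matching TTL.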

API Security

  • Rate limiting at API gateway (per user, per IP, per endpoint)
  • Input validation and sanitization on all endpoints
  • SQL injection prevention (parameterized queries, ORM)
  • XSS prevention (output encoding, CSP headers)
  • CSRF protection (SameSite cookies, CSRF tokens)
  • CORS policy locked down (not wildcard *)
  • HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
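
The header, CORS and cookie items above can be checked against a captured response. The following is an added example, not part of the original checklist: the finding names and the two sample responses are constructed for illustration.

```python
import re

def audit_response(headers):
    """headers: list of (name, value) pairs. Returns a sorted list of findings."""
    findings = set()
    by_name = {}
    for name, value in headers:           # Set-Cookie may repeat, so keep lists
        by_name.setdefault(name.lower(), []).append(value.strip())

    def first(name):
        return by_name.get(name, [""])[0]

    m = re.search(r'max-age\s*=\s*"?(\d+)', first("strict-transport-security"), re.I)
    if not m or int(m.group(1)) == 0:     # max-age=0 switches HSTS off
        findings.add("hsts-missing-or-disabled")
    if first("x-frame-options").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.add("x-frame-options-missing")
    if first("x-content-type-options").lower() != "nosniff":
        findings.add("nosniff-missing")
    if not first("content-security-policy"):
        findings.add("csp-missing")
    if "*" in by_name.get("access-control-allow-origin", []):
        findings.add("cors-wildcard")
    for cookie in by_name.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        samesite = next((a.split("=", 1)[1].strip() for a in attrs
                         if a.startswith("samesite=")), None)
        if samesite not in {"lax", "strict"}:   # absent or SameSite=None
            findings.add("cookie-samesite-weak")
    return sorted(findings)

# Constructed sample responses.
WEAK = [
    ("Access-Control-Allow-Origin", "*"),
    ("Set-Cookie", "sid=abc; HttpOnly; Secure"),
    ("X-Content-Type-Options", "nosniff"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Access-Control-Allow-Origin", "https://app.example.com"),
    ("Set-Cookie", "sid=abc; HttpOnly; Secure; SameSite=Strict"),
]
```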

Data Security

  • Encryption in transit (TLS 1.2+ everywhere, TLS 1.3 preferred)
  • Encryption at rest (AES-256 for DBs, S3 SSE)
  • PII data identified, minimized, and encrypted at field level where needed
  • Database backups encrypted
  • No sensitive data in logs (PII, passwords, tokens, card numbers)

Secrets Management

  • No secrets in code or environment variables in plain text
  • Secrets manager in use (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager)
  • Secrets rotation automated
  • IAM roles for service-to-service auth (not static credentials)

Supply Chain & Dependencies

  • Dependency scanning (Snyk, Dependabot, npm audit)
  • Container image scanning (Trivy, ECR scanning)
  • Pin dependency versions in production
  • SBOM (Software Bill of Materials) generated for compliance

Incident Response

  • Audit logs for all admin actions and data access
  • Alerting on anomalous access patterns
  • Incident response runbook documented
  • Data breach notification process defined (GDPR 72-hour rule)
  • Regular penetration testing scheduled

Compliance (as applicable)

  • GDPR: data residency, right to deletion, consent tracking
  • PCI-DSS: if handling card data - never store raw PANs
  • HIPAA: if health data - encryption, audit logs, BAA with vendors
  • SOC 2 Type II: access control, availability, confidentiality evidence

Limitations

  • This is a reference document and may not cover all edge cases. Always verify architectures before production.
