Code Security Prompts
Code security prompts are system prompts that configure LLM coding assistants to follow secure coding patterns for a specific framework or language. Each prompt encodes vulnerability mitigations from OWASP ASVS, CWE entries, and the framework's own security documentation.
When a prompt is active, the LLM produces code that includes security controls by default — parameterized queries instead of string concatenation, CSRF tokens on state-changing endpoints, bcrypt for password hashing, and so on. Without the prompt, the same model may omit these controls.
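The difference the prompt is meant to make, as an added example that is not part of the original page: the user lookup a model may emit when unprompted (string concatenation) beside the parameterized form it should emit, plus a login check that stores salted hashes and compares them in constant time. It assumes Python with the standard-library sqlite3 module and uses hashlib.scrypt as a stdlib stand-in for bcrypt, which is a third-party package.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt (assumption of this example): a memory-hard KDF from the stdlib.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("correct horse", salt)))
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # What a model may produce without the prompt: the username is spliced into the SQL text,
    # so any quote in it is parsed as SQL (a legitimate name like o'brien breaks the statement).
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # What the prompt steers toward: the value is bound as a parameter, never parsed as SQL.
    return conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchall()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized lookup plus salted hash comparison; compare_digest avoids timing leaks.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "o'brien"), login(db, "alice", "correct horse"))
```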
What "Coverage" Means
Each prompt targets a specific framework and covers:
- Input validation — Sanitization, type checking, length limits
- Authentication — Secure password storage, session management, multi-factor support
- Authorization — Access control checks at the route and data layer
- Injection prevention — SQL, NoSQL, command, LDAP, XSS, and template injection
- Cryptography — Correct algorithm selection, key management, secure defaults
- Error handling — No stack traces or internal state in error responses
- Logging — Security-relevant events logged without sensitive data
Coverage depth varies by framework maturity. Node.js, Python, Java, and .NET prompts have the deepest coverage. Newer framework prompts are continuously expanded.
Backend Frameworks
| Framework | Languages / Frameworks | What the Prompt Covers |
|---|---|---|
| Node.js | Express, Fastify, NestJS | Injection prevention, helmet defaults, rate limiting, JWT handling |
| Python | Django, Flask, FastAPI | ORM injection, CSRF, secure session config, secrets management |
| Go | Standard library, Gin, Echo | Memory safety patterns, crypto/rand usage, HTTP security headers |
| Java | Spring Boot, Jakarta EE | Spring Security config, JDBC parameterization, XML external entity prevention |
| PHP | Laravel, Symfony | Blade escaping, Eloquent parameterization, session fixation prevention |
| .NET | ASP.NET Core | Middleware security pipeline, anti-forgery tokens, data protection API |
| Ruby on Rails | Rails 7+ | Strong parameters, CSRF defaults, Content Security Policy |
| Rust | Actix, Axum, Rocket | Memory safety enforcement, type-safe query builders, TLS configuration |
| Scala | Play Framework, Akka HTTP | CSRF filters, content type enforcement, form binding validation |
| Elixir | Phoenix | Plug pipeline security, Ecto parameterization, CORS configuration |
| SQL / RDBMS | PostgreSQL, MySQL, SQL Server | Query parameterization, least-privilege access, audit logging |
| GraphQL | Apollo, Yoga, Strawberry | Query depth limiting, authorization directives, introspection controls |
| gRPC | Cross-language | TLS mutual auth, interceptor-based auth, metadata validation |
| ServiceNow | Platform scripting | GlideRecord access controls, script include security, REST API protection |
Frontend Frameworks
| Framework | What the Prompt Covers |
|---|---|
| React | JSX auto-escaping reinforcement, dangerouslySetInnerHTML avoidance, state management security |
| Vue | Template injection prevention, v-html restrictions, reactive data safety |
| Angular | DomSanitizer usage, CSP configuration, HTTP interceptor security |
| Next.js | SSR/SSG data exposure prevention, API route protection, middleware security |
| Svelte | Component isolation, {@html} restrictions, store safety |
| TypeScript | Type-safe API contracts, strict null checks for security boundaries |
| Flutter | Platform channel security, secure storage, certificate pinning |
| SolidJS | innerHTML restrictions, signal safety, hydration security |
Additional frontend prompts are available for: Alpine.js, Astro, Deno Fresh, Ember.js, HTMX, Lit, Preact, Qwik, JavaScript, jQuery.
Platform Security
| Topic | What the Prompt Covers |
|---|---|
| Authorization | RBAC, ABAC, ReBAC patterns; OPA/Rego, OpenFGA, SpiceDB, Casbin, Cedar implementations |
| Secret Management | HashiCorp Vault, AWS Secrets Manager, environment variable handling, rotation patterns |
| Embedded and IoT | Firmware update security, constrained device crypto, JTAG/SWD protection |
| WebAssembly | WASM sandboxing, linear memory safety, host binding security |
| Mobile | iOS Keychain, Android Keystore, certificate pinning, biometric authentication |
| C/C++ | Buffer overflow prevention, use-after-free detection, safe integer arithmetic |
How to Use
- Identify the framework or language your project uses
- Find the corresponding prompt file (available in up to 5 model variants)
- Set it as the system prompt in your IDE, coding agent, or API call
- Test by requesting code with security implications (login endpoint, file upload, database query) — the output should include security controls without being asked
See Deploying Prompts for detailed setup instructions for every major IDE, coding agent, and API.
Limitations
- Prompts reduce but do not eliminate insecure code generation. Always review LLM output.
- Coverage is based on known vulnerability classes. Zero-day vulnerabilities are not covered.
- Security controls in generated code should be validated against your specific deployment environment.
- Prompts do not replace static analysis (SAST), dynamic testing (DAST), or dependency scanning.