SKILL-044 Security, testing, and operations Locked skill

Input validation and sanitization

Validation is an allowlist on the server: name the fields and types you accept, reject everything else, and never trust the client.

What this skill helps you build

Validate every input on the server, accept only the fields you expect, parameterize your queries, and escape untrusted HTML on the way out.
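One way to put those four rules into code, as an added example rather than code from the skill itself: a hypothetical create-user handler that allowlists fields and types, rejects unknown keys, inserts with bind parameters, and escapes on output. The schema, table and function names are constructed for illustration.

```python
import html
import sqlite3

# Allowlist for one endpoint: field name -> required type (constructed example).
CREATE_USER_SCHEMA = {"username": str, "age": int, "newsletter": bool}

class ValidationError(ValueError):
    pass

def validate(payload, schema):
    """Accept only the declared fields with matching types; reject everything else."""
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(payload) - set(schema)
    if unknown:  # mass-assignment guard: extra keys are an error, not silently ignored
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    missing = set(schema) - set(payload)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    clean = {}
    for name, typ in schema.items():
        value = payload[name]
        # bool is a subclass of int, so an int field must refuse True/False explicitly
        wrong_bool = typ is int and isinstance(value, bool)
        if wrong_bool or not isinstance(value, typ):
            raise ValidationError(f"{name}: expected {typ.__name__}")
        clean[name] = value
    return clean

def insert_user(conn, clean):
    """Parameterized insert: values travel as bind parameters, never as SQL text."""
    conn.execute(
        "INSERT INTO users (username, age, newsletter) VALUES (?, ?, ?)",
        (clean["username"], clean["age"], int(clean["newsletter"])),
    )

def render_greeting(username):
    """Escape untrusted text on the way out so stored data cannot become markup."""
    return f"<p>Hello, {html.escape(username)}</p>"

def handle_create_user(conn, payload):
    """Tiny request handler: returns (status, body)."""
    try:
        clean = validate(payload, CREATE_USER_SCHEMA)
    except ValidationError as exc:
        return 400, str(exc)
    insert_user(conn, clean)
    return 201, render_greeting(clean["username"])

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, age INTEGER, newsletter INTEGER)")
    return conn
```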


Inside this skill

The full skill expands these implementation areas with decisions, edge cases, prompts, tests, and framework-specific code.

What this helps you build

A consistent input boundary for your app: one place where every piece of untrusted data — form fields, JSON bodies, query params, headers, webhook payloads — is checked, coerced to

When to use this

Use this everywhere data crosses a trust boundary into your system — which, in a SaaS app, is almost every request. Reach for it specifically when you have: Forms and JSON APIs tha

The core idea

Treat all input as hostile until proven otherwise, and enforce four rules at the boundary: 1. Validate on the server. Client-side validation is a UX nicety, not a control — anyone

Unlock the full implementation

Paid access includes the complete skill body, implementation prompt, common mistakes, production checklist, and code examples where this skill includes them.