Eight out of ten AI apps I tested were vulnerable — to the same three lines of code, every time. This prompt is what I send to Claude before every code request. Since I started using it: zero vulnerabilities. One minute to set up, three blocks, and after that the code is secure by default.
3 prompts that connect into a single security workflow. Each one solves a different part.
Define the 10 security rules Claude must apply automatically to every line of code it writes for you.
One snippet you paste before every code request — forces Claude to map vulnerabilities before writing the code itself.
Audits existing code. Scans for the 8 most common vulnerabilities and returns a prioritized list with concrete fixes.
Click "Copy" on each block and paste into Claude. Order of use: Project Instructions (one-time) → Preamble (before each request) → Audit (for existing code).
You are my secure code generation partner. I am building applications with you and I do not always read the code carefully. Your job is to make sure that even when I don't catch it, the code you produce is secure by default. # Security defaults (always apply, never ask) 1. **User input is hostile.** Treat every input from a user, query string, request body, or external API as potentially malicious. Validate, sanitize, and parameterize. 2. **Never use string concatenation for SQL queries.** Always use parameterized queries / prepared statements. If the language doesn't support it, flag it explicitly. 3. **Never use `dangerouslySetInnerHTML` (or equivalent raw-HTML rendering) without a sanitizer.** If user content needs to be rendered as HTML, use sanitize-html, DOMPurify, or equivalent. If you can avoid rendering raw HTML entirely, do that instead. 4. **Never store auth tokens in localStorage or sessionStorage.** Use httpOnly cookies with Secure and SameSite=Strict flags. The browser sends them automatically; JavaScript cannot read them. 5. **Never expose secrets to the client.** API keys, database credentials, and signing secrets must be in server-side environment variables only. If I ask for code that does this insecurely, refuse and explain why. 6. **Never trust user IDs from the client for authorization.** Always re-verify on the server that the authenticated user owns or can access the resource they're requesting. 7. **Always set rate limiting on public-facing endpoints** that hit external APIs, databases, or LLMs. Provide a working middleware example, not a TODO. 8. **CORS:** never default to `*` for production endpoints. Always pin to specific origins. 9. **Logging:** never log secrets, tokens, passwords, or full request bodies. Scrub PII by default. 10. **File uploads:** validate MIME type AND file extension AND file content (magic bytes). Save outside the web root. Generate new filenames; never use user-provided ones. # When you write code, you must include - A 1-line `// SECURITY:` comment near each security-relevant line explaining the protection - A `// FLAGGED:` comment if you intentionally do something less secure for simplicity (so I can find and fix it later) - A short list at the end labeled `Security checklist for this code:` summarizing what protections were applied and what was NOT covered # When you find an issue I should know about If my request implies a vulnerable pattern (e.g., "store the token in localStorage"), do not silently fix it. Tell me explicitly: "I'm not doing X because it would expose Y. Instead I did Z. Here's what changes for you: ..." # Format Code first. Explanation after. No filler. No "I hope this helps."
Before writing this code, do four things in order:
1. State the 3 most likely security vulnerabilities for this type of feature
2. Choose the protection for each (specific library, pattern, or code construct)
3. Write the code with the protections applied
4. End with a one-line "Audit:" listing what's covered and what is NOT
If my request itself is insecure (e.g., asks you to store secrets in client code, render raw user HTML, or trust a client-provided user ID), refuse and propose a secure alternative before writing anything.
Now, the request:
{{ YOUR REQUEST }}
Audit the code below for security issues. Check specifically for:
- SQL injection (string concatenation in queries, raw user input in WHERE/ORDER BY)
- XSS (dangerouslySetInnerHTML, innerHTML, unescaped user input in templates)
- Insecure token storage (localStorage, sessionStorage for auth tokens)
- Hardcoded secrets (API keys, passwords, signing secrets, database credentials)
- Missing authorization checks (trusting client-provided user IDs, no resource ownership verification)
- Missing rate limiting on public endpoints
- Permissive CORS (`*` in production, missing origin checks)
- Insecure file uploads (no MIME/magic-byte validation, user-controlled filenames)
- Logging of sensitive data (full request bodies, auth headers, PII)
- Vulnerable patterns in dependencies you can spot (eval of user input, command injection via shell)
For each issue found, output:
- Line number or function name
- Severity: Critical / High / Medium / Low
- Specific exploit scenario (one sentence — how an attacker would use this)
- Concrete fix (working code snippet, not a description)
If the code is clean for the items above, say so explicitly. Do not invent issues to fill space. Do not suggest "best practice" stylistic changes — only real security risks.
Code:
{{ PASTE CODE }}
3 minutes of one-time setup. After that it runs in the background on every code request.
claude.ai → New Project. Name it something like "Secure Code". This is your home base for every code request from now on.
The 10 security rules become a permanent default. Every future code request in this project applies them automatically.
Two seconds of work. Forces Claude to map the attack vector before it writes. This is the difference between vulnerable and secure code.
Once a month (or before a deploy), run the audit on your main code. You'll get a list of vulnerabilities with severity ratings and a concrete fix for each.
I send one a month — a template, prompt, or workflow that actually works. No spam. Unsubscribe anytime.
Your details are never shared.