Auto-generated tile from GitHub (10 skills)
Score: 92. Does it follow best practices? 94%. Impact: 92%. 1.16x average score across 44 eval scenarios.
Advisory: suggest reviewing before use.
A digital health company is preparing to launch a patient-facing web portal backed by a Fastify REST API. The portal frontend is a single-page application hosted at https://app.healthportal.example.com. There is also a separate admin dashboard at https://admin.healthportal.example.com. Before the service can go live, the security team has issued a list of requirements.
Cross-origin access must be tightly controlled. The API should only accept browser requests from the two known frontend origins, not from arbitrary third-party sites. Authenticated requests from the browser will include cookies, so the cross-origin policy must support credentialed requests. Pre-flight responses should be cached for 24 hours by the browser to reduce overhead.
The HTTP responses must include a standard set of security headers to defend against common web vulnerabilities. Specifically: strict transport security must be enforced for at least one year (including subdomains), clickjacking must be prevented, the browser must be instructed to use a restrictive content security policy that only permits resources from the application's own origin, and the browser must not be allowed to sniff content types.
In addition, the security team wants the implementation documented so that future developers understand the protection in place and why.
The API handles sensitive patient data so the security configuration must be correct — partial implementations or "almost right" configurations are not acceptable.
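The cross-origin and security-header requirements above, worked through in plain TypeScript as an added example (not the page's own code and not any submission to this task). It has no dependencies: it encodes the option objects that @fastify/cors and @fastify/helmet accept for this spec, approximates the headers those plugins emit from them, and audits a header set so that an "almost right" configuration is reported instead of accepted. The origins, the one-year HSTS policy, the `default-src 'self'` CSP, the 24-hour preflight cache and the nosniff header come from the requirements; the method and allowed-header lists, the extra `frame-ancestors` and `object-src` directives, and the audit thresholds are my assumptions.

```typescript
// Added example (not the page's or any project's code). No dependencies: it
// models the plugin options the requirements imply, approximates the headers
// @fastify/cors and @fastify/helmet emit for them, and audits a header set so
// a partial configuration is reported rather than accepted.

const ALLOWED_ORIGINS: string[] = [
  'https://app.healthportal.example.com',
  'https://admin.healthportal.example.com',
];

// Shape accepted by @fastify/cors: explicit allowlist, credentials on, and a
// 24 h preflight cache (maxAge is in seconds). methods/allowedHeaders are assumed.
const corsOptions = {
  origin: ALLOWED_ORIGINS,
  credentials: true,
  maxAge: 86400,
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Authorization', 'Content-Type'],
};

// Shape accepted by @fastify/helmet. frame-ancestors and object-src are assumed
// additions on top of the "own origin only" default-src the spec requires.
const helmetOptions = {
  hsts: { maxAge: 31536000, includeSubDomains: true },
  frameguard: { action: 'deny' },
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      frameAncestors: ["'none'"],
      objectSrc: ["'none'"],
    } as Record<string, string[]>,
  },
  noSniff: true,
};

// Exact-match allowlist. A substring or loose-regex check would also admit
// https://app.healthportal.example.com.attacker.example or an http:// variant.
function isAllowedOrigin(origin: string | undefined): boolean {
  return origin !== undefined && ALLOWED_ORIGINS.indexOf(origin) !== -1;
}

// CORS headers for a response to `method` from `origin`. With credentials the
// specific origin must be echoed (browsers reject "*" here), and a disallowed
// origin gets no CORS headers at all, so the browser blocks the read.
function corsHeaders(origin: string | undefined, method: string): Record<string, string> {
  if (!isAllowedOrigin(origin)) return {};
  const h: Record<string, string> = {
    'access-control-allow-origin': origin as string,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin', // response differs per origin; keeps shared caches honest
  };
  if (method === 'OPTIONS') { // preflight-only headers
    h['access-control-allow-methods'] = corsOptions.methods.join(', ');
    h['access-control-allow-headers'] = corsOptions.allowedHeaders.join(', ');
    h['access-control-max-age'] = String(corsOptions.maxAge);
  }
  return h;
}

// Security headers the helmet options above resolve to (camelCase directive
// names become the kebab-case names used on the wire).
function securityHeaders(): Record<string, string> {
  const d = helmetOptions.contentSecurityPolicy.directives;
  const csp = Object.keys(d)
    .map((k) => k.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase()) + ' ' + d[k].join(' '))
    .join('; ');
  const hsts = 'max-age=' + helmetOptions.hsts.maxAge +
    (helmetOptions.hsts.includeSubDomains ? '; includeSubDomains' : '');
  return {
    'strict-transport-security': hsts,
    'x-frame-options': helmetOptions.frameguard.action.toUpperCase(),
    'content-security-policy': csp,
    'x-content-type-options': helmetOptions.noSniff ? 'nosniff' : '',
  };
}

// Audit a lower-cased header map against the requirements; returns findings.
// Empty result means every requirement is met, not merely "mostly" met.
function auditHeaders(h: Record<string, string>): string[] {
  const problems: string[] = [];
  const hsts = h['strict-transport-security'] || '';
  const m = /max-age=(\d+)/.exec(hsts);
  if (!m || Number(m[1]) < 31536000) problems.push('HSTS max-age below one year');
  if (!/includeSubDomains/i.test(hsts)) problems.push('HSTS missing includeSubDomains');
  const csp = h['content-security-policy'] || '';
  if (!/(^|;)\s*default-src\s+'self'\s*(;|$)/.test(csp)) problems.push("CSP default-src is not exactly 'self'");
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN' && !/frame-ancestors/.test(csp)) problems.push('no clickjacking protection');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') problems.push('X-Content-Type-Options is not nosniff');
  if (h['access-control-allow-origin'] === '*' && h['access-control-allow-credentials'] === 'true') problems.push('wildcard origin combined with credentials');
  return problems;
}
```

In the real `src/app.ts` the two option objects are what you hand to `app.register(cors, corsOptions)` and `app.register(helmet, helmetOptions)`; the functions here exist only so the resulting headers can be checked offline. Two caveats worth carrying into the architecture notes: browsers cap `Access-Control-Max-Age` (Chromium at 7200 seconds, Firefox at 86400), so 24 hours is the most you can ask for, not a guarantee; and because credentialed responses must echo a specific origin, `Vary: Origin` must accompany them or a shared cache can serve one origin's CORS response to another.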
Produce the following files:
package.json: with type: "module" and the necessary dependencies
src/app.ts: the Fastify application factory. It must register the cross-origin and security-header plugins with full configuration, and expose at least two representative routes: GET /health (public, no auth) and GET /api/patients (requires the Authorization header). Export buildApp() returning the configured instance
architecture-notes.md: describe which plugins are used for cross-origin control and security headers, list the allowed origins, summarise the HSTS policy, and explain what CSP directives are applied and why

evals: 44 scenarios (scenario-1 to scenario-44)
skills: documentation, fastify, init, linting-neostandard-eslint9, node, nodejs-core, rules, oauth, octocat, snipgrapher