Implements CSRF protection using synchronizer tokens, double-submit cookies, and SameSite attributes. Use when securing web forms, protecting state-changing endpoints, or implementing defense-in-depth authentication.
Install with Tessl CLI
npx tessl i github:secondsky/claude-skills --skill csrf-protection
Overall score
87%
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Validation for skill structure
Discovery
85%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates specific CSRF protection techniques and provides explicit usage triggers. The description uses proper third-person voice and covers both the 'what' and 'when' effectively. The main weakness is moderate trigger term coverage - it could benefit from including common variations like 'cross-site request forgery' or 'XSRF'.
Suggestions
Add common trigger term variations such as 'cross-site request forgery', 'XSRF', or 'anti-forgery tokens' to improve discoverability when users use different terminology.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'synchronizer tokens, double-submit cookies, and SameSite attributes' - these are distinct, technical implementation approaches that clearly describe what the skill does. | 3 / 3 |
| Completeness | Clearly answers both what ('Implements CSRF protection using synchronizer tokens, double-submit cookies, and SameSite attributes') and when ('Use when securing web forms, protecting state-changing endpoints, or implementing defense-in-depth authentication'). | 3 / 3 |
| Trigger Term Quality | Includes relevant terms like 'CSRF protection', 'web forms', 'state-changing endpoints', and 'authentication', but misses common user variations like 'cross-site request forgery', 'form security', 'token validation', or 'XSRF'. | 2 / 3 |
| Distinctiveness Conflict Risk | CSRF protection is a specific security niche with distinct triggers; unlikely to conflict with general authentication, XSS, or other security skills due to explicit mention of CSRF-specific techniques. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
87%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong skill with excellent conciseness and actionability. The code examples are production-ready with proper security practices (timing-safe comparison, secure cookie settings). The main weakness is the lack of an explicit implementation workflow with validation steps to verify the protection is working correctly.
Suggestions
Add a brief implementation workflow section with numbered steps and a validation checkpoint (e.g., 'Test by making a cross-origin POST request - it should fail with 403')
Consider adding a quick verification snippet showing how to test that CSRF protection is working correctly
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient, presenting only essential information without explaining what CSRF is or how browsers work. Every section delivers actionable content without padding. | 3 / 3 |
| Actionability | Provides fully executable code examples for Express middleware, session configuration, and HTML form integration. The code is copy-paste ready with proper crypto usage and timing-safe comparison. | 3 / 3 |
| Workflow Clarity | While the individual components are clear, there's no explicit workflow for implementing CSRF protection end-to-end. Missing validation checkpoints like 'test your protection by attempting a cross-origin request' or verification steps. | 2 / 3 |
| Progressive Disclosure | Well-structured with a clear overview table, focused core examples, and appropriate delegation to references/python-react.md for additional implementations. One-level-deep references are clearly signaled. | 3 / 3 |
| Total | 11 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 13 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | 13 / 16 Passed | |