
csrf-protection

Implements CSRF protection using synchronizer tokens, double-submit cookies, and SameSite attributes. Use when securing web forms, protecting state-changing endpoints, or implementing defense-in-depth authentication.

95

Quality

93%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Security by Snyk

Passed

No known issues


Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly identifies the specific CSRF protection techniques it implements, provides explicit 'Use when' trigger guidance, and uses domain-specific terminology that makes it highly distinguishable. It follows the third-person voice convention and is concise without being vague.

Dimension / Reasoning / Score

Specificity

Lists multiple specific concrete actions: 'synchronizer tokens', 'double-submit cookies', and 'SameSite attributes'. These are well-defined, concrete CSRF protection techniques rather than vague language.

3 / 3

Completeness

Clearly answers both 'what' (implements CSRF protection using synchronizer tokens, double-submit cookies, and SameSite attributes) and 'when' (Use when securing web forms, protecting state-changing endpoints, or implementing defense-in-depth authentication).

3 / 3

Trigger Term Quality

Includes strong natural keywords users would say: 'CSRF protection', 'web forms', 'state-changing endpoints', 'authentication', 'synchronizer tokens', 'double-submit cookies', 'SameSite'. These cover the main terms a developer would use when seeking CSRF help.

3 / 3

Distinctiveness Conflict Risk

CSRF protection is a well-defined security niche with distinct triggers like 'synchronizer tokens', 'double-submit cookies', and 'SameSite'. This is unlikely to conflict with other security skills (e.g., XSS, SQL injection) due to the specific terminology.

3 / 3

Total: 12 / 12

Passed

Implementation

87%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong skill that provides concrete, executable CSRF protection patterns with good token efficiency and clear progressive disclosure. The main weakness is the lack of a sequenced implementation workflow with verification steps; since this is a security feature, a step-by-step setup guide with a way to verify that protection is active would strengthen it. The best practices and common mistakes sections add genuine value without being verbose.

Suggestions

Add a brief numbered workflow (e.g., 1. Add middleware, 2. Add validation, 3. Update forms, 4. **Verify**: test with curl without token to confirm 403) to guide implementation order and include a validation checkpoint.

Dimension / Reasoning / Score

Conciseness

The content is lean and efficient. The comparison table is a great use of space, code examples are minimal but complete, and there is no unnecessary explanation of what CSRF is or how browsers work; it assumes Claude already knows.

3 / 3

Actionability

Provides fully executable Express.js middleware code with token generation, validation using timing-safe comparison, session cookie configuration, and HTML form integration. All code is copy-paste ready with concrete patterns.

3 / 3

Workflow Clarity

The skill presents individual components (middleware, validation, form integration) but doesn't clearly sequence them into a step-by-step implementation workflow. There's no validation checkpoint to verify the CSRF protection is working correctly after setup, which matters for a security-critical feature.

2 / 3

Progressive Disclosure

The main file provides a concise overview with executable examples for the primary use case (Express), and clearly signals a one-level-deep reference to python-react.md for additional implementations. Content is well-organized with clear section headers.

3 / 3

Total: 11 / 12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository
secondsky/claude-skills
Reviewed
