Security defaults that belong in every Express application from day one.
93
90%
Does it follow best practices?
Impact
99%
6.18x Average score across 5 eval scenarios
Passed
No known issues
{
  "instruction": "Restrict JSON body size and validate all user input",
  "relevant_when": "Agent creates or modifies an Express application, adds routes to an Express app, or configures Express body parsing",
  "context": "Every Express app must set an explicit body size limit on express.json(). The default 100kb is too generous. Set limit: '10kb' or an appropriate value. Always validate URL parameters, query strings, and request bodies. Never interpolate user input directly into SQL queries or shell commands.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/express-security-basics/SKILL.md",
      "tile": "tessl-labs/express-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "body-size-limited",
      "rule": "Agent sets an explicit limit option on express.json() (e.g., express.json({ limit: '10kb' })) rather than using the default",
      "relevant_when": "Agent creates or modifies an Express application"
    },
    {
      "name": "params-validated",
      "rule": "Agent validates URL parameters (req.params) and query strings (req.query) before using them, rejecting invalid input with 400 status",
      "relevant_when": "Agent creates route handlers that use URL parameters"
    }
  ]
}

evals
  scenario-1
  scenario-2
  scenario-3
  scenario-4
  scenario-5
skills
  express-security-basics
verifiers