AI Summary
A security-focused prompt booster for .NET/ASP.NET Core development that enforces OWASP best practices and CWE mitigation in AI-generated code across Claude, Cursor, and Copilot. Developers building secure .NET applications benefit from automated security guardrails embedded in their coding workflow.
Install
Copy this and paste it into Claude Code, Cursor, or any AI assistant:
I want to add the "secure-rules-files — Windsurf Rules" prompt rules to my project.
Repository: https://github.com/wiz-sec-public/secure-rules-files
Please read the repo to find the rules/prompt file, then:
1. Download it to the correct location (.cursorrules, .windsurfrules, .github/prompts/, or project root — based on the file type)
2. If there's an existing rules file, merge the new rules in rather than overwriting
3. Confirm what was added
Description
Baseline rules files to improve the security of AI-generated code (Claude, Cursor, Copilot + more)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary: XSS occurs when an application includes untrusted data in a web page without proper neutralization, allowing malicious scripts to execute in the user's browser.
Mitigation Rule: Always HTML-encode all untrusted input before rendering it in HTML using System.Text.Encodings.Web.HtmlEncoder.Default or Razor's automatic encoding. Ensure all data passed into JavaScript contexts is JSON-encoded using JsonSerializer.Serialize or URL-encoded using Uri.EscapeDataString as appropriate.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary: SQL Injection occurs when untrusted input is improperly concatenated into a SQL query, allowing attackers to manipulate the query and access or modify unauthorized data.
Mitigation Rule: Use parameterized queries (e.g., SqlCommand with SqlParameter, Entity Framework Core LINQ queries, or Dapper with anonymous objects) for all database interactions. Never concatenate user-supplied input directly into SQL statements.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary: Path Traversal allows an attacker to access files and directories outside of the intended directory by manipulating file paths.
Mitigation Rule: Validate and sanitize all user-supplied file paths and names. Use System.IO.Path.GetFullPath and System.IO.Path.Combine to create safe, canonical paths, and explicitly verify that the resulting path is strictly within an allowed base directory by checking for prefixes or direct equality.
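The CWE-22 rule above, worked through as an added example that is not part of the rules file: a helper that canonicalizes a user-supplied file name against an allowed base directory and rejects anything that escapes it. The class and method names are assumptions, as is the target of .NET 6 or later; the trailing-separator step is the detail a plain prefix check usually misses, since "/srv/uploads" is also a prefix of the sibling "/srv/uploads-private".

```csharp
using System;
using System.IO;

// Added example, not code from the secure-rules-files project.
public static class SafePath
{
    // Returns the canonical full path if it lies inside baseDir, otherwise null.
    public static string? Resolve(string baseDir, string userSuppliedName)
    {
        if (string.IsNullOrWhiteSpace(userSuppliedName))
            return null;

        // Path.Combine returns the second argument unchanged when it is rooted
        // ("/etc/passwd" or @"C:\Windows"), so rooted input is rejected up front.
        if (Path.IsPathRooted(userSuppliedName))
            return null;

        // Canonicalize the base directory and make sure it ends with a separator,
        // so that the prefix check cannot match a sibling directory.
        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar))
            root += Path.DirectorySeparatorChar;

        // GetFullPath collapses "..", "." and redundant separators.
        string candidate = Path.GetFullPath(Path.Combine(root, userSuppliedName));

        // Case handling follows the platform file system (assumption: a
        // case-insensitive volume on Windows, case-sensitive elsewhere).
        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        return candidate.StartsWith(root, cmp) ? candidate : null;
    }

    public static void Main()
    {
        // Constructed sample inputs: one benign name, three traversal attempts.
        string[] names = { "report.pdf", "../etc/passwd", "sub/../../x", "/etc/passwd" };
        foreach (string name in names)
        {
            string? resolved = Resolve("/srv/uploads", name);
            Console.WriteLine($"{name,-16} -> {(resolved is null ? "REJECTED" : resolved)}");
        }
    }
}
```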
CWE-502: Deserialization of Untrusted Data
Summary: Deserializing untrusted or malicious data can lead to remote code execution, denial-of-service, or data tampering.
Mitigation Rule: Avoid deserializing untrusted data, especially complex object graphs, from unknown or untrusted sources. If deserialization is unavoidable, use secure serializers like System.Text.Json with appropriate JsonSerializerOptions (e.g., DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingDefault and AllowTrailingCommas = false) and consider JsonStringEnumConverter for enums. Never use insecure formatters like BinaryFormatter or NetDataContractSerializer with untrusted inputs.
Works With
Any AI assistant that accepts custom rules or system prompts