Copy and paste these prompts into Claude Code, Codex, Cursor, or any other coding agent. Run them one at a time, and test your app after each change.

1. Block operating system command injection

Search the codebase for any place where the app runs operating-system commands, shell scripts, or external processes, and check whether user-controlled input can influence them. Eliminate command injection by avoiding the shell entirely where possible, passing arguments as a structured array rather than a concatenated string, and strictly validating any input that must be included. If a piece of functionality doesn't truly need to shell out, refactor it, and report every command-execution site you found.

2. Replace weak cryptographic algorithms

Scan the codebase for weak or outdated cryptography and replace it. Find uses of broken hash functions like MD5 or SHA1, weak ciphers like DES, insecure modes like ECB, hardcoded encryption keys or initialization vectors, and homegrown crypto, and replace each with a current, well-vetted algorithm and a standard library implementation. Confirm that hashing for passwords specifically uses a slow algorithm, and report every weak primitive you found and what you replaced it with.

3. Verify signatures on incoming webhooks

Audit any webhook endpoints my app exposes to receive events from third-party services. For each, verify the authenticity of incoming requests using the provider's signature mechanism — validating the signature against the raw request body with the shared secret and a constant-time comparison — and reject anything that fails. Add protection against replayed events using timestamps or event identifiers, and tell me which webhooks now verify their senders.

4. Cap request body and payload size

Add limits on the size of incoming requests across my app.
Configure maximum request body sizes at the server or framework level, cap the size of uploaded files and individual fields, and limit the number of items in arrays and the depth of nested JSON so a malicious payload can't exhaust memory or CPU. Return a clear error when a limit is exceeded, and tell me the limits you set and where they're enforced.
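The kind of change prompt 1 asks for, shown as an added Python example (not code from the page or from any of the agents it names): the string-concatenation form that hands user input to a shell, beside the hardened form that validates the input against an allow-list pattern and passes a structured argv with `shell=False`. It also includes a small regex scanner that lists command-execution sites in a source file, since the prompt asks the agent to report them. The host pattern, the `ping` arguments and the constructed `SAMPLE_SOURCE` are assumptions for the example.

```python
import re
import subprocess
from typing import List, Tuple

# Allow-list for a hostname or IPv4 address: dot-separated labels of letters,
# digits and hyphens. Spaces, ';', '|', '$(' and quotes can never match.
HOST_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{HOST_LABEL}(\.{HOST_LABEL})*")


def is_valid_host(host: str) -> bool:
    """True only if `host` is a plausible hostname/IPv4 literal (assumed policy)."""
    return len(host) <= 253 and HOST_RE.fullmatch(host) is not None


def unsafe_ping_command(host: str) -> str:
    """The 'before' form: concatenation that would be handed to os.system().

    Returned as a string rather than executed so the example stays offline.
    Any shell metacharacter in `host` becomes part of the command line.
    """
    return "ping -c 1 " + host


def build_ping_argv(host: str) -> List[str]:
    """The hardened form: validate first, then build a structured argv.

    With a list and shell=False no shell ever parses the arguments, so
    metacharacters are inert; the allow-list also stops option injection
    (a host such as '-f' fails the pattern because it must start alphanumeric).
    """
    if not is_valid_host(host):
        raise ValueError(f"invalid host: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell and with a timeout."""
    return subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, text=True, timeout=timeout)


# Finder for command-execution sites in Python source (assumed call list).
EXEC_SITE_RE = re.compile(
    r"\b(os\.system|os\.popen|subprocess\.\w+|commands\.getoutput)\s*\(")
SHELL_BY_DEFAULT = {"os.system", "os.popen", "commands.getoutput"}


def find_exec_sites(source: str) -> List[Tuple[int, str, bool]]:
    """Return (line number, call, uses_shell) for each execution site found."""
    sites = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = EXEC_SITE_RE.search(line)
        if match:
            call = match.group(1)
            uses_shell = call in SHELL_BY_DEFAULT or "shell=True" in line
            sites.append((lineno, call, uses_shell))
    return sites


# Constructed sample source to run the finder over.
SAMPLE_SOURCE = """import os, subprocess
def a(h): return os.system("ping " + h)
def b(h): return subprocess.run(["ping", h])
def c(h): return subprocess.check_output("dig " + h, shell=True)
"""

if __name__ == "__main__":
    for site in find_exec_sites(SAMPLE_SOURCE):
        print(site)
    print(build_ping_argv("example.com"))
```

The finder only flags the call sites; whether the input reaching them is user-controlled still has to be traced by hand or by the agent, and any site marked `uses_shell=True` is the first to refactor toward the argv form.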
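For prompt 2, an added Python example (not the page's code) of the password-hashing part: an unsalted MD5 hash as the 'before' form, a salted scrypt hash from the standard library as the replacement, constant-time verification, and a login path that transparently re-hashes legacy entries. A small finder that maps weak primitive names to suggested replacements covers the reporting the prompt asks for. The scrypt parameters, the `scrypt$...` storage format and the replacement table are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# scrypt cost parameters (assumed defaults; tune so one hash costs ~50-100 ms
# on your hardware). Memory use is 128 * r * n bytes, 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES, DKLEN = 16, 32


def legacy_md5_hash(password: str) -> str:
    """The 'before' form: fast, unsalted MD5. Kept only to recognise old rows."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, salted hash: scrypt with the parameters recorded in the string."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check against either format; unknown formats never verify."""
    parts = stored.split("$")
    if parts[0] == "scrypt" and len(parts) == 6:
        _, n, r, p, salt_hex, dk_hex = parts
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM,
                            dklen=len(dk_hex) // 2)
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    if parts[0] == "md5" and len(parts) == 2:
        # Legacy path: still verify so the user can log in once and be migrated.
        return hmac.compare_digest(legacy_md5_hash(password).encode(), stored.encode())
    return False


def needs_rehash(stored: str) -> bool:
    """True for legacy hashes or scrypt hashes with weaker-than-current parameters."""
    return not stored.startswith(f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}$")


def login_and_migrate(password: str, stored: str) -> Tuple[bool, str]:
    """Verify; on success return the hash the caller should persist (upgraded if needed)."""
    if not verify_password(password, stored):
        return False, stored
    return True, hash_password(password) if needs_rehash(stored) else stored


# Weak primitive names and the replacement to report (assumed table).
WEAK_PRIMITIVES = {
    "md5": "SHA-256 for integrity; scrypt/argon2 for passwords",
    "sha1": "SHA-256",
    "des": "AES-256-GCM",
    "mode_ecb": "AES-GCM (authenticated mode with a unique nonce per message)",
    "rc4": "AES-256-GCM or ChaCha20-Poly1305",
}
WEAK_RE = re.compile(r"\b(" + "|".join(WEAK_PRIMITIVES) + r")\b", re.IGNORECASE)


def find_weak_primitives(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, token as written, suggested replacement) per hit."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in WEAK_RE.finditer(line):
            hits.append((lineno, match.group(1), WEAK_PRIMITIVES[match.group(1).lower()]))
    return hits


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(stored, verify_password("correct horse", stored))
    print(find_weak_primitives('h = hashlib.md5(data)\nc = AES.new(k, AES.MODE_ECB)\n'))
```

Recording `n`, `r` and `p` inside the stored string is what lets `needs_rehash` raise the cost later without a forced password reset: every successful login re-hashes under the current parameters.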
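For prompt 3, an added Python example (not the page's code) of both sides of a webhook exchange: the sender computes an HMAC-SHA256 over the timestamp and the raw body, and the receiver checks the timestamp window, recomputes the MAC over the exact bytes it received, compares in constant time, and only then parses the body to deduplicate by event id. The header name `X-Signature`, its `t=...,v1=...` layout, the 300-second tolerance and the sample event are assumptions for the example, not any particular provider's scheme.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

TOLERANCE_SECONDS = 300  # assumed replay window


def sign_payload(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body bytes>'."""
    message = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_signature_header(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Header value the sender attaches, e.g. 't=1700000000,v1=<hex>' (assumed layout)."""
    return f"t={timestamp},v1={sign_payload(secret, timestamp, raw_body)}"


def parse_signature_header(header: str) -> Tuple[Optional[int], Optional[str]]:
    timestamp, signature = None, None
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signature = value
    return timestamp, signature


def verify_webhook(secret: bytes, headers: Dict[str, str], raw_body: bytes,
                   seen_event_ids: Set[str], now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason); reject anything that is not (True, 'ok').

    The MAC is computed over the raw bytes, never over a re-serialised parsed
    object, because re-serialisation can change whitespace or key order.
    """
    now = int(time.time()) if now is None else now
    header = headers.get("X-Signature")
    if header is None:
        return False, "missing signature header"
    timestamp, signature = parse_signature_header(header)
    if timestamp is None or signature is None:
        return False, "malformed signature header"
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    expected = sign_payload(secret, timestamp, raw_body)
    # Constant-time comparison on bytes so a non-ASCII header cannot raise.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "signature mismatch"
    # Only authenticated bodies are parsed.
    try:
        event_id = json.loads(raw_body)["id"]
    except (ValueError, KeyError, TypeError):
        return False, "body is not a well-formed event"
    if event_id in seen_event_ids:
        return False, "replayed event"
    seen_event_ids.add(event_id)
    return True, "ok"


if __name__ == "__main__":
    # Constructed exchange: the provider signs, the app verifies twice.
    secret = b"whsec_constructed_example_secret"
    body = b'{"id":"evt_1","type":"order.paid"}'
    sent_at = 1_700_000_000
    headers = {"X-Signature": build_signature_header(secret, sent_at, body)}
    seen: Set[str] = set()
    print(verify_webhook(secret, headers, body, seen, now=sent_at + 5))
    print(verify_webhook(secret, headers, body, seen, now=sent_at + 6))
```

In a real service the `seen_event_ids` set lives in shared storage with an expiry at least as long as the timestamp tolerance, so that a replay arriving at a different instance is still caught.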
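For prompt 4, an added Python example (not the page's code) of enforcing the limits at the application layer: a byte-size cap, a single-pass nesting-depth scan over the raw bytes that rejects a deeply nested body before the JSON parser ever sees it, and a post-parse walk that caps array and object sizes and string lengths, with a clear 413-style error. The default limits in `PayloadLimits` and the error shape are assumptions for the example.

```python
import json
from dataclasses import dataclass
from typing import Any, Dict, Tuple


@dataclass(frozen=True)
class PayloadLimits:
    max_body_bytes: int = 1_000_000   # assumed defaults; set per endpoint
    max_depth: int = 32
    max_items: int = 1_000            # per array or object
    max_string_chars: int = 10_000


class PayloadTooLarge(ValueError):
    pass


def max_nesting_depth(raw: bytes, limit: int) -> int:
    """Count '[' '{' nesting outside JSON strings; stop early once `limit` is exceeded.

    Running this before json.loads means a body such as '[[[[...' is rejected
    in linear time without building any object or hitting the recursion limit.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for byte in raw:  # iterating bytes yields ints
        if in_string:
            if escaped:
                escaped = False
            elif byte == 0x5C:      # backslash
                escaped = True
            elif byte == 0x22:      # closing quote
                in_string = False
        elif byte == 0x22:          # opening quote
            in_string = True
        elif byte in (0x5B, 0x7B):  # '[' or '{'
            depth += 1
            max_depth = max(max_depth, depth)
            if depth > limit:
                return depth
        elif byte in (0x5D, 0x7D):  # ']' or '}'
            depth -= 1
    return max_depth


def _walk(node: Any, limits: PayloadLimits) -> None:
    """Enforce per-container and per-string limits on the parsed tree."""
    if isinstance(node, (list, dict)):
        if len(node) > limits.max_items:
            raise PayloadTooLarge(f"container with {len(node)} items exceeds {limits.max_items}")
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            _walk(child, limits)
    elif isinstance(node, str) and len(node) > limits.max_string_chars:
        raise PayloadTooLarge(f"string of {len(node)} chars exceeds {limits.max_string_chars}")


def validate_json_payload(raw: bytes, limits: PayloadLimits = PayloadLimits()) -> Any:
    """Return the parsed body, or raise PayloadTooLarge / ValueError."""
    if len(raw) > limits.max_body_bytes:
        raise PayloadTooLarge(f"body of {len(raw)} bytes exceeds {limits.max_body_bytes}")
    if max_nesting_depth(raw, limits.max_depth) > limits.max_depth:
        raise PayloadTooLarge(f"nesting deeper than {limits.max_depth}")
    try:
        data = json.loads(raw)
    except ValueError as exc:
        raise ValueError("malformed JSON") from exc
    _walk(data, limits)
    return data


def is_within_limits(raw: bytes, limits: PayloadLimits = PayloadLimits()) -> bool:
    try:
        validate_json_payload(raw, limits)
        return True
    except PayloadTooLarge:
        return False


def error_response(exc: PayloadTooLarge) -> Tuple[int, Dict[str, str]]:
    """Clear client-facing error: HTTP 413 with the specific limit that was hit."""
    return 413, {"error": "payload_too_large", "detail": str(exc)}


if __name__ == "__main__":
    # Constructed inputs: one normal body, one deeply nested bomb.
    print(validate_json_payload(b'{"items":[1,2,3]}'))
    try:
        validate_json_payload(b"[" * 5000 + b"]" * 5000)
    except PayloadTooLarge as exc:
        print(error_response(exc))
```

These checks run after the body has been received, so the byte cap must also be set where the bytes are buffered, at the reverse proxy (for example nginx's `client_max_body_size`) and in the framework's request-size setting; the application-level limits then handle the shape of the payload, which the server cannot see.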