Copy and paste these prompts into Claude Code, Codex, Cursor, or any other coding agent. Run them one at a time, and test your app after each change.
1.Block operating system command injection
Search the codebase for any place where the app runs operating-system commands, shell scripts, or external processes, and check whether user-controlled input can influence them. Eliminate command injection by avoiding the shell entirely where possible, passing arguments as a structured array rather than a concatenated string, and strictly validating any input that must be included. If a piece of functionality doesn't truly need to shell out, refactor it, and report every command-execution site you found.
2.Replace weak cryptographic algorithms
Scan the codebase for weak or outdated cryptography and replace it. Find uses of broken hash functions like MD5 or SHA1, weak ciphers like DES, insecure modes like ECB, hardcoded encryption keys or initialization vectors, and homegrown crypto, and replace each with a current, well-vetted algorithm and a standard library implementation. Confirm that hashing for passwords specifically uses a slow algorithm, and report every weak primitive you found and what you replaced it with.
3.Verify signatures on incoming webhooks
Audit any webhook endpoints my app exposes to receive events from third-party services. For each, verify the authenticity of incoming requests using the provider's signature mechanism — validating the signature against the raw request body with the shared secret and a constant-time comparison — and reject anything that fails. Add protection against replayed events using timestamps or event identifiers, and tell me which webhooks now verify their senders.
4.Cap request body and payload size
Add limits on the size of incoming requests across my app. Configure maximum request body sizes at the server or framework level, cap the size of uploaded files and individual fields, and limit the number of items in arrays and the depth of nested JSON so a malicious payload can't exhaust memory or CPU. Return a clear error when a limit is exceeded, and tell me the limits you set and where they're enforced.
5.Audit unsafe HTML render bypasses
Search the codebase for uses of my framework's raw-HTML rendering escape hatches — such as dangerouslySetInnerHTML, v-html, bypassSecurityTrust, or the equivalent that disables automatic escaping. For each occurrence, determine whether the content can include untrusted input and, if so, either remove the bypass or run the content through a strict sanitizer first. Document every bypass you found, whether it was safe, and how you handled it.