Prompt Engineering for Secure Code: A Developer's Guide

// Basic persona
"You are a senior security engineer..."

// Comprehensive persona
"You are a senior full-stack engineer with expertise in application
security. You follow OWASP Top 10 guidelines and never generate code
that contains known vulnerability patterns."

"I'm building a user authentication system for a Next.js 15 application.
The backend uses PostgreSQL with Prisma ORM. This is a healthcare
application that must be HIPAA compliant. Users include both patients
and medical staff with different permission levels."

"Create a password reset flow that:
- Generates a cryptographically secure reset token
- Stores the token with a 1-hour expiration
- Rate limits reset requests to 3 per hour per email
- Logs all reset attempts for audit purposes
- Never reveals whether an email exists in the system"

"Output requirements:
- TypeScript with full type safety (no 'any' types)
- Use bcrypt for password hashing (cost factor 12)
- Include comprehensive error handling that doesn't leak system details
- Add JSDoc comments explaining security decisions"

Write a function to get users by their email

Write a secure function to retrieve users by email address.

Requirements:
- Use parameterized queries to prevent SQL injection
- Validate email format before querying
- Return only non-sensitive user fields (no passwords, tokens)
- Include appropriate error handling
- Follow OWASP secure coding guidelines

Tech stack: Node.js with pg library for PostgreSQL

Write a function to authenticate with the GitHub API using this key: ghp_xxx

Write a Node.js function that authenticates against the GitHub API.

Security requirements:
- Use an environment variable called GITHUB_TOKEN
- Never log or expose the token in error messages
- Implement request timeout (30 seconds)
- Handle rate limiting gracefully
- Follow best practices for secure API key management

Write a file upload function for my server

Write a secure Python Flask route for file uploads.

Security requirements:
- Validate file types (allow only PNG, JPG, PDF)
- Limit file size to 5MB
- Prevent path traversal attacks
- Generate random filenames to prevent overwrites
- Store files outside the web root
- Scan filenames for malicious patterns
- Follow OWASP file upload best practices

Create a search function for products

Create a secure product search function for a React application.

Security requirements:
- Sanitize all user input before display (prevent XSS)
- Use parameterized queries for database search
- Implement search result pagination (max 50 per page)
- Add rate limiting metadata for the frontend
- Escape special characters in search terms
- Never reflect raw user input in error messages

# Security Guidelines

## Code Generation Rules
- Always use parameterized queries for database operations
- Never hardcode secrets, API keys, or credentials
- Follow OWASP Top 10 guidelines for all code
- Use cryptographically secure random number generation
- Implement proper input validation on all user inputs

## When Generating Code
- Include comments explaining security-relevant decisions
- If a request is ambiguous from a security perspective, ask for clarification
- Prefer established security libraries over custom implementations
- Flag any potential security concerns in your response

## Dependency Guidelines
- Prefer dependencies with active maintenance
- Check for known vulnerabilities before suggesting packages
- Never suggest deprecated or abandoned libraries

# Copilot Security Instructions

When generating code:
1. Use parameterized queries for all database operations
2. Validate and sanitize all user inputs
3. Never include hardcoded credentials or secrets
4. Follow OWASP secure coding practices
5. Use HTTPS for all external API calls
6. Implement proper error handling that doesn't leak system info

For authentication:
- Use bcrypt for password hashing (minimum cost factor 10)
- Implement rate limiting on auth endpoints
- Use secure session management

For file operations:
- Validate file paths to prevent traversal attacks
- Limit allowed file types and sizes
- Store uploads outside web root

Security-first code generation rules:

ALWAYS:
- Use parameterized queries, never string concatenation for SQL
- Validate inputs at system boundaries
- Use HTTPS for external requests
- Hash passwords with bcrypt (cost >= 12)
- Generate secure random tokens with crypto.randomBytes
- Sanitize data before HTML rendering

NEVER:
- Hardcode API keys, passwords, or secrets
- Use eval() or similar dynamic code execution
- Disable SSL certificate verification
- Log sensitive data (passwords, tokens, PII)
- Use MD5 or SHA1 for password hashing
- Trust client-side validation alone

Review the code you just generated for security vulnerabilities.

Check specifically for:
1. SQL injection (CWE-89)
2. Cross-site scripting (CWE-79)
3. Hardcoded credentials (CWE-798)
4. Path traversal (CWE-22)
5. Insecure cryptography (CWE-327)
6. Missing authentication (CWE-306)
7. OWASP Top 10 2025 violations

For each finding, explain:
- The vulnerability type and CWE ID
- Why it's dangerous
- How to fix it

If no issues found, confirm which security patterns are correctly implemented.

When you generate code, include comments explaining the security-relevant
decisions you made (e.g., "Using parameterized query to prevent SQL
injection", "Bcrypt with cost 12 for NIST-compliant password hashing").

If my request is ambiguous from a security perspective, ask clarifying
questions before generating the code.

Implement user session management following OWASP ASVS Level 2
requirements and PCI DSS session timeout guidelines.

/prompts
  /auth
    login.md
    password-reset.md
    session-management.md
  /database
    query-templates.md
    migration-patterns.md
  /api
    endpoint-security.md
    rate-limiting.md
  /files
    upload-handlers.md
    download-security.md

# Post-AI code security checklist
npm audit
npx eslint --plugin security src/
npx semgrep --config=p/security-audit src/