DiscordSign up
SKILLS.SH

best-practices

Apply modern web development best practices for security, compatibility, and code quality. Use when asked to "apply best practices", "security audit",…

INSTALLATION
npx skills add https://github.com/davila7/claude-code-templates --skill best-practices
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

$2b

HSTS Header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content Security Policy (CSP)

<!-- Basic CSP via meta tag -->

<meta http-equiv="Content-Security-Policy"

      content="default-src 'self';

               script-src 'self' https://trusted-cdn.com;

               style-src 'self' 'unsafe-inline';

               img-src 'self' data: https:;

               connect-src 'self' https://api.example.com;">

<!-- Better: HTTP header -->

CSP Header (recommended):

Content-Security-Policy:

  default-src 'self';

  script-src 'self' 'nonce-abc123' https://trusted.com;

  style-src 'self' 'nonce-abc123';

  img-src 'self' data: https:;

  connect-src 'self' https://api.example.com;

  frame-ancestors 'self';

  base-uri 'self';

  form-action 'self';

Using nonces for inline scripts:

<script nonce="abc123">

  // This inline script is allowed

</script>

Security headers

# Prevent clickjacking

X-Frame-Options: DENY

# Prevent MIME type sniffing

X-Content-Type-Options: nosniff

# Enable XSS filter (legacy browsers)

X-XSS-Protection: 1; mode=block

# Control referrer information

Referrer-Policy: strict-origin-when-cross-origin

# Permissions policy (formerly Feature-Policy)

Permissions-Policy: geolocation=(), microphone=(), camera=()

No vulnerable libraries

# Check for vulnerabilities

npm audit

yarn audit

# Auto-fix when possible

npm audit fix

# Check specific package

npm ls lodash

Keep dependencies updated:

// package.json

{

  "scripts": {

    "audit": "npm audit --audit-level=moderate",

    "update": "npm update &#x26;&#x26; npm audit fix"

  }

}

Known vulnerable patterns to avoid:

// ❌ Prototype pollution vulnerable patterns

Object.assign(target, userInput);

_.merge(target, userInput);

// ✅ Safer alternatives

const safeData = JSON.parse(JSON.stringify(userInput));

Input sanitization

// ❌ XSS vulnerable

element.innerHTML = userInput;

document.write(userInput);

// ✅ Safe text content

element.textContent = userInput;

// ✅ If HTML needed, sanitize

import DOMPurify from 'dompurify';

element.innerHTML = DOMPurify.sanitize(userInput);

Secure cookies

// ❌ Insecure cookie

document.cookie = "session=abc123";

// ✅ Secure cookie (server-side)

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/

Browser compatibility

Doctype declaration

<!-- ❌ Missing or invalid doctype -->

<HTML>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<!-- ✅ HTML5 doctype -->

<!DOCTYPE html>

<html lang="en">

Character encoding

<!-- ❌ Missing or late charset -->

<html>

<head>

  <title>Page</title>

  <meta charset="UTF-8">

</head>

<!-- ✅ Charset as first element in head -->

<html>

<head>

  <meta charset="UTF-8">

  <title>Page</title>

</head>

Viewport meta tag

<!-- ❌ Missing viewport -->

<head>

  <title>Page</title>

</head>

<!-- ✅ Responsive viewport -->

<head>

  <meta charset="UTF-8">

  <meta name="viewport" content="width=device-width, initial-scale=1">

  <title>Page</title>

</head>

Feature detection

// ❌ Browser detection (brittle)

if (navigator.userAgent.includes('Chrome')) {

  // Chrome-specific code

}

// ✅ Feature detection

if ('IntersectionObserver' in window) {

  // Use IntersectionObserver

} else {

  // Fallback

}

// ✅ Using @supports in CSS

@supports (display: grid) {

  .container {

    display: grid;

  }

}

@supports not (display: grid) {

  .container {

    display: flex;

  }

}

Polyfills (when needed)

<!-- Load polyfills conditionally -->

<script>

  if (!('fetch' in window)) {

    document.write('<script src="/polyfills/fetch.js"><\/script>');

  }

</script>

<!-- Or use polyfill.io -->

<script src="https://polyfill.io/v3/polyfill.min.js?features=fetch,IntersectionObserver"></script>

Deprecated APIs

Avoid these

// ❌ document.write (blocks parsing)

document.write('<script src="..."></script>');

// ✅ Dynamic script loading

const script = document.createElement('script');

script.src = '...';

document.head.appendChild(script);

// ❌ Synchronous XHR (blocks main thread)

const xhr = new XMLHttpRequest();

xhr.open('GET', url, false); // false = synchronous

// ✅ Async fetch

const response = await fetch(url);

// ❌ Application Cache (deprecated)

<html manifest="cache.manifest">

// ✅ Service Workers

if ('serviceWorker' in navigator) {

  navigator.serviceWorker.register('/sw.js');

}

Event listener passive

// ❌ Non-passive touch/wheel (may block scrolling)

element.addEventListener('touchstart', handler);

element.addEventListener('wheel', handler);

// ✅ Passive listeners (allows smooth scrolling)

element.addEventListener('touchstart', handler, { passive: true });

element.addEventListener('wheel', handler, { passive: true });

// ✅ If you need preventDefault, be explicit

element.addEventListener('touchstart', handler, { passive: false });

Console &#x26; errors

No console errors

// ❌ Errors in production

console.log('Debug info'); // Remove in production

throw new Error('Unhandled'); // Catch all errors

// ✅ Proper error handling

try {

  riskyOperation();

} catch (error) {

  // Log to error tracking service

  errorTracker.captureException(error);

  // Show user-friendly message

  showErrorMessage('Something went wrong. Please try again.');

}

Error boundaries (React)

class ErrorBoundary extends React.Component {

  state = { hasError: false };

  static getDerivedStateFromError(error) {

    return { hasError: true };

  }

  componentDidCatch(error, info) {

    errorTracker.captureException(error, { extra: info });

  }

  render() {

    if (this.state.hasError) {

      return <FallbackUI />;

    }

    return this.props.children;

  }

}

// Usage

<ErrorBoundary>

  <App />

</ErrorBoundary>

Global error handler

// Catch unhandled errors

window.addEventListener('error', (event) => {

  errorTracker.captureException(event.error);

});

// Catch unhandled promise rejections

window.addEventListener('unhandledrejection', (event) => {

  errorTracker.captureException(event.reason);

});

Source maps

Production configuration

// ❌ Source maps exposed in production

// webpack.config.js

module.exports = {

  devtool: 'source-map', // Exposes source code

};

// ✅ Hidden source maps (uploaded to error tracker)

module.exports = {

  devtool: 'hidden-source-map',

};

// ✅ Or no source maps in production

module.exports = {

  devtool: process.env.NODE_ENV === 'production' ? false : 'source-map',

};

Performance best practices

Avoid blocking patterns

// ❌ Blocking script

<script src="heavy-library.js"></script>

// ✅ Deferred script

<script defer src="heavy-library.js"></script>

// ❌ Blocking CSS import

@import url('other-styles.css');

// ✅ Link tags (parallel loading)

<link rel="stylesheet" href="styles.css">

<link rel="stylesheet" href="other-styles.css">

Efficient event handlers

// ❌ Handler on every element

items.forEach(item => {

  item.addEventListener('click', handleClick);

});

// ✅ Event delegation

container.addEventListener('click', (e) => {

  if (e.target.matches('.item')) {

    handleClick(e);

  }

});

Memory management

// ❌ Memory leak (never removed)

const handler = () => { /* ... */ };

window.addEventListener('resize', handler);

// ✅ Cleanup when done

const handler = () => { /* ... */ };

window.addEventListener('resize', handler);

// Later, when component unmounts:

window.removeEventListener('resize', handler);

// ✅ Using AbortController

const controller = new AbortController();

window.addEventListener('resize', handler, { signal: controller.signal });

// Cleanup:

controller.abort();

Code quality

Valid HTML

<!-- ❌ Invalid HTML -->

<div id="header">

<div id="header"> <!-- Duplicate ID -->

<ul>

  <div>Item</div> <!-- Invalid child -->

</ul>

<a href="/"><button>Click</button></a> <!-- Invalid nesting -->

<!-- ✅ Valid HTML -->

<header id="site-header">

</header>

<ul>

  <li>Item</li>

</ul>

<a href="/" class="button">Click</a>

Semantic HTML

<!-- ❌ Non-semantic -->

<div class="header">

  <div class="nav">

    <div class="nav-item">Home</div>

  </div>

</div>

<div class="main">

  <div class="article">

    <div class="title">Headline</div>

  </div>

</div>

<!-- ✅ Semantic HTML5 -->

<header>

  <nav>

    <a href="/">Home</a>

  </nav>

</header>

<main>

  <article>

    <h1>Headline</h1>

  </article>

</main>

Image aspect ratios

<!-- ❌ Distorted images -->

<img src="photo.jpg" width="300" height="100">

<!-- If actual ratio is 4:3, this squishes the image -->

<!-- ✅ Preserve aspect ratio -->

<img src="photo.jpg" width="300" height="225">

<!-- Actual 4:3 dimensions -->

<!-- ✅ CSS object-fit for flexibility -->

<img src="photo.jpg" style="width: 300px; height: 200px; object-fit: cover;">

Permissions &#x26; privacy

Request permissions properly

// ❌ Request on page load (bad UX, often denied)

navigator.geolocation.getCurrentPosition(success, error);

// ✅ Request in context, after user action

findNearbyButton.addEventListener('click', async () => {

  // Explain why you need it

  if (await showPermissionExplanation()) {

    navigator.geolocation.getCurrentPosition(success, error);

  }

});

Permissions policy

<!-- Restrict powerful features -->

<meta http-equiv="Permissions-Policy"

      content="geolocation=(), camera=(), microphone=()">

<!-- Or allow for specific origins -->

<meta http-equiv="Permissions-Policy"

      content="geolocation=(self 'https://maps.example.com')">

Audit checklist

Security (critical)

  • HTTPS enabled, no mixed content
  • No vulnerable dependencies (npm audit)
  • CSP headers configured
  • Security headers present
  • No exposed source maps

Compatibility

  • Valid HTML5 doctype
  • Charset declared first in head
  • Viewport meta tag present
  • No deprecated APIs used
  • Passive event listeners for scroll/touch

Code quality

  • No console errors
  • Valid HTML (no duplicate IDs)
  • Semantic HTML elements used
  • Proper error handling
  • Memory cleanup in components

UX

  • No intrusive interstitials
  • Permission requests in context
  • Clear error messages
  • Appropriate image aspect ratios

Tools

Tool

Purpose

npm audit

Dependency vulnerabilities

SecurityHeaders.com

Header analysis

W3C Validator

HTML validation

Lighthouse

Best practices audit

Observatory

Security scan

References

BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

frontend-design
3/3

Distinctive, production-grade frontend interfaces that reject generic AI aesthetics. Guides design thinking before coding: establish bold aesthetic direction (brutalist, maximalist, retro-futuristic, luxury, playful, etc.) with clear purpose, tone, and differentiation Emphasizes typography, color theming, motion, spatial composition, and textural details as core design pillars; uses CSS variables, animations, and scroll-triggered effects Generates working, functional code (HTML/CSS/JS, React, Vue) that matches implementation complexity to aesthetic vision: elaborate code for maximalist designs, restrained precision for minimalist ones Explicitly avoids generic patterns: overused fonts (Inter, Roboto), clichéd color schemes (purple gradients), predictable layouts, and cookie-cutter component design

Verified authoranthropics
SKILLS.SH
422K139K
2026-05-22
web-design-guidelines
2/3

Audit UI code against Vercel's Web Interface Guidelines for design and accessibility compliance. Fetches the latest guidelines from a remote source before each review, ensuring rules stay current Accepts file paths or patterns as arguments; prompts for files if none provided Outputs findings in a terse file:line format for quick scanning and remediation Covers design, accessibility, and UX best practices as defined in the guidelines repository

Verified authorvercel-labs
SKILLS.SH
318K26.9K
2026-05-22
vercel-composition-patterns
3/3

React composition patterns for scaling components and avoiding boolean prop proliferation. Covers four priority categories: component architecture, state management, implementation patterns, and React 19 APIs, each with specific rules and code examples Includes 10+ named patterns addressing compound components, context providers, state lifting, and explicit variants Designed for refactoring bloated components, building reusable libraries, and reviewing component architecture decisions React 19 specific guidance on removing forwardRef and using use() instead of useContext()

Verified authorvercel-labs
SKILLS.SH
172K26.9K
2026-05-22
ui-ux-pro-max
2/3

Comprehensive design intelligence for web and mobile UI/UX across 10 technology stacks. Includes 50+ design styles, 161 color palettes, 57 font pairings, and 99 UX guidelines with priority-ranked rules for accessibility, touch interaction, performance, and responsive layout Searchable database with design-system generation that recommends patterns, colors, typography, and effects based on product type and keywords; supports light/dark mode and platform-specific guidance (iOS HIG, Material Design, React Native) Covers 10 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind, shadcn/ui, HTML/CSS) with implementation-specific best practices and performance optimization rules Provides 25 chart types, 161 product type patterns, and pre-built templates for websites, landing pages, dashboards, admin panels, e-commerce, SaaS, portfolios, blogs, and mobile apps with component libraries (buttons, modals, forms, tables, cards, charts)

nextlevelbuilder
SKILLS.SH
158K81.3K
2026-05-22

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card