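Security breaches don't only happen to big companies; they happen to everyone who is unprepared. These prompts help you audit your systems, understand weaknesses, and build security practices that actually protect your data. Tested on ChatGPT, Gemini and Claude, so you know which model takes security most seriously.
| What you want to do | Best model |
|---|---|
| Audit an application's security posture | Claude |
| Design a modern password security system | ChatGPT |
| Identify and model potential threats | Claude |
| Build a security incident response plan | Gemini |
| Secure API endpoints | ChatGPT |
| Implement data privacy best practices | Gemini |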
Prompts
Audit an application's security posture
Conduct a security audit of my application.
Application type: [web app / mobile app / API / SaaS platform]
Stack: [languages, frameworks, databases, cloud provider]
Authentication: [method used: JWT, sessions, OAuth, etc.]
Sensitive data handled: [PII, payment info, health data, etc.]
Current security measures: [what you already have in place]
Compliance needs: [GDPR, HIPAA, SOC2, PCI-DSS, or none]
Audit and provide:
1. A security checklist organized by category (auth, data, network, infra)
2. Top 5 vulnerabilities to investigate immediately with severity ratings
3. OWASP Top 10 assessment: which risks apply to my stack
4. Data handling review: encryption at rest and in transit
5. Access control review: principle of least privilege analysis
6. A 30-day security improvement roadmap prioritized by risk
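Best model: Claude
Claude delivers the most thorough security audit, with severity-based prioritization. It understands compliance requirements in depth and ties weaknesses to specific regulatory risks rather than listing generic best practices.
Tested Feb 15, 2026
Pro tip
Include your compliance requirements even if you are not yet compliant. The AI builds a completely different security roadmap depending on whether you need SOC2 or a general security review.
Design a modern password security system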
Help me design a modern, user-friendly password security system.
Application type: [consumer app / enterprise / internal tool]
User base: [tech-savvy / general public / mixed]
Current auth: [password only / 2FA / SSO / OAuth]
Framework: [what you're building with]
Regulatory requirements: [any compliance needs]
User friction tolerance: [security-first / balanced / convenience-first]
Design:
1. Password policy that follows current NIST guidelines (not outdated rules)
2. Hashing strategy: algorithm, salt, pepper, and iteration recommendations
3. Multi-factor authentication implementation plan
4. Account lockout and rate limiting strategy that stops brute force without annoying users
5. Password reset flow that's secure AND user-friendly
6. A migration plan if upgrading from an insecure existing system
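Best model: ChatGPT
ChatGPT provides the most implementable authentication code, with framework-specific examples. Its NIST-compliant password policy is up to date, and it explains why common practices such as requiring special characters are actually outdated.
Tested Feb 15, 2026
Pro tip
Specify your framework and authentication library. Generic password security advice is everywhere, but knowing exactly how to implement bcrypt with Passport.js in an Express.js app is what saves time.
Identify and model potential threats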
Help me build a threat model for my application.
Application: [describe what it does and how users interact with it]
Architecture: [describe the system components and data flow]
Assets to protect: [most valuable data and functionality]
User types: [different roles and their access levels]
External integrations: [third-party services, APIs, payment processors]
Previous incidents: [any known security issues in the past]
Build a threat model:
1. Asset inventory: what's worth protecting and why
2. Trust boundary identification: where data crosses security boundaries
3. STRIDE analysis: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
4. Attack surface mapping: entry points an attacker could exploit
5. Risk matrix: likelihood vs. impact for each identified threat
6. Mitigation strategy for the top 5 highest-risk threats
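Best model: Claude
Claude performs the most systematic threat modeling, including a complete STRIDE analysis. It identifies not only technical weaknesses but also non-obvious attack vectors that stem from business-logic flaws.
Tested Feb 15, 2026
Pro tip
Describe the data flows, not just the architecture. Threats live where data moves between components. A system diagram without data flows is like a map without roads: the AI cannot find the dangerous paths.
Build a security incident response plan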
Help me create a security incident response plan.
Organization size: [number of employees and IT staff]
Infrastructure: [cloud / on-premise / hybrid]
Data sensitivity: [types of sensitive data you handle]
Current incident process: [what you do now, or nothing]
Regulatory requirements: [breach notification laws that apply]
Communication channels: [how your team communicates during emergencies]
Build an incident response playbook:
1. Incident classification system: severity levels with examples
2. First responder checklist: the first 30 minutes after detection
3. Containment procedures for common scenarios (ransomware, data breach, DDoS)
4. Communication templates: internal notification, customer notification, regulatory filing
5. Evidence preservation protocol: what to save and how
6. Post-incident review template and lessons-learned process
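Best model: Gemini
Gemini builds the most actionable incident response playbook, with clear step-by-step checklists. Its communication templates are professional and align with common regulatory frameworks.
Tested Feb 15, 2026
Pro tip
Run a tabletop exercise with your team before a real incident. The first time an incident response plan is used should not be a real breach. Exercises reveal gaps that reading alone will not.
Secure API endpoints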
Help me secure my API against common attack vectors.
API type: [REST / GraphQL / gRPC]
Authentication: [current auth mechanism]
Rate limiting: [current setup or none]
Public endpoints: [which endpoints are publicly accessible]
Sensitive operations: [operations that modify data or access PII]
Framework: [what you're building with]
Provide:
1. Input validation strategy: what to validate and how for each endpoint
2. Authentication and authorization hardening recommendations
3. Rate limiting configuration: different limits for different endpoint types
4. CORS configuration best practices for your architecture
5. API abuse detection: patterns that indicate malicious usage
6. Security headers and response hardening checklist
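Best model: ChatGPT
ChatGPT produces API security configurations that can be copied and pasted directly. Its rate-limiting configuration, CORS configuration and middleware implementations are all framework-specific and production-tested.
Tested Feb 15, 2026
Pro tip
After implementing the AI's recommendations, test your API security with the tools attackers use. Run your endpoints through tools such as OWASP ZAP or Burp Suite. Security that has not been tested is not security.
Implement data privacy best practices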
Help me implement data privacy best practices in my application.
Data collected: [list all personal data you collect]
Storage locations: [where data lives: database, file storage, logs, analytics]
Third-party sharing: [which services receive user data]
User geography: [where your users are located]
Current privacy measures: [what you've already implemented]
Compliance target: [GDPR / CCPA / both / other]
Provide:
1. Data inventory and classification: categorize all data by sensitivity level
2. Consent management implementation plan
3. Data minimization review: what data you're collecting but don't actually need
4. Right-to-deletion implementation guide (technical steps)
5. Privacy policy requirements based on your compliance targets
6. A data retention schedule: how long to keep each type of data and when to delete
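Best model: Gemini
Gemini produces the most structured privacy compliance framework, with clear regulatory mappings. Its data inventory and retention schedule are formatted for immediate use in compliance documentation.
Tested Feb 15, 2026
Pro tip
Audit analytics and logs first. Most privacy violations come not from data you store intentionally but from data you forgot you were collecting. Check error logs, analytics events and third-party scripts for hidden data collection.
Based on actual test results, not hypothetical speculation.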
Gemini
Best for incident response playbooks and privacy compliance frameworks. Creates structured, regulatory-aware documentation with clear checklists. Less detailed in application-level code security analysis.
Results from: Gemini 2.0 Flash · Tested Feb 15, 2026
ChatGPT
Best for API security and authentication implementation. Generates production-ready security code and configurations. Broad knowledge of security tools and platforms. Can suggest overly complex setups for small applications.
Results from: GPT-4o · Tested Feb 15, 2026
Claude
Best for security audits and threat modeling. Provides the most thorough vulnerability analysis with business-context-aware risk prioritization. Identifies attack vectors other models overlook.
Results from: Claude 3.5 Sonnet · Tested Feb 15, 2026
Grok
Excellent at real-world threat awareness and direct about actual security risks without sugarcoating. Provides practical, actionable security advice, though less systematic in compliance frameworks than GPT-4o or Claude.
Results from: Grok 2 · Tested Feb 15, 2026
Security is a process, not a product. You can't install security and forget about it. Schedule quarterly security reviews, keep dependencies updated, and assume that today's secure configuration will have vulnerabilities discovered tomorrow.
The weakest link is usually human. The best firewall in the world doesn't help if an employee clicks a phishing link. Include security awareness training in your plan, not just technical controls. AI can help you build phishing simulation exercises.
Don't store what you don't need. Every piece of data you store is a liability. Ask AI to help you audit what you actually need vs. what you collect 'just in case.' Deleting unnecessary data is the cheapest security improvement you'll ever make.