
Api Security Best Practices
Design and harden REST, GraphQL, or WebSocket APIs with auth, validation, rate limits, and defenses against common injection and abuse patterns.
Install
npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill api-security-best-practices
What is this skill?
- Step 1: authentication and authorization—JWT, OAuth 2.0, API keys, RBAC, sessions, MFA
- Step 2: input validation and sanitization with schema validation and injection prevention
- Covers REST, GraphQL, and WebSocket API security patterns
- Explicit triggers for new endpoints, security reviews, audits, and rate limiting
- Community-sourced checklist-style guidance for DDoS and sensitive-data handling
Adoption & trust: 7.4k installs on skills.sh; 40.1k GitHub stars; 3/3 security scanners passed (skills.sh audits).
Journey fit
Ship → security is the primary shelf because the skill targets pre-release hardening, audits, and attack-surface reduction rather than greenfield UI exploration. The security subphase aligns with the authentication, authorization, rate limiting, and audit-preparation items called out in the When to Use list.
Common Questions / FAQ
Is Api Security Best Practices safe to install?
skills.sh reports 3 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Api Security Best Practices
# API Security Best Practices

## Overview

Guide developers in building secure APIs by implementing authentication, authorization, input validation, rate limiting, and protection against common vulnerabilities. This skill covers security patterns for REST, GraphQL, and WebSocket APIs.

## When to Use This Skill

- Use when designing new API endpoints
- Use when securing existing APIs
- Use when implementing authentication and authorization
- Use when protecting against API attacks (injection, DDoS, etc.)
- Use when conducting API security reviews
- Use when preparing for security audits
- Use when implementing rate limiting and throttling
- Use when handling sensitive data in APIs

## How It Works

### Step 1: Authentication & Authorization

I'll help you implement secure authentication:

- Choose authentication method (JWT, OAuth 2.0, API keys)
- Implement token-based authentication
- Set up role-based access control (RBAC)
- Secure session management
- Implement multi-factor authentication (MFA)

### Step 2: Input Validation & Sanitization

Protect against injection attacks:

- Validate all input data
- Sanitize user inputs
- Use parameterized queries
- Implement request schema validation
- Prevent SQL injection, XSS, and command injection

### Step 3: Rate Limiting & Throttling

Prevent abuse and DDoS attacks:

- Implement rate limiting per user/IP
- Set up API throttling
- Configure request quotas
- Handle rate limit errors gracefully
- Monitor for suspicious activity

### Step 4: Data Protection

Secure sensitive data:

- Encrypt data in transit (HTTPS/TLS)
- Encrypt sensitive data at rest
- Implement proper error handling (no data leaks)
- Sanitize error messages
- Use secure headers

### Step 5: API Security Testing

Verify security implementation:

- Test authentication and authorization
- Perform penetration testing
- Check for common vulnerabilities (OWASP API Top 10)
- Validate input handling
- Test rate limiting

## Examples

### Example 1: Implementing JWT Authentication
```markdown
## Secure JWT Authentication Implementation

### Authentication Flow

1. User logs in with credentials
2. Server validates credentials
3. Server generates JWT token
4. Client stores token securely
5. Client sends token with each request
6. Server validates token

### Implementation

#### 1. Generate Secure JWT Tokens

\`\`\`javascript
// auth.js
const express = require('express');
const jwt = require('jsonwebtoken');
const bcrypt = require('bcrypt');

const app = express();
app.use(express.json()); // parse JSON bodies so req.body is populated
// `db` is the application's database client (e.g. a Prisma client), configured elsewhere

// Login endpoint
app.post('/api/auth/login', async (req, res) => {
  try {
    const { email, password } = req.body;

    // Validate input
    if (!email || !password) {
      return res.status(400).json({ error: 'Email and password are required' });
    }

    // Find user
    const user = await db.user.findUnique({ where: { email } });
    if (!user) {
      // Don't reveal if user exists
      return res.status(401).json({ error: 'Invalid credentials' });
    }

    // Verify password
    const validPassword = await bcrypt.compare(password, user.passwordHash);
    if (!validPassword) {
      return res.status(401).json({ error: 'Invalid credentials' });
    }

    // Generate JWT token
    const token = jwt.sign(
      { userId: user.id, email: user.email, role: user.role },
      process.env.JWT_SECRET,
      { expiresIn: '1h', issuer: 'your-app', audience: 'your-app-users' }
    );

    // Generate refresh token
    const refreshToken = jwt.sign(
      { userId: user.id },
      process.env.JWT_REFRESH_SECRET,
      { expiresIn: '7d' }
    );

    // Store refresh token in dat
\`\`\`
```