playbooks

home / skills / secondsky / claude-skills / api-security-hardening

api-security-hardening skill

/plugins/api-security-hardening/skills/api-security-hardening

This skill helps harden REST APIs by applying authentication, rate limiting, input validation, and security headers across routes for production security.

npx playbooks add skill secondsky/claude-skills --skill api-security-hardening

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
2.4 KB
---
name: api-security-hardening
description: REST API security hardening with authentication, rate limiting, input validation, security headers. Use for production APIs, security audits, defense-in-depth, or encountering vulnerabilities, injection attacks, CORS issues.
---

# API Security Hardening

Protect REST APIs against common vulnerabilities with multiple security layers.

## Security Middleware Stack (Express)

```javascript
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');

app.use(helmet());
app.use(mongoSanitize());
app.use(xss());

app.use('/api/', rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100
}));

app.use('/api/auth/', rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5
}));
```

## Input Validation

```javascript
const { body, validationResult } = require('express-validator');

app.post('/users',
  body('email').isEmail().normalizeEmail(),
  body('password').isLength({ min: 8 }).matches(/[A-Z]/).matches(/[0-9]/),
  body('name').trim().escape().isLength({ max: 100 }),
  (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    // Process request
  }
);
```

## Security Headers

```javascript
app.use((req, res, next) => {
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  res.setHeader('X-XSS-Protection', '1; mode=block');
  next();
});
```

## Security Checklist

- [ ] HTTPS everywhere
- [ ] Authentication on all protected routes
- [ ] Input validation and sanitization
- [ ] Rate limiting enabled
- [ ] Security headers configured
- [ ] CORS restricted to allowed origins
- [ ] No stack traces in production errors
- [ ] Audit logging enabled
- [ ] Dependencies regularly updated

## Additional Implementations

See [references/python-nginx.md](references/python-nginx.md) for:
- Python FastAPI security middleware
- Pydantic input validation with password rules
- Nginx SSL/TLS and security headers configuration
- HTTP Parameter Pollution prevention

## Never Do

- Trust user input without validation
- Return detailed errors in production
- Store secrets in code
- Use GET for state-changing operations
- Disable security for convenience

Overview

This skill hardens REST APIs by applying layered security controls including authentication, rate limiting, input validation, and strong security headers. It provides practical middleware patterns, validation rules, and a concise checklist to move APIs toward production readiness. Use it to reduce attack surface and enforce defense-in-depth across services.

How this skill works

The skill outlines a middleware stack that integrates common Express utilities (helmet, rate limiting, input sanitizers, XSS protection) and demonstrates route-level limits for sensitive endpoints. It shows concrete input validation rules using express-validator and illustrates explicit security headers and HSTS to protect clients and servers. A compact checklist and recommended ‘‘never do’’ rules guide secure operational practices and audits.

When to use it

  • Preparing an API for production deployment
  • Conducting a security audit or penetration test remediation
  • Mitigating injection, XSS, or parameter pollution risks
  • Restricting abusive clients and brute-force attempts with rate limits
  • Fixing CORS, header, or transport-security misconfigurations

Best practices

  • Enforce HTTPS everywhere and enable HSTS with a long max-age
  • Authenticate and authorize all protected routes; treat authentication endpoints cautiously with stricter rate limits
  • Validate and sanitize all input, never trust client data; use schema validation where possible
  • Set explicit security headers (CSP, X-Frame-Options, X-Content-Type-Options) and avoid exposing stack traces
  • Rotate secrets and avoid embedding credentials in source; keep dependencies updated and audit them regularly

Example use cases

  • Apply middleware stack to an Express API serving user accounts and payment endpoints
  • Harden authentication routes with tight rate limits to prevent credential stuffing
  • Add express-validator rules for signup and password complexity checks
  • Configure CSP and X-Content-Type-Options for an API used by single-page applications
  • Run the security checklist during pre-release and incident response to ensure key controls are present

FAQ

How do I choose rate limit values?

Start with conservative defaults (e.g., 100 requests per 15 minutes for general API, 5 per 15 minutes for auth endpoints) and adjust based on legitimate traffic patterns and monitoring.

Can these patterns be applied to frameworks other than Express?

Yes. The concepts—rate limiting, input validation, sanitization, and security headers—map to other frameworks like FastAPI, Django, or Spring; use their native middleware and validation libraries.