
API Security Hardening


Protect REST APIs against common vulnerabilities with multiple security layers.

Security Middleware Stack (Express)

const express = require('express');
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');

const app = express();

// Baseline hardening: default security headers, removal of MongoDB
// operator keys ($, .) from request data, and XSS sanitization of input.
app.use(helmet());
app.use(mongoSanitize());
app.use(xss());

// General API limit: 100 requests per client per 15-minute window.
app.use('/api/', rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));

// Much tighter limit on authentication routes to slow brute-force and
// credential-stuffing attempts.
app.use('/api/auth/', rateLimit({ windowMs: 15 * 60 * 1000, max: 5 }));

Input Validation

const { body, validationResult } = require('express-validator');

app.post(
  '/users',
  body('email').isEmail().normalizeEmail(),
  // At least 8 characters, one uppercase letter and one digit
  body('password').isLength({ min: 8 }).matches(/[A-Z]/).matches(/[0-9]/),
  body('name').trim().escape().isLength({ max: 100 }),
  (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    // Process request
  }
);

Security Headers

// helmet() above already sets equivalents of most of these; this middleware
// pins the exact values the API should send. Register it before the routes.
app.use((req, res, next) => {
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  res.setHeader('X-XSS-Protection', '1; mode=block');
  next();
});

Security Checklist

  • HTTPS everywhere

  • Authentication on all protected routes

  • Input validation and sanitization

  • Rate limiting enabled

  • Security headers configured

  • CORS restricted to allowed origins

  • No stack traces in production errors

  • Audit logging enabled

  • Dependencies regularly updated

Additional Implementations

See references/python-nginx.md for:

  • Python FastAPI security middleware

  • Pydantic input validation with password rules

  • Nginx SSL/TLS and security headers configuration

  • HTTP Parameter Pollution prevention

Never Do

  • Trust user input without validation

  • Return detailed errors in production

  • Store secrets in code

  • Use GET for state-changing operations

  • Disable security for convenience
