
api-security

API security guardrail enforcing OWASP Top 10, authentication, input validation, and XSS prevention for secure backend development.

Introduction

This guardrail skill is designed for backend engineers and developers building or maintaining RESTful and GraphQL APIs. It provides comprehensive security coverage to prevent common vulnerabilities, focusing on secure-by-design principles. The skill monitors for insecure patterns such as missing authentication, improper authorization, unvalidated user input, and lack of rate limiting. By providing real-time best practices, it helps teams implement robust defenses against injection attacks, cross-site scripting (XSS), and data exposure, ensuring compliance with industry standards like the OWASP Top 10.

  • Enforces strict authentication (JWT, token standards) and granular authorization checks.

  • Automates input validation logic using Pydantic or equivalent framework-native validators.

  • Prevents SQL injection by mandating parameterized queries and secure ORM usage.

  • Mitigates XSS through output sanitization, Content Security Policy (CSP) headers, and secure content handling.

  • Implements rate limiting and throttling to prevent Denial of Service (DoS) and brute-force attacks.

  • Protects against common API vulnerabilities like insecure direct object references (IDOR) and broken function-level authorization.

  • Activate this skill when creating new endpoints, modifying request handlers, or updating middleware.

  • Use it during code reviews to identify hardcoded secrets, lack of error handling, or insecure database interactions.

  • It acts as an interactive security checklist, providing code snippets for implementation patterns in Python, JavaScript, and Node.js.

  • Input requirements include endpoint definitions, route structures, and data schemas.

  • Expected outputs are secure, production-ready code blocks adhering to hardening standards.

Repository Stats

  • Stars: 38

  • Forks: 3

  • Open Issues: 1

  • Language: TypeScript

  • Default Branch: main

  • Last Synced: May 3, 2026, 05:10 AM