Api Hardening

What it does

This skill provides guidance and code examples for API hardening, focusing on defense-in-depth strategies to protect APIs from abuse, injection attacks, and data leakage. It specifically demonstrates rate limiting implementation using Express.js and Redis, offering different configurations for general API usage, authentication endpoints, and password reset requests. The goal is to prevent brute force attacks, accidental or intentional DDoS events, and unexpected cloud provider costs.

When to use it

• When building APIs that require protection against abuse and malicious attacks.
• During the development of authentication flows where limiting login attempts is crucial.
• To implement rate limits for password reset functionality to prevent misuse.
• When needing guidance on securing Express.js applications with rate limiting.

Key capabilities

• Provides code examples for implementing API rate limiting in Express.js.
• Demonstrates the use of express-rate-limit and Redis for storing rate limit data.
• Offers different rate limiting configurations based on endpoint sensitivity (general, authentication, password reset).
• Includes example logic to skip rate limiting for health check endpoints.
• Shows how to customize rate limits by combining IP address and email in the key generator for authentication.

Example prompts

• "Show me an example of implementing a general API rate limit using Express.js."
• "How can I rate limit login attempts with Express.js, considering both IP address and email?"
• "Give me code to set up a password reset rate limiter in my Express.js application."

Tips & gotchas

• Requires an active Redis server accessible via the REDIS_URL environment variable.
• The provided examples are specific to Express.js; adaptation may be needed for other frameworks.
• Consider carefully choosing appropriate rate limit values (max) based on your application's needs and expected traffic.