Api Security Review

🌐 Community
by bobmatnyc · vlatest · Repository

Helps with API security code review as part of implementing security and authentication workflows.

Install on your platform

We auto-selected Claude Code based on this skill’s supported platforms.

1. Run in terminal (recommended):

claude mcp add api-security-review npx -- -y @trustedskills/api-security-review
2. Or manually add to ~/.claude/settings.json:

{
  "mcpServers": {
    "api-security-review": {
      "command": "npx",
      "args": [
        "-y",
        "@trustedskills/api-security-review"
      ]
    }
  }
}

Requires Claude Code (claude CLI). Run claude --version to verify your install.

About This Skill

What it does

This skill provides a comprehensive security checklist for API endpoint development, ensuring proper authentication, authorization, input validation, output safety, and security logging are implemented before deployment. It helps developers proactively identify and address potential vulnerabilities in their APIs, contributing to more secure applications. The skill includes example code snippets demonstrating authentication patterns using Next.js (with Clerk), Express.js (with JWT), FastAPI (with OAuth2), and Django REST Framework.

When to use it

  • Before merging any pull request (PR) with API changes.
  • When creating new API endpoints.
  • When modifying authentication/authorization logic.
  • During security audits of existing APIs.
  • For code review of API routes.

Key capabilities

  • Authentication Checks: Verifies user identity before processing requests.
  • Authorization Checks: Ensures ownership and permission checks are implemented.
  • Input Validation: Requires all inputs to be validated using schema definitions (e.g., Zod, Joi).
  • Output Safety: Prevents exposure of sensitive data in API responses.
  • Security Logging: Ensures security events are logged appropriately.
  • Rate Limiting: Encourages configuration for protection against abuse.
  • Error Handling: Checks that no system information is leaked in error messages.
  • Example Code Snippets: Provides authentication examples using Next.js, Express.js, FastAPI, and Django REST Framework.

Example prompts

  • "Review this API route for security vulnerabilities."
  • "Check the authentication logic in this endpoint."
  • "Perform a pre-deployment security audit on this API code."

Tips & gotchas

  • The skill focuses specifically on API security; it does not cover broader development tasks.
  • It assumes familiarity with common authentication patterns and technologies like JWT, OAuth2, and Clerk.
  • Input validation requires the use of schema definition libraries such as Zod or Joi.


TrustedSkills Verification

Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates — what you install today is exactly what was reviewed and verified.

Security Audits

Gen Agent Trust Hub: Pass
Socket: Pass
Snyk: Pass

Details

Version: vlatest
License: (not listed)
Author: bobmatnyc
Installs: 102

Passed automated security scans.