api-security-best-practices

What it does

This skill equips AI agents with a comprehensive framework for implementing robust API security measures, including authentication, authorization, and data protection strategies. It provides actionable guidance to secure endpoints against common vulnerabilities like injection attacks and unauthorized access.

When to use it

• Designing new REST or GraphQL APIs that require strict access control mechanisms.
• Auditing existing API implementations for potential security gaps before deployment.
• Generating code snippets that enforce secure headers, rate limiting, and encryption.
• Creating incident response plans for suspected API breaches or token theft.

Key capabilities

• Implements OAuth2 and OIDC authentication flows.
• Enforces role-based access control (RBAC) policies.
• Configures HTTPS/TLS encryption standards.
• Applies input validation to prevent SQL injection and XSS.
• Sets up rate limiting and throttling mechanisms.
• Generates security headers like CSP and HSTS.

Example prompts

"Generate a secure Python FastAPI endpoint that requires JWT authentication and validates user roles." "List the top 5 security misconfigurations I should check in my Node.js Express API before launching to production." "Create a checklist for securing an OpenAPI specification with proper rate limiting and encryption settings."

Tips & gotchas

Ensure your AI agent has access to up-to-date vulnerability databases, as threat landscapes evolve rapidly. Always test generated security configurations in a sandboxed environment before applying them to live systems to avoid unintended service disruptions.