api-security-best-practices
Implement API Security Best Practices
Build secure APIs that protect against authentication bypass, injection attacks, and DDoS by implementing JWT authentication, input validation, rate limiting, and OWASP-recommended security patterns.
Download the skill ZIP
Upload in Claude
Go to Settings → Capabilities → Skills → Upload skill
Toggle on and start using
Test it
Using "api-security-best-practices". How do I implement secure JWT authentication?
Expected outcome:
Key implementation steps: 1) Use strong 256-bit JWT secrets from environment variables, 2) Set short expiration (1 hour) for access tokens, 3) Implement refresh tokens stored in database, 4) Verify issuer and audience claims, 5) Use HTTPS only, 6) Implement token blacklist for logout. Example code shows login endpoint with bcrypt password verification and JWT signing.
Using "api-security-best-practices". What rate limiting strategy should I use?
Expected outcome:
Implement tiered rate limiting: 1) General API limit (100 requests per 15 minutes), 2) Stricter limit for auth endpoints (5 attempts per 15 minutes), 3) Per-user limits based on subscription tier, 4) Use Redis for distributed rate limiting, 5) Return proper rate limit headers. Example uses express-rate-limit with Redis store.
Using "api-security-best-practices". How do I prevent SQL injection?
Expected outcome:
Never concatenate user input into SQL queries. Use: 1) Parameterized queries or ORM (Prisma, Sequelize), 2) Input validation with Zod or Joi, 3) Allowlists for data types, 4) Sanitize HTML for XSS with DOMPurify. Example shows vulnerable string concatenation vs safe parameterized query.
Security Audit
SafeThis is a legitimate educational skill about API security best practices. All 117 static findings are false positives: the backtick patterns are markdown code formatting, environment variable access demonstrates proper secret management, URLs are documentation links, and heuristic alerts fire because the skill comprehensively covers security topics together. No actual security risks detected.
Quality Score
What You Can Build
Secure New API Development
Use this skill to guide secure design when building new REST, GraphQL, or WebSocket APIs from scratch
Harden Existing APIs
Review and improve security of existing APIs by implementing authentication, rate limiting, and input validation
Security Audit Preparation
Prepare APIs for security audits by following OWASP Top 10 guidelines and implementing recommended protections
Try These Prompts
Help me implement JWT authentication for my API. I need login, token verification middleware, and token refresh endpoints.
Show me how to prevent SQL injection in my Node.js API. Include parameterized query examples and input validation.
Implement rate limiting for my Express API. I want different limits for regular users versus authentication endpoints.
Review my API against the OWASP API Security Top 10. What vulnerabilities should I check for and how do I fix them?
Best Practices
- Always use HTTPS and enforce TLS for all API traffic
- Validate and sanitize all user input before processing
- Implement defense in depth with multiple security layers
Avoid
- Storing sensitive data in JWT payload (not encrypted)
- Hardcoding secrets in source code
- Exposing detailed error messages in production
Frequently Asked Questions
Does this skill test my API for vulnerabilities?
What authentication methods does this skill cover?
Is this skill only for Node.js APIs?
Does this skill help with compliance?
Can I use this for GraphQL APIs?
How often should I update my API security?
Developer Details
Author
sickn33License
MIT
Repository
https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/api-security-best-practicesRef
main
File structure
📄 SKILL.md