Backend API Security Skill
This skill provides comprehensive guidelines and patterns for securing backend APIs and handling sensitive authentication logic. It is based on the wshobson/agents security-auditor workflows.
Core Capabilities
- •Secure Authentication: Implementation of OAuth2, OpenID Connect, and JWT (JSON Web Tokens) with proper signing and rotation.
- •Granular Authorization: Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) patterns.
- •API Hardening:
- •Rate limiting and throttling.
- •Input validation and sanitization to prevent injection (SQLi, NoSQLi).
- •Proper CORS (Cross-Origin Resource Sharing) and CSP (Content Security Policy) configuration.
- •Secret Management: Best practices for storing and accessing API keys, certificates, and environment variables (e.g., HashiCorp Vault, AWS Secrets Manager).
- •Security Auditing: SAST (Static Application Security Testing) and automated dependency scanning.
Usage Guidelines
- •Defense in Depth: Never rely on a single security measure. Combine authentication, authorization, and validation.
- •Principle of Least Privilege: Ensure users and services only have the minimum permissions required.
- •Fail Securely: Systems should default to a secure state in case of an error.
- •Encrypt at Rest and in Transit: Use TLS for all API communications and encrypt sensitive data in the database.
Example Prompts
- •"Implement a JWT-based authentication flow for the ExifTool service."
- •"Apply rate limiting to the metadata injection endpoint to prevent brute-force attacks."
- •"Perform a security audit of the current Python backend and suggest hardening measures."
- •"Configure secure CORS settings for the frontend-to-backend communication."