AgentSkillsCN

Api Security Best Practices

API 安全最佳实践

SKILL.md

API Security Best Practices

Overview

Guide developers in building secure APIs by implementing authentication, authorization, input validation, rate limiting, and protection against common vulnerabilities. This skill covers security patterns for REST, GraphQL, and WebSocket APIs.

When to Use This Skill

  • Use when designing new API endpoints
  • Use when securing existing APIs
  • Use when implementing authentication and authorization
  • Use when protecting against API attacks (injection, DDoS, etc.)
  • Use when conducting API security reviews
  • Use when preparing for security audits
  • Use when implementing rate limiting and throttling
  • Use when handling sensitive data in APIs

How It Works

Step 1: Authentication & Authorization

Help implement secure authentication:

  • Choose authentication method (JWT, OAuth 2.0, API keys)
  • Implement token-based authentication
  • Set up role-based access control (RBAC)
  • Secure session management
  • Implement multi-factor authentication (MFA)

Step 2: Input Validation & Sanitization

Protect against injection attacks:

  • Validate all input data
  • Sanitize user inputs
  • Use parameterized queries
  • Implement request schema validation
  • Prevent SQL injection, XSS, and command injection

Step 3: Rate Limiting & Throttling

Prevent abuse and DDoS attacks:

  • Implement rate limiting per user/IP
  • Set up API throttling
  • Configure request quotas
  • Handle rate limit errors gracefully
  • Monitor for suspicious activity

Step 4: Data Protection

Secure sensitive data:

  • Encrypt data in transit (HTTPS/TLS)
  • Encrypt sensitive data at rest
  • Implement proper error handling (no data leaks)
  • Sanitize error messages
  • Use secure headers

Step 5: API Security Testing

Verify security implementation:

  • Test authentication and authorization
  • Perform penetration testing
  • Check for common vulnerabilities (OWASP API Top 10)
  • Validate input handling
  • Test rate limiting

Best Practices

Do This

  • Use HTTPS Everywhere - Never send sensitive data over HTTP
  • Implement Authentication - Require authentication for protected endpoints
  • Validate All Inputs - Never trust user input
  • Use Parameterized Queries - Prevent SQL injection
  • Implement Rate Limiting - Protect against brute force and DDoS
  • Hash Passwords - Use bcrypt with salt rounds >= 10
  • Use Short-Lived Tokens - JWT access tokens should expire quickly
  • Implement CORS Properly - Only allow trusted origins
  • Log Security Events - Monitor for suspicious activity
  • Keep Dependencies Updated - Regularly update packages
  • Use Security Headers - Implement Helmet.js
  • Sanitize Error Messages - Don't leak sensitive information

Don't Do This

  • Don't Store Passwords in Plain Text - Always hash passwords
  • Don't Use Weak Secrets - Use strong, random JWT secrets
  • Don't Trust User Input - Always validate and sanitize
  • Don't Expose Stack Traces - Hide error details in production
  • Don't Use String Concatenation for SQL - Use parameterized queries
  • Don't Store Sensitive Data in JWT - JWTs are not encrypted
  • Don't Ignore Security Updates - Update dependencies regularly
  • Don't Use Default Credentials - Change all default passwords
  • Don't Disable CORS Completely - Configure it properly instead
  • Don't Log Sensitive Data - Sanitize logs

Common Pitfalls

Problem: JWT Secret Exposed in Code

Symptoms: JWT secret hardcoded or committed to Git

Solution: Use environment variables with validation. Generate strong secrets using cryptographic methods and require them before application startup.

Problem: Weak Password Requirements

Symptoms: Users can set weak passwords

Solution: Enforce minimum 12 characters, uppercase/lowercase letters, numbers, and special characters. Consider using entropy-checking libraries.

Problem: Missing Authorization Checks

Symptoms: Users can access resources they shouldn't

Solution: Check both authentication and authorization on every request. Verify user ownership or role for each protected resource.

Problem: Verbose Error Messages

Symptoms: Error messages reveal system details

Solution: Log full errors internally; return generic messages to clients.

Security Checklist

Authentication & Authorization

  • Implement strong authentication (JWT, OAuth 2.0)
  • Use HTTPS for all endpoints
  • Hash passwords with bcrypt (salt rounds >= 10)
  • Implement token expiration
  • Add refresh token mechanism
  • Verify user authorization for each request
  • Implement role-based access control (RBAC)

Input Validation

  • Validate all user inputs
  • Use parameterized queries or ORM
  • Sanitize HTML content
  • Validate file uploads
  • Implement request schema validation
  • Use allowlists, not blocklists

Rate Limiting & DDoS Protection

  • Implement rate limiting per user/IP
  • Add stricter limits for auth endpoints
  • Use Redis for distributed rate limiting
  • Return proper rate limit headers
  • Implement request throttling

Data Protection

  • Use HTTPS/TLS for all traffic
  • Encrypt sensitive data at rest
  • Don't store sensitive data in JWT
  • Sanitize error messages
  • Implement proper CORS configuration
  • Use security headers (Helmet.js)

Monitoring & Logging

  • Log security events
  • Monitor for suspicious activity
  • Set up alerts for failed auth attempts
  • Track API usage patterns
  • Don't log sensitive data

OWASP API Security Top 10

  1. Broken Object Level Authorization - Always verify user can access resource
  2. Broken Authentication - Implement strong authentication mechanisms
  3. Broken Object Property Level Authorization - Validate which properties user can access
  4. Unrestricted Resource Consumption - Implement rate limiting and quotas
  5. Broken Function Level Authorization - Verify user role for each function
  6. Unrestricted Access to Sensitive Business Flows - Protect critical workflows
  7. Server Side Request Forgery (SSRF) - Validate and sanitize URLs
  8. Security Misconfiguration - Use security best practices and headers
  9. Improper Inventory Management - Document and secure all API endpoints
  10. Unsafe Consumption of APIs - Validate data from third-party APIs