AgentSkillsCN

api-security-best-practices

实施安全的 API 设计模式,包括身份验证、授权、输入校验、速率限制,以及防范常见 API 漏洞的防护措施。

SKILL.md
--- frontmatter
version: 4.1.0-fractal
name: api-security-best-practices
description: "Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities"

API Security Best Practices

Overview

Guide developers in building secure APIs by implementing authentication, authorization, input validation, rate limiting, and protection against common vulnerabilities. This skill covers security patterns for REST, GraphQL, and WebSocket APIs.

When to Use This Skill

  • Use when designing new API endpoints
  • Use when securing existing APIs
  • Use when implementing authentication and authorization
  • Use when protecting against API attacks (injection, DDoS, etc.)
  • Use when conducting API security reviews
  • Use when preparing for security audits
  • Use when implementing rate limiting and throttling
  • Use when handling sensitive data in APIs

How It Works

🧠 Knowledge Modules (Fractal Skills)

1. Step 1: Authentication & Authorization

2. Step 2: Input Validation & Sanitization

3. Step 3: Rate Limiting & Throttling

4. Step 4: Data Protection

5. Step 5: API Security Testing

6. Example 1: Implementing JWT Authentication

7. Authentication Flow

8. Implementation

9. Security Best Practices

10. Example 2: Input Validation and SQL Injection Prevention

11. The Problem

12. The Solution

13. Validation Checklist

14. Example 3: Rate Limiting and DDoS Protection

15. Why Rate Limiting?

16. Implementation with Express Rate Limit

17. Advanced: Per-User Rate Limiting

18. DDoS Protection with Helmet

19. Rate Limit Response Headers

20. ✅ Do This

21. ❌ Don't Do This

22. Problem: JWT Secret Exposed in Code

23. Problem: Weak Password Requirements

24. Problem: Missing Authorization Checks

25. Problem: Verbose Error Messages

26. Authentication & Authorization

27. Input Validation

28. Rate Limiting & DDoS Protection

29. Data Protection

30. Monitoring & Logging