Skills

api-security-checker

Installation
SKILL.md

API Security Checker

Audit API security and identify vulnerabilities based on OWASP Top 10.

Quick Start

Check authentication, validate inputs, prevent SQL injection, implement rate limiting, use HTTPS.

Instructions

OWASP Top 10 for APIs

1. Broken Object Level Authorization:

// Bad: No authorization check
app.get('/api/users/:id', (req, res) => {
  const user = await User.findById(req.params.id);
  res.json(user);
});

// Good: Check ownership
app.get('/api/users/:id', auth, async (req, res) => {
  if (req.user.id !== req.params.id && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = await User.findById(req.params.id);
  res.json(user);
});

2. Broken Authentication:

// Bad: Weak password requirements
const isValidPassword = (password) => password.length >= 6;

// Good: Strong requirements
const isValidPassword = (password) => {
  return password.length >= 12 &&
    /[A-Z]/.test(password) &&
    /[a-z]/.test(password) &&
    /[0-9]/.test(password) &&
    /[^A-Za-z0-9]/.test(password);
};

// Implement rate limiting
const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // 5 attempts
  message: 'Too many login attempts'
});

app.post('/api/login', loginLimiter, loginHandler);

3. Excessive Data Exposure:

// Bad: Exposing sensitive data
app.get('/api/users/:id', async (req, res) => {
  const user = await User.findById(req.params.id);
  res.json(user); // Includes password hash, email, etc.
});

// Good: Return only necessary fields
app.get('/api/users/:id', async (req, res) => {
  const user = await User.findById(req.params.id)
    .select('id username avatar');
  res.json(user);
});

4. Lack of Resources & Rate Limiting:

const rateLimit = require('express-rate-limit');

const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // 100 requests per window
  standardHeaders: true,
  legacyHeaders: false,
});

app.use('/api/', apiLimiter);

5. Broken Function Level Authorization:

// Bad: No role check
app.delete('/api/users/:id', auth, deleteUser);

// Good: Check admin role
app.delete('/api/users/:id', auth, requireAdmin, deleteUser);

function requireAdmin(req, res, next) {
  if (!req.user.isAdmin) {
    return res.status(403).json({ error: 'Admin access required' });
  }
  next();
}

6. Mass Assignment:

// Bad: Accepting all fields
app.put('/api/users/:id', async (req, res) => {
  await User.update(req.params.id, req.body); // Can set isAdmin!
});

// Good: Whitelist fields
app.put('/api/users/:id', async (req, res) => {
  const { name, email, avatar } = req.body;
  await User.update(req.params.id, { name, email, avatar });
});

7. Security Misconfiguration:

// Set security headers
const helmet = require('helmet');
app.use(helmet());

// Disable X-Powered-By
app.disable('x-powered-by');

// CORS configuration
const cors = require('cors');
app.use(cors({
  origin: process.env.ALLOWED_ORIGINS.split(','),
  credentials: true
}));

8. Injection:

// Bad: SQL injection vulnerable
const query = `SELECT * FROM users WHERE email = '${email}'`;

// Good: Parameterized query
const query = 'SELECT * FROM users WHERE email = $1';
const result = await db.query(query, [email]);

// Input validation
const { body, validationResult } = require('express-validator');

app.post('/api/users',
  body('email').isEmail().normalizeEmail(),
  body('name').trim().escape(),
  async (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    // Process request
  }
);

9. Improper Assets Management:

// Document API versions
// Deprecate old versions
// Remove unused endpoints

// Version API
app.use('/api/v1', v1Routes);
app.use('/api/v2', v2Routes);

// Deprecation header
app.use('/api/v1', (req, res, next) => {
  res.set('Deprecation', 'true');
  res.set('Sunset', 'Sat, 31 Dec 2024 23:59:59 GMT');
  next();
});

10. Insufficient Logging & Monitoring:

const winston = require('winston');

const logger = winston.createLogger({
  level: 'info',
  format: winston.format.json(),
  transports: [
    new winston.transports.File({ filename: 'error.log', level: 'error' }),
    new winston.transports.File({ filename: 'combined.log' })
  ]
});

// Log security events
app.post('/api/login', async (req, res) => {
  try {
    const user = await authenticate(req.body);
    logger.info('Login successful', { userId: user.id, ip: req.ip });
    res.json({ token: generateToken(user) });
  } catch (error) {
    logger.warn('Login failed', { email: req.body.email, ip: req.ip });
    res.status(401).json({ error: 'Invalid credentials' });
  }
});

Authentication Security

JWT best practices:

const jwt = require('jsonwebtoken');

// Generate token
const generateToken = (user) => {
  return jwt.sign(
    { id: user.id, email: user.email },
    process.env.JWT_SECRET,
    { expiresIn: '15m' } // Short expiry
  );
};

// Generate refresh token
const generateRefreshToken = (user) => {
  return jwt.sign(
    { id: user.id },
    process.env.REFRESH_SECRET,
    { expiresIn: '7d' }
  );
};

// Verify token
const verifyToken = (req, res, next) => {
  const token = req.headers.authorization?.split(' ')[1];
  
  if (!token) {
    return res.status(401).json({ error: 'No token provided' });
  }
  
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    req.user = decoded;
    next();
  } catch (error) {
    return res.status(401).json({ error: 'Invalid token' });
  }
};

Password hashing:

const bcrypt = require('bcrypt');

// Hash password
const hashPassword = async (password) => {
  const salt = await bcrypt.genSalt(12);
  return bcrypt.hash(password, salt);
};

// Verify password
const verifyPassword = async (password, hash) => {
  return bcrypt.compare(password, hash);
};

Input Validation

Sanitize inputs:

const validator = require('validator');

// Email validation
if (!validator.isEmail(email)) {
  return res.status(400).json({ error: 'Invalid email' });
}

// URL validation
if (!validator.isURL(url)) {
  return res.status(400).json({ error: 'Invalid URL' });
}

// Escape HTML
const sanitized = validator.escape(userInput);

Schema validation:

const Joi = require('joi');

const userSchema = Joi.object({
  email: Joi.string().email().required(),
  password: Joi.string().min(12).required(),
  name: Joi.string().min(2).max(50).required()
});

app.post('/api/users', async (req, res) => {
  const { error, value } = userSchema.validate(req.body);
  if (error) {
    return res.status(400).json({ error: error.details[0].message });
  }
  // Process validated data
});

Authorization

Role-Based Access Control (RBAC):

const roles = {
  user: ['read:own'],
  admin: ['read:any', 'write:any', 'delete:any']
};

const checkPermission = (permission) => {
  return (req, res, next) => {
    const userPermissions = roles[req.user.role] || [];
    if (!userPermissions.includes(permission)) {
      return res.status(403).json({ error: 'Insufficient permissions' });
    }
    next();
  };
};

app.delete('/api/users/:id',
  auth,
  checkPermission('delete:any'),
  deleteUser
);

HTTPS and Transport Security

Force HTTPS:

app.use((req, res, next) => {
  if (req.header('x-forwarded-proto') !== 'https' && process.env.NODE_ENV === 'production') {
    res.redirect(`https://${req.header('host')}${req.url}`);
  } else {
    next();
  }
});

Security headers:

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      scriptSrc: ["'self'"],
      imgSrc: ["'self'", 'data:', 'https:']
    }
  },
  hsts: {
    maxAge: 31536000,
    includeSubDomains: true,
    preload: true
  }
}));

CORS Configuration

const corsOptions = {
  origin: (origin, callback) => {
    const allowedOrigins = process.env.ALLOWED_ORIGINS.split(',');
    if (!origin || allowedOrigins.includes(origin)) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  },
  credentials: true,
  optionsSuccessStatus: 200
};

app.use(cors(corsOptions));

API Key Security

const apiKeyAuth = (req, res, next) => {
  const apiKey = req.header('X-API-Key');
  
  if (!apiKey) {
    return res.status(401).json({ error: 'API key required' });
  }
  
  // Verify API key (use hashed comparison)
  const isValid = await verifyApiKey(apiKey);
  if (!isValid) {
    return res.status(401).json({ error: 'Invalid API key' });
  }
  
  next();
};

Security Checklist

Authentication:

  • Strong password requirements
  • Password hashing (bcrypt, argon2)
  • JWT with short expiry
  • Refresh token mechanism
  • Rate limiting on auth endpoints
  • MFA for sensitive operations

Authorization:

  • Check user permissions
  • Validate resource ownership
  • Implement RBAC or ABAC
  • Principle of least privilege

Input Validation:

  • Validate all inputs
  • Sanitize user data
  • Use parameterized queries
  • Whitelist allowed fields
  • Validate file uploads

Transport Security:

  • HTTPS only
  • Security headers (Helmet)
  • CORS configured properly
  • HSTS enabled

API Security:

  • Rate limiting
  • API versioning
  • Error handling (no stack traces)
  • Logging security events
  • API documentation

Data Protection:

  • Encrypt sensitive data
  • Secure session storage
  • No secrets in code
  • Environment variables
  • Regular security audits

Best Practices

Defense in depth:

  • Multiple security layers
  • Fail securely
  • Least privilege
  • Regular updates

Secure defaults:

  • HTTPS required
  • Strong authentication
  • Input validation
  • Rate limiting enabled

Monitoring:

  • Log security events
  • Monitor for anomalies
  • Alert on suspicious activity
  • Regular security audits
Related skills

More from armanzeroeight/fastagent-plugins

Installs
8
Repository
armanzeroeight/…-plugins
GitHub Stars
27
First Seen
Feb 4, 2026
Security Audits
Gen Agent Trust HubFail
SocketPass
SnykPass