MR
Mayur Rathi
@mayurrathi
⭐ 40.7k GitHub stars

Api Security Best Practices

Api Security Best Practices is an design AI skill with a core value of Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities. It helps developers solve real-world problems in the design domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities

Last verified on: 2026-07-07

Quick Facts

Category design
Works With Claude
Source sickn33/antigravity-awesome-skills
Stars ⭐ 40.7k
Last Verified 2026-07-07
Risk Level Low
mkdir -p ./skills/api-security-best-practices && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/api-security-best-practices/SKILL.md -o ./skills/api-security-best-practices/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# API Security Best Practices


Overview


Guide developers in building secure APIs by implementing authentication, authorization, input validation, rate limiting, and protection against common vulnerabilities. This skill covers security patterns for REST, GraphQL, and WebSocket APIs.


When to Use This Skill


- Use when designing new API endpoints

- Use when securing existing APIs

- Use when implementing authentication and authorization

- Use when protecting against API attacks (injection, DDoS, etc.)

- Use when conducting API security reviews

- Use when preparing for security audits

- Use when implementing rate limiting and throttling

- Use when handling sensitive data in APIs


How It Works


Step 1: Authentication & Authorization


I'll help you implement secure authentication:

- Choose authentication method (JWT, OAuth 2.0, API keys)

- Implement token-based authentication

- Set up role-based access control (RBAC)

- Secure session management

- Implement multi-factor authentication (MFA)


Step 2: Input Validation & Sanitization


Protect against injection attacks:

- Validate all input data

- Sanitize user inputs

- Use parameterized queries

- Implement request schema validation

- Prevent SQL injection, XSS, and command injection


Step 3: Rate Limiting & Throttling


Prevent abuse and DDoS attacks:

- Implement rate limiting per user/IP

- Set up API throttling

- Configure request quotas

- Handle rate limit errors gracefully

- Monitor for suspicious activity


Step 4: Data Protection


Secure sensitive data:

- Encrypt data in transit (HTTPS/TLS)

- Encrypt sensitive data at rest

- Implement proper error handling (no data leaks)

- Sanitize error messages

- Use secure headers


Step 5: API Security Testing


Verify security implementation:

- Test authentication and authorization

- Perform penetration testing

- Check for common vulnerabilities (OWASP API Top 10)

- Validate input handling

- Test rate limiting



Examples


Example 1: Implementing JWT Authentication


markdown
## Secure JWT Authentication Implementation

### Authentication Flow

1. User logs in with credentials
2. Server validates credentials
3. Server generates JWT token
4. Client stores token securely
5. Client sends token with each request
6. Server validates token

### Implementation

#### 1. Generate Secure JWT Tokens

\`\`\`javascript
// auth.js
const jwt = require('jsonwebtoken');
const bcrypt = require('bcrypt');

// Login endpoint
app.post('/api/auth/login', async (req, res) => {
  try {
    const { email, password } = req.body;
    
    // Validate input
    if (!email || !password) {
      return res.status(400).json({ 
        error: 'Email and password are required' 
      });
    }
    
    // Find user
    const user = await db.user.findUnique({ 
      where: { email } 
    });
    
    if (!user) {
      // Don't reveal if user exists
      return res.status(401).json({ 
        error: 'Invalid credentials' 
      });
    }
    
    // Verify password
    const validPassword = await bcrypt.compare(
      password, 
      user.passwordHash
    );
    
    if (!validPassword) {
      return res.status(401).json({ 
        error: 'Invalid credentials' 
      });
    }
    
    // Generate JWT token
    const token = jwt.sign(
      { 
        userId: user.id,
        email: user.email,
        role: user.role
      },
      process.env.JWT_SECRET,
      { 
        expiresIn: '1h',
        issuer: 'your-app',
        audience: 'your-app-users'
      }
    );
    
    // Generate refresh token
    const refreshToken = jwt.sign(
      { userId: user.id },
      process.env.JWT_REFRESH_SECRET,
      { expiresIn: '7d' }
    );
    
    // Store refresh token in database
    await db.refreshToken.create({
      data: {
        token: refreshToken,
        userId: user.id,
        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)
      }
    });
    
    res.json({
      token,
      refreshToken,
      expiresIn: 3600
    });
  

🎯 Best For

  • Security auditors
  • DevSecOps teams
  • Compliance officers
  • Claude users
  • Designers

💡 Use Cases

  • Auditing dependencies for known CVEs
  • Scanning API endpoints for auth gaps
  • Design system documentation
  • Component specification creation

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Api Security Best Practices to Your Work

    Provide context for your task — paste source material, describe your audience, or share existing work to guide the AI.

  4. 4

    Review and Refine

    Edit the AI output for accuracy, tone, and completeness. Add human insight where the AI lacks context.

❓ Frequently Asked Questions

Can this replace a dedicated SAST tool?

AI-based security review is complementary to SAST tools. Use it as a first-pass filter, not a replacement.

Does Api Security Best Practices generate production-ready design specs?

It generates detailed specifications that developers can use directly. Review and adjust for your specific design system.

How do I install Api Security Best Practices?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/api-security-best-practices/SKILL.md, ready to use.

Can I customize this skill for my team?

Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.

⚠️ Common Mistakes to Avoid

Only scanning surface-level issues

Deep security review requires understanding your app architecture, not just regex patterns.

Not reading the full skill

Skills contain important context and edge cases beyond the quick start.

🔗 Related Skills