API Security Best Practices

1---
2name: api-security-best-practices
3description: "Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities"
4---
5 
6# API Security Best Practices
7 
8## Overview
9 
10Guide developers in building secure APIs by implementing authentication, authorization, input validation, rate limiting, and protection against common vulnerabilities. This skill covers security patterns for REST, GraphQL, and WebSocket APIs.
11 
12## When to Use This Skill
13 
14- Use when designing new API endpoints
15- Use when securing existing APIs
16- Use when implementing authentication and authorization
17- Use when protecting against API attacks (injection, DDoS, etc.)
18- Use when conducting API security reviews
19- Use when preparing for security audits
20- Use when implementing rate limiting and throttling
21- Use when handling sensitive data in APIs
22 
23## How It Works
24 
25### Step 1: Authentication & Authorization
26 
27I'll help you implement secure authentication:
28- Choose authentication method (JWT, OAuth 2.0, API keys)
29- Implement token-based authentication
30- Set up role-based access control (RBAC)
31- Secure session management
32- Implement multi-factor authentication (MFA)
33 
34### Step 2: Input Validation & Sanitization
35 
36Protect against injection attacks:
37- Validate all input data
38- Sanitize user inputs
39- Use parameterized queries
40- Implement request schema validation
41- Prevent SQL injection, XSS, and command injection
42 
43### Step 3: Rate Limiting & Throttling
44 
45Prevent abuse and DDoS attacks:
46- Implement rate limiting per user/IP
47- Set up API throttling
48- Configure request quotas
49- Handle rate limit errors gracefully
50- Monitor for suspicious activity
51 
52### Step 4: Data Protection
53 
54Secure sensitive data:
55- Encrypt data in transit (HTTPS/TLS)
56- Encrypt sensitive data at rest
57- Implement proper error handling (no data leaks)
58- Sanitize error messages
59- Use secure headers
60 
61### Step 5: API Security Testing
62 
63Verify security implementation:
64- Test authentication and authorization
65- Perform penetration testing
66- Check for common vulnerabilities (OWASP API Top 10)
67- Validate input handling
68- Test rate limiting
69 
70 
71## Examples
72 
73### Example 1: Implementing JWT Authentication
74 
75```markdown
76## Secure JWT Authentication Implementation
77 
78### Authentication Flow
79 
801. User logs in with credentials
812. Server validates credentials
823. Server generates JWT token
834. Client stores token securely
845. Client sends token with each request
856. Server validates token
86 
87### Implementation
88 
89#### 1. Generate Secure JWT Tokens
90 
91\`\`\`javascript
92// auth.js
93const jwt = require('jsonwebtoken');
94const bcrypt = require('bcrypt');
95 
96// Login endpoint
97app.post('/api/auth/login', async (req, res) => {
98  try {
99    const { email, password } = req.body;
100    
101    // Validate input
102    if (!email || !password) {
103      return res.status(400).json({ 
104        error: 'Email and password are required' 
105      });
106    }
107    
108    // Find user
109    const user = await db.user.findUnique({ 
110      where: { email } 
111    });
112    
113    if (!user) {
114      // Don't reveal if user exists
115      return res.status(401).json({ 
116        error: 'Invalid credentials' 
117      });
118    }
119    
120    // Verify password
121    const validPassword = await bcrypt.compare(
122      password, 
123      user.passwordHash
124    );
125    
126    if (!validPassword) {
127      return res.status(401).json({ 
128        error: 'Invalid credentials' 
129      });
130    }
131    
132    // Generate JWT token
133    const token = jwt.sign(
134      { 
135        userId: user.id,
136        email: user.email,
137        role: user.role
138      },
139      process.env.JWT_SECRET,
140      { 
141        expiresIn: '1h',
142        issuer: 'your-app',
143        audience: 'your-app-users'
144      }
145    );
146    
147    // Generate refresh token
148    const refreshToken = jwt.sign(
149      { userId: user.id },
150      process.env.JWT_REFRESH_SECRET,
151      { expiresIn: '7d' }
152    );
153    
154    // Store refresh token in database
155    await db.refreshToken.create({
156      data: {
157        token: refreshToken,
158        userId: user.id,
159        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)
160      }
161    });
162    
163    res.json({
164      token,
165      refreshToken,
166      expiresIn: 3600
167    });
168    
169  } catch (error) {
170    console.error('Login error:', error);
171    res.status(500).json({ 
172      error: 'An error occurred during login' 
173    });
174  }
175});
176\`\`\`
177 
178#### 2. Verify JWT Tokens (Middleware)
179 
180\`\`\`javascript
181// middleware/auth.js
182const jwt = require('jsonwebtoken');
183 
184function authenticateToken(req, res, next) {
185  // Get token from header
186  const authHeader = req.headers['authorization'];
187  const token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN
188  
189  if (!token) {
190    return res.status(401).json({ 
191      error: 'Access token required' 
192    });
193  }
194  
195  // Verify token
196  jwt.verify(
197    token, 
198    process.env.JWT_SECRET,
199    { 
200      issuer: 'your-app',
201      audience: 'your-app-users'
202    },
203    (err, user) => {
204      if (err) {
205        if (err.name === 'TokenExpiredError') {
206          return res.status(401).json({ 
207            error: 'Token expired' 
208          });
209        }
210        return res.status(403).json({ 
211          error: 'Invalid token' 
212        });
213      }
214      
215      // Attach user to request
216      req.user = user;
217      next();
218    }
219  );
220}
221 
222module.exports = { authenticateToken };
223\`\`\`
224 
225#### 3. Protect Routes
226 
227\`\`\`javascript
228const { authenticateToken } = require('./middleware/auth');
229 
230// Protected route
231app.get('/api/user/profile', authenticateToken, async (req, res) => {
232  try {
233    const user = await db.user.findUnique({
234      where: { id: req.user.userId },
235      select: {
236        id: true,
237        email: true,
238        name: true,
239        // Don't return passwordHash
240      }
241    });
242    
243    res.json(user);
244  } catch (error) {
245    res.status(500).json({ error: 'Server error' });
246  }
247});
248\`\`\`
249 
250#### 4. Implement Token Refresh
251 
252\`\`\`javascript
253app.post('/api/auth/refresh', async (req, res) => {
254  const { refreshToken } = req.body;
255  
256  if (!refreshToken) {
257    return res.status(401).json({ 
258      error: 'Refresh token required' 
259    });
260  }
261  
262  try {
263    // Verify refresh token
264    const decoded = jwt.verify(
265      refreshToken, 
266      process.env.JWT_REFRESH_SECRET
267    );
268    
269    // Check if refresh token exists in database
270    const storedToken = await db.refreshToken.findFirst({
271      where: {
272        token: refreshToken,
273        userId: decoded.userId,
274        expiresAt: { gt: new Date() }
275      }
276    });
277    
278    if (!storedToken) {
279      return res.status(403).json({ 
280        error: 'Invalid refresh token' 
281      });
282    }
283    
284    // Generate new access token
285    const user = await db.user.findUnique({
286      where: { id: decoded.userId }
287    });
288    
289    const newToken = jwt.sign(
290      { 
291        userId: user.id,
292        email: user.email,
293        role: user.role
294      },
295      process.env.JWT_SECRET,
296      { expiresIn: '1h' }
297    );
298    
299    res.json({
300      token: newToken,
301      expiresIn: 3600
302    });
303    
304  } catch (error) {
305    res.status(403).json({ 
306      error: 'Invalid refresh token' 
307    });
308  }
309});
310\`\`\`
311 
312### Security Best Practices
313 
314- ✅ Use strong JWT secrets (256-bit minimum)
315- ✅ Set short expiration times (1 hour for access tokens)
316- ✅ Implement refresh tokens for long-lived sessions
317- ✅ Store refresh tokens in database (can be revoked)
318- ✅ Use HTTPS only
319- ✅ Don't store sensitive data in JWT payload
320- ✅ Validate token issuer and audience
321- ✅ Implement token blacklisting for logout
322```
323 
324 
325### Example 2: Input Validation and SQL Injection Prevention
326 
327```markdown
328## Preventing SQL Injection and Input Validation
329 
330### The Problem
331 
332**❌ Vulnerable Code:**
333\`\`\`javascript
334// NEVER DO THIS - SQL Injection vulnerability
335app.get('/api/users/:id', async (req, res) => {
336  const userId = req.params.id;
337  
338  // Dangerous: User input directly in query
339  const query = \`SELECT * FROM users WHERE id = '\${userId}'\`;
340  const user = await db.query(query);
341  
342  res.json(user);
343});
344 
345// Attack example:
346// GET /api/users/1' OR '1'='1
347// Returns all users!
348\`\`\`
349 
350### The Solution
351 
352#### 1. Use Parameterized Queries
353 
354\`\`\`javascript
355// ✅ Safe: Parameterized query
356app.get('/api/users/:id', async (req, res) => {
357  const userId = req.params.id;
358  
359  // Validate input first
360  if (!userId || !/^\d+$/.test(userId)) {
361    return res.status(400).json({ 
362      error: 'Invalid user ID' 
363    });
364  }
365  
366  // Use parameterized query
367  const user = await db.query(
368    'SELECT id, email, name FROM users WHERE id = $1',
369    [userId]
370  );
371  
372  if (!user) {
373    return res.status(404).json({ 
374      error: 'User not found' 
375    });
376  }
377  
378  res.json(user);
379});
380\`\`\`
381 
382#### 2. Use ORM with Proper Escaping
383 
384\`\`\`javascript
385// ✅ Safe: Using Prisma ORM
386app.get('/api/users/:id', async (req, res) => {
387  const userId = parseInt(req.params.id);
388  
389  if (isNaN(userId)) {
390    return res.status(400).json({ 
391      error: 'Invalid user ID' 
392    });
393  }
394  
395  const user = await prisma.user.findUnique({
396    where: { id: userId },
397    select: {
398      id: true,
399      email: true,
400      name: true,
401      // Don't select sensitive fields
402    }
403  });
404  
405  if (!user) {
406    return res.status(404).json({ 
407      error: 'User not found' 
408    });
409  }
410  
411  res.json(user);
412});
413\`\`\`
414 
415#### 3. Implement Request Validation with Zod
416 
417\`\`\`javascript
418const { z } = require('zod');
419 
420// Define validation schema
421const createUserSchema = z.object({
422  email: z.string().email('Invalid email format'),
423  password: z.string()
424    .min(8, 'Password must be at least 8 characters')
425    .regex(/[A-Z]/, 'Password must contain uppercase letter')
426    .regex(/[a-z]/, 'Password must contain lowercase letter')
427    .regex(/[0-9]/, 'Password must contain number'),
428  name: z.string()
429    .min(2, 'Name must be at least 2 characters')
430    .max(100, 'Name too long'),
431  age: z.number()
432    .int('Age must be an integer')
433    .min(18, 'Must be 18 or older')
434    .max(120, 'Invalid age')
435    .optional()
436});
437 
438// Validation middleware
439function validateRequest(schema) {
440  return (req, res, next) => {
441    try {
442      schema.parse(req.body);
443      next();
444    } catch (error) {
445      res.status(400).json({
446        error: 'Validation failed',
447        details: error.errors
448      });
449    }
450  };
451}
452 
453// Use validation
454app.post('/api/users', 
455  validateRequest(createUserSchema),
456  async (req, res) => {
457    // Input is validated at this point
458    const { email, password, name, age } = req.body;
459    
460    // Hash password
461    const passwordHash = await bcrypt.hash(password, 10);
462    
463    // Create user
464    const user = await prisma.user.create({
465      data: {
466        email,
467        passwordHash,
468        name,
469        age
470      }
471    });
472    
473    // Don't return password hash
474    const { passwordHash: _, ...userWithoutPassword } = user;
475    res.status(201).json(userWithoutPassword);
476  }
477);
478\`\`\`
479 
480#### 4. Sanitize Output to Prevent XSS
481 
482\`\`\`javascript
483const DOMPurify = require('isomorphic-dompurify');
484 
485app.post('/api/comments', authenticateToken, async (req, res) => {
486  const { content } = req.body;
487  
488  // Validate
489  if (!content || content.length > 1000) {
490    return res.status(400).json({ 
491      error: 'Invalid comment content' 
492    });
493  }
494  
495  // Sanitize HTML to prevent XSS
496  const sanitizedContent = DOMPurify.sanitize(content, {
497    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a'],
498    ALLOWED_ATTR: ['href']
499  });
500  
501  const comment = await prisma.comment.create({
502    data: {
503      content: sanitizedContent,
504      userId: req.user.userId
505    }
506  });
507  
508  res.status(201).json(comment);
509});
510\`\`\`
511 
512### Validation Checklist
513 
514- [ ] Validate all user inputs
515- [ ] Use parameterized queries or ORM
516- [ ] Validate data types (string, number, email, etc.)
517- [ ] Validate data ranges (min/max length, value ranges)
518- [ ] Sanitize HTML content
519- [ ] Escape special characters
520- [ ] Validate file uploads (type, size, content)
521- [ ] Use allowlists, not blocklists
522```
523 
524 
525### Example 3: Rate Limiting and DDoS Protection
526 
527```markdown
528## Implementing Rate Limiting
529 
530### Why Rate Limiting?
531 
532- Prevent brute force attacks
533- Protect against DDoS
534- Prevent API abuse
535- Ensure fair usage
536- Reduce server costs
537 
538### Implementation with Express Rate Limit
539 
540\`\`\`javascript
541const rateLimit = require('express-rate-limit');
542const RedisStore = require('rate-limit-redis');
543const Redis = require('ioredis');
544 
545// Create Redis client
546const redis = new Redis({
547  host: process.env.REDIS_HOST,
548  port: process.env.REDIS_PORT
549});
550 
551// General API rate limit
552const apiLimiter = rateLimit({
553  store: new RedisStore({
554    client: redis,
555    prefix: 'rl:api:'
556  }),
557  windowMs: 15 * 60 * 1000, // 15 minutes
558  max: 100, // 100 requests per window
559  message: {
560    error: 'Too many requests, please try again later',
561    retryAfter: 900 // seconds
562  },
563  standardHeaders: true, // Return rate limit info in headers
564  legacyHeaders: false,
565  // Custom key generator (by user ID or IP)
566  keyGenerator: (req) => {
567    return req.user?.userId || req.ip;
568  }
569});
570 
571// Strict rate limit for authentication endpoints
572const authLimiter = rateLimit({
573  store: new RedisStore({
574    client: redis,
575    prefix: 'rl:auth:'
576  }),
577  windowMs: 15 * 60 * 1000, // 15 minutes
578  max: 5, // Only 5 login attempts per 15 minutes
579  skipSuccessfulRequests: true, // Don't count successful logins
580  message: {
581    error: 'Too many login attempts, please try again later',
582    retryAfter: 900
583  }
584});
585 
586// Apply rate limiters
587app.use('/api/', apiLimiter);
588app.use('/api/auth/login', authLimiter);
589app.use('/api/auth/register', authLimiter);
590 
591// Custom rate limiter for expensive operations
592const expensiveLimiter = rateLimit({
593  windowMs: 60 * 60 * 1000, // 1 hour
594  max: 10, // 10 requests per hour
595  message: {
596    error: 'Rate limit exceeded for this operation'
597  }
598});
599 
600app.post('/api/reports/generate', 
601  authenticateToken,
602  expensiveLimiter,
603  async (req, res) => {
604    // Expensive operation
605  }
606);
607\`\`\`
608 
609### Advanced: Per-User Rate Limiting
610 
611\`\`\`javascript
612// Different limits based on user tier
613function createTieredRateLimiter() {
614  const limits = {
615    free: { windowMs: 60 * 60 * 1000, max: 100 },
616    pro: { windowMs: 60 * 60 * 1000, max: 1000 },
617    enterprise: { windowMs: 60 * 60 * 1000, max: 10000 }
618  };
619  
620  return async (req, res, next) => {
621    const user = req.user;
622    const tier = user?.tier || 'free';
623    const limit = limits[tier];
624    
625    const key = \`rl:user:\${user.userId}\`;
626    const current = await redis.incr(key);
627    
628    if (current === 1) {
629      await redis.expire(key, limit.windowMs / 1000);
630    }
631    
632    if (current > limit.max) {
633      return res.status(429).json({
634        error: 'Rate limit exceeded',
635        limit: limit.max,
636        remaining: 0,
637        reset: await redis.ttl(key)
638      });
639    }
640    
641    // Set rate limit headers
642    res.set({
643      'X-RateLimit-Limit': limit.max,
644      'X-RateLimit-Remaining': limit.max - current,
645      'X-RateLimit-Reset': await redis.ttl(key)
646    });
647    
648    next();
649  };
650}
651 
652app.use('/api/', authenticateToken, createTieredRateLimiter());
653\`\`\`
654 
655### DDoS Protection with Helmet
656 
657\`\`\`javascript
658const helmet = require('helmet');
659 
660app.use(helmet({
661  // Content Security Policy
662  contentSecurityPolicy: {
663    directives: {
664      defaultSrc: ["'self'"],
665      styleSrc: ["'self'", "'unsafe-inline'"],
666      scriptSrc: ["'self'"],
667      imgSrc: ["'self'", 'data:', 'https:']
668    }
669  },
670  // Prevent clickjacking
671  frameguard: { action: 'deny' },
672  // Hide X-Powered-By header
673  hidePoweredBy: true,
674  // Prevent MIME type sniffing
675  noSniff: true,
676  // Enable HSTS
677  hsts: {
678    maxAge: 31536000,
679    includeSubDomains: true,
680    preload: true
681  }
682}));
683\`\`\`
684 
685### Rate Limit Response Headers
686 
687\`\`\`
688X-RateLimit-Limit: 100
689X-RateLimit-Remaining: 87
690X-RateLimit-Reset: 1640000000
691Retry-After: 900
692\`\`\`
693```
694 
695## Best Practices
696 
697### ✅ Do This
698 
699- **Use HTTPS Everywhere** - Never send sensitive data over HTTP
700- **Implement Authentication** - Require authentication for protected endpoints
701- **Validate All Inputs** - Never trust user input
702- **Use Parameterized Queries** - Prevent SQL injection
703- **Implement Rate Limiting** - Protect against brute force and DDoS
704- **Hash Passwords** - Use bcrypt with salt rounds >= 10
705- **Use Short-Lived Tokens** - JWT access tokens should expire quickly
706- **Implement CORS Properly** - Only allow trusted origins
707- **Log Security Events** - Monitor for suspicious activity
708- **Keep Dependencies Updated** - Regularly update packages
709- **Use Security Headers** - Implement Helmet.js
710- **Sanitize Error Messages** - Don't leak sensitive information
711 
712### ❌ Don't Do This
713 
714- **Don't Store Passwords in Plain Text** - Always hash passwords
715- **Don't Use Weak Secrets** - Use strong, random JWT secrets
716- **Don't Trust User Input** - Always validate and sanitize
717- **Don't Expose Stack Traces** - Hide error details in production
718- **Don't Use String Concatenation for SQL** - Use parameterized queries
719- **Don't Store Sensitive Data in JWT** - JWTs are not encrypted
720- **Don't Ignore Security Updates** - Update dependencies regularly
721- **Don't Use Default Credentials** - Change all default passwords
722- **Don't Disable CORS Completely** - Configure it properly instead
723- **Don't Log Sensitive Data** - Sanitize logs
724 
725## Common Pitfalls
726 
727### Problem: JWT Secret Exposed in Code
728**Symptoms:** JWT secret hardcoded or committed to Git
729**Solution:**
730\`\`\`javascript
731// ❌ Bad
732const JWT_SECRET = 'my-secret-key';
733 
734// ✅ Good
735const JWT_SECRET = process.env.JWT_SECRET;
736if (!JWT_SECRET) {
737  throw new Error('JWT_SECRET environment variable is required');
738}
739 
740// Generate strong secret
741// node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
742\`\`\`
743 
744### Problem: Weak Password Requirements
745**Symptoms:** Users can set weak passwords like "password123"
746**Solution:**
747\`\`\`javascript
748const passwordSchema = z.string()
749  .min(12, 'Password must be at least 12 characters')
750  .regex(/[A-Z]/, 'Must contain uppercase letter')
751  .regex(/[a-z]/, 'Must contain lowercase letter')
752  .regex(/[0-9]/, 'Must contain number')
753  .regex(/[^A-Za-z0-9]/, 'Must contain special character');
754 
755// Or use a password strength library
756const zxcvbn = require('zxcvbn');
757const result = zxcvbn(password);
758if (result.score < 3) {
759  return res.status(400).json({
760    error: 'Password too weak',
761    suggestions: result.feedback.suggestions
762  });
763}
764\`\`\`
765 
766### Problem: Missing Authorization Checks
767**Symptoms:** Users can access resources they shouldn't
768**Solution:**
769\`\`\`javascript
770// ❌ Bad: Only checks authentication
771app.delete('/api/posts/:id', authenticateToken, async (req, res) => {
772  await prisma.post.delete({ where: { id: req.params.id } });
773  res.json({ success: true });
774});
775 
776// ✅ Good: Checks both authentication and authorization
777app.delete('/api/posts/:id', authenticateToken, async (req, res) => {
778  const post = await prisma.post.findUnique({
779    where: { id: req.params.id }
780  });
781  
782  if (!post) {
783    return res.status(404).json({ error: 'Post not found' });
784  }
785  
786  // Check if user owns the post or is admin
787  if (post.userId !== req.user.userId && req.user.role !== 'admin') {
788    return res.status(403).json({ 
789      error: 'Not authorized to delete this post' 
790    });
791  }
792  
793  await prisma.post.delete({ where: { id: req.params.id } });
794  res.json({ success: true });
795});
796\`\`\`
797 
798### Problem: Verbose Error Messages
799**Symptoms:** Error messages reveal system details
800**Solution:**
801\`\`\`javascript
802// ❌ Bad: Exposes database details
803app.post('/api/users', async (req, res) => {
804  try {
805    const user = await prisma.user.create({ data: req.body });
806    res.json(user);
807  } catch (error) {
808    res.status(500).json({ error: error.message });
809    // Error: "Unique constraint failed on the fields: (`email`)"
810  }
811});
812 
813// ✅ Good: Generic error message
814app.post('/api/users', async (req, res) => {
815  try {
816    const user = await prisma.user.create({ data: req.body });
817    res.json(user);
818  } catch (error) {
819    console.error('User creation error:', error); // Log full error
820    
821    if (error.code === 'P2002') {
822      return res.status(400).json({ 
823        error: 'Email already exists' 
824      });
825    }
826    
827    res.status(500).json({ 
828      error: 'An error occurred while creating user' 
829    });
830  }
831});
832\`\`\`
833 
834## Security Checklist
835 
836### Authentication & Authorization
837- [ ] Implement strong authentication (JWT, OAuth 2.0)
838- [ ] Use HTTPS for all endpoints
839- [ ] Hash passwords with bcrypt (salt rounds >= 10)
840- [ ] Implement token expiration
841- [ ] Add refresh token mechanism
842- [ ] Verify user authorization for each request
843- [ ] Implement role-based access control (RBAC)
844 
845### Input Validation
846- [ ] Validate all user inputs
847- [ ] Use parameterized queries or ORM
848- [ ] Sanitize HTML content
849- [ ] Validate file uploads
850- [ ] Implement request schema validation
851- [ ] Use allowlists, not blocklists
852 
853### Rate Limiting & DDoS Protection
854- [ ] Implement rate limiting per user/IP
855- [ ] Add stricter limits for auth endpoints
856- [ ] Use Redis for distributed rate limiting
857- [ ] Return proper rate limit headers
858- [ ] Implement request throttling
859 
860### Data Protection
861- [ ] Use HTTPS/TLS for all traffic
862- [ ] Encrypt sensitive data at rest
863- [ ] Don't store sensitive data in JWT
864- [ ] Sanitize error messages
865- [ ] Implement proper CORS configuration
866- [ ] Use security headers (Helmet.js)
867 
868### Monitoring & Logging
869- [ ] Log security events
870- [ ] Monitor for suspicious activity
871- [ ] Set up alerts for failed auth attempts
872- [ ] Track API usage patterns
873- [ ] Don't log sensitive data
874 
875## OWASP API Security Top 10
876 
8771. **Broken Object Level Authorization** - Always verify user can access resource
8782. **Broken Authentication** - Implement strong authentication mechanisms
8793. **Broken Object Property Level Authorization** - Validate which properties user can access
8804. **Unrestricted Resource Consumption** - Implement rate limiting and quotas
8815. **Broken Function Level Authorization** - Verify user role for each function
8826. **Unrestricted Access to Sensitive Business Flows** - Protect critical workflows
8837. **Server Side Request Forgery (SSRF)** - Validate and sanitize URLs
8848. **Security Misconfiguration** - Use security best practices and headers
8859. **Improper Inventory Management** - Document and secure all API endpoints
88610. **Unsafe Consumption of APIs** - Validate data from third-party APIs
887 
888## Related Skills
889 
890- `@ethical-hacking-methodology` - Security testing perspective
891- `@sql-injection-testing` - Testing for SQL injection
892- `@xss-html-injection` - Testing for XSS vulnerabilities
893- `@broken-authentication` - Authentication vulnerabilities
894- `@backend-dev-guidelines` - Backend development standards
895- `@systematic-debugging` - Debug security issues
896 
897## Additional Resources
898 
899- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/)
900- [JWT Best Practices](https://tools.ietf.org/html/rfc8725)
901- [Express Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html)
902- [Node.js Security Checklist](https://blog.risingstack.com/node-js-security-checklist/)
903- [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist)
904 
905---
906 
907**Pro Tip:** Security is not a one-time task - regularly audit your APIs, keep dependencies updated, and stay informed about new vulnerabilities!
908