api-security-best-practices

Guide developers in building secure APIs by implementing authentication, authorization, input validation, rate limiting, and protection against common vulnerabilities. This skill covers security patterns for REST, GraphQL, and WebSocket APIs. I'll help you implement secure authentication: Protect against injection attacks: Prevent abuse and DDoS attacks: Secure sensitive data: Verify security implementation: Symptoms: JWT secret hardcoded or committed to Git Solution: ```javascript // ❌ Bad const JWT_SECRET = 'my-secret-key'; // ✅ Good const JWT_SECRET = process.env.JWT_SECRET; if (!JWT_SECRET) { throw new Error('JWT_SECRET environment variable is required'); } // Generate strong secret // node -e "console.log(require('crypto').randomBytes(64).toString('hex'))" ``` Symptoms: Users can set weak passwords like "password123" Solution: ```javascript const passwordSchema = z.string() .min(12, 'Password must be at least 12 characters') .regex(/[A-Z]/, 'Must contain uppercase letter') .regex(/[a-z]/, 'Must contain lowercase letter') .regex(/[0-9]/, 'Must contain number') .regex(/[^A-Za-z0-9]/, 'Must contain special character'); // Or use a password strength library const zxcvbn = require('zxcvbn'); const result = zxcvbn(password); if (result.score { await prisma.post.delete({ where: { id: req.params.id } }); res.json({ success: true }); }); // ✅ Good: Checks both authentication and...