| name | api-security |
| description | API security best practices and common vulnerability prevention. Enforces security checks for authentication, input validation, SQL injection, XSS, and OWASP Top 10 vulnerabilities. Use when building or modifying APIs. |
API Security Best Practices
Purpose
This guardrail skill enforces critical security practices when building APIs. It helps prevent common vulnerabilities including OWASP Top 10 threats, ensuring your API is secure by design.
When to Use This Skill
Auto-activates when:
- Working with API endpoints or routes
- Mentions of "api", "endpoint", "authentication", "authorization"
- Adding request handlers or middleware
- Working with user input or database queries
Authentication & Authorization
Always Require Authentication
Every API endpoint must have explicit authentication:
@app.post("/api/users")
@require_auth
async def create_user(request: Request):
user = get_current_user(request)
router.post('/api/users', authenticate, async (req, res) => {
const user = req.user;
});
Never skip authentication:
@app.post("/api/users")
async def create_user(request: Request):
pass
Implement Proper Authorization
Authentication (who you are) is not enough - check authorization (what you can do):
@app.delete("/api/users/{user_id}")
@require_auth
async def delete_user(user_id: str, request: Request):
current_user = get_current_user(request)
if not current_user.is_admin and current_user.id != user_id:
raise HTTPException(status_code=403, detail="Forbidden")
await delete_user_by_id(user_id)
Use Strong Token Standards
Use industry-standard tokens:
import jwt
from datetime import datetime, timedelta
def create_access_token(user_id: str) -> str:
payload = {
"sub": user_id,
"exp": datetime.utcnow() + timedelta(hours=1),
"iat": datetime.utcnow(),
}
return jwt.encode(payload, SECRET_KEY, algorithm="HS256")
def verify_token(token: str) -> dict:
try:
payload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
return payload
except jwt.ExpiredSignatureError:
raise HTTPException(status_code=401, detail="Token expired")
except jwt.InvalidTokenError:
raise HTTPException(status_code=401, detail="Invalid token")
Input Validation
Validate All User Input
Never trust user input - always validate:
from pydantic import BaseModel, Field, validator
class CreateUserRequest(BaseModel):
"""Validated user creation request."""
username: str = Field(..., min_length=3, max_length=50, regex="^[a-zA-Z0-9_]+$")
email: str = Field(..., regex=r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$")
age: int = Field(..., ge=0, le=150)
@validator("username")
def username_no_admin(cls, v):
if "admin" in v.lower():
raise ValueError("Username cannot contain 'admin'")
return v
@app.post("/api/users")
async def create_user(data: CreateUserRequest):
pass
Sanitize Output
Prevent XSS by escaping output:
import html
@app.get("/api/users/{user_id}")
async def get_user(user_id: str):
user = await get_user_by_id(user_id)
return {
"username": html.escape(user.username),
"bio": html.escape(user.bio),
}
Rate Limiting
Prevent abuse with rate limiting:
from slowapi import Limiter
from slowapi.util import get_remote_address
limiter = Limiter(key_func=get_remote_address)
@app.post("/api/login")
@limiter.limit("5/minute")
async def login(request: Request, credentials: LoginRequest):
pass
SQL Injection Prevention
Always Use Parameterized Queries
NEVER concatenate user input into SQL:
user_id = request.query_params.get("id")
query = f"SELECT * FROM users WHERE id = {user_id}"
result = db.execute(query)
user_id = request.query_params.get("id")
query = "SELECT * FROM users WHERE id = ?"
result = db.execute(query, (user_id,))
user = await User.filter(id=user_id).first()
ORM Best Practices
Use ORMs correctly to prevent injection:
from sqlalchemy import select
async def get_users_by_role(role: str):
query = select(User).where(User.role == role)
result = await session.execute(query)
return result.scalars().all()
async def get_users_by_role_bad(role: str):
query = f"SELECT * FROM users WHERE role = '{role}'"
result = await session.execute(query)
return result.all()
Cross-Site Scripting (XSS) Prevention
Content Security Policy
Set CSP headers to prevent XSS:
@app.middleware("http")
async def add_security_headers(request: Request, call_next):
response = await call_next(request)
response.headers["Content-Security-Policy"] = (
"default-src 'self'; "
"script-src 'self' 'unsafe-inline'; "
"style-src 'self' 'unsafe-inline'; "
"img-src 'self' data: https:;"
)
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["X-Frame-Options"] = "DENY"
response.headers["X-XSS-Protection"] = "1; mode=block"
return response
Escape User Content
Always escape user-generated content:
import html
import json
safe_html = html.escape(user_input)
safe_js = json.dumps(user_input)
return templates.TemplateResponse("page.html", {"content": user_input})
HTTPS & Transport Security
Enforce HTTPS
Redirect HTTP to HTTPS:
@app.middleware("http")
async def https_redirect(request: Request, call_next):
if request.url.scheme != "https" and not request.url.hostname == "localhost":
url = request.url.replace(scheme="https")
return RedirectResponse(url, status_code=301)
return await call_next(request)
Set HSTS Headers
response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
CORS Configuration
Configure CORS Properly
Don't use wildcard origins in production:
from fastapi.middleware.cors import CORSMiddleware
app.add_middleware(
CORSMiddleware,
allow_origins=["*"],
allow_credentials=True,
)
app.add_middleware(
CORSMiddleware,
allow_origins=[
"https://myapp.com",
"https://www.myapp.com",
],
allow_credentials=True,
allow_methods=["GET", "POST", "PUT", "DELETE"],
allow_headers=["*"],
)
Sensitive Data Handling
Never Log Sensitive Data
import logging
logger = logging.getLogger(__name__)
logger.info(f"User {username} logging in with password {password}")
logger.info(f"User {username} attempting login")
def redact_sensitive(data: dict) -> dict:
sensitive_fields = {"password", "ssn", "credit_card", "token"}
return {
k: "***REDACTED***" if k in sensitive_fields else v
for k, v in data.items()
}
Hash Passwords Properly
from passlib.context import CryptContext
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
hashed = pwd_context.hash(plain_password)
is_valid = pwd_context.verify(plain_password, hashed)
Encrypt Sensitive Data
from cryptography.fernet import Fernet
key = Fernet.generate_key()
cipher = Fernet(key)
encrypted = cipher.encrypt(sensitive_data.encode())
decrypted = cipher.decrypt(encrypted).decode()
Error Handling
Don't Leak Information in Errors
@app.get("/api/users/{user_id}")
async def get_user(user_id: str):
try:
user = await db.query(f"SELECT * FROM users WHERE id = {user_id}")
return user
except Exception as e:
raise HTTPException(status_code=500, detail=str(e))
@app.get("/api/users/{user_id}")
async def get_user(user_id: str):
try:
user = await User.get(id=user_id)
if not user:
raise HTTPException(status_code=404, detail="User not found")
return user
except Exception as e:
logger.error(f"Error fetching user {user_id}: {e}")
raise HTTPException(status_code=500, detail="Internal server error")
API Security Checklist
Before deploying any API endpoint, verify:
Common Vulnerabilities (OWASP Top 10)
- Broken Access Control: Always check authorization, not just authentication
- Cryptographic Failures: Use strong algorithms, proper key management
- Injection: Parameterized queries, input validation, output encoding
- Insecure Design: Security by design, threat modeling
- Security Misconfiguration: Secure defaults, minimal permissions
- Vulnerable Components: Keep dependencies updated
- Authentication Failures: Strong passwords, MFA, secure sessions
- Data Integrity Failures: Sign/encrypt data, verify signatures
- Logging Failures: Log security events, monitor for anomalies
- SSRF: Validate/sanitize URLs, whitelist allowed destinations
Key Takeaways
- Require authentication and authorization for every endpoint
- Validate all input, sanitize all output
- Use parameterized queries to prevent SQL injection
- Set security headers (CSP, HSTS, X-Frame-Options)
- Configure CORS with specific origins, not wildcards
- Hash passwords with bcrypt, never store plaintext
- Enforce HTTPS in production
- Rate limit endpoints to prevent abuse
- Don't leak information in error messages
- Log security events without sensitive data