Api Security Best Practices

1---2name: api-security-best-practices3description: "Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities"4risk: unknown5source: community6date_added: "2026-02-27"7---8 9# API Security Best Practices10 11## Overview12 13Guide developers in building secure APIs by implementing authentication, authorization, input validation, rate limiting, and protection against common vulnerabilities. This skill covers security patterns for REST, GraphQL, and WebSocket APIs.14 15## When to Use This Skill16 17- Use when designing new API endpoints18- Use when securing existing APIs19- Use when implementing authentication and authorization20- Use when protecting against API attacks (injection, DDoS, etc.)21- Use when conducting API security reviews22- Use when preparing for security audits23- Use when implementing rate limiting and throttling24- Use when handling sensitive data in APIs25 26## How It Works27 28### Step 1: Authentication & Authorization29 30I'll help you implement secure authentication:31- Choose authentication method (JWT, OAuth 2.0, API keys)32- Implement token-based authentication33- Set up role-based access control (RBAC)34- Secure session management35- Implement multi-factor authentication (MFA)36 37### Step 2: Input Validation & Sanitization38 39Protect against injection attacks:40- Validate all input data41- Sanitize user inputs42- Use parameterized queries43- Implement request schema validation44- Prevent SQL injection, XSS, and command injection45 46### Step 3: Rate Limiting & Throttling47 48Prevent abuse and DDoS attacks:49- Implement rate limiting per user/IP50- Set up API throttling51- Configure request quotas52- Handle rate limit errors gracefully53- Monitor for suspicious activity54 55### Step 4: Data Protection56 57Secure sensitive data:58- Encrypt data in transit (HTTPS/TLS)59- Encrypt sensitive data at rest60- Implement proper error handling (no data leaks)61- Sanitize error messages62- Use secure headers63 64### Step 5: API Security Testing65 66Verify security implementation:67- Test authentication and authorization68- Perform penetration testing69- Check for common vulnerabilities (OWASP API Top 10)70- Validate input handling71- Test rate limiting72 73 74## Examples75 76### Example 1: Implementing JWT Authentication77 78```markdown79## Secure JWT Authentication Implementation80 81### Authentication Flow82 831. User logs in with credentials842. Server validates credentials853. Server generates JWT token864. Client stores token securely875. Client sends token with each request886. Server validates token89 90### Implementation91 92#### 1. Generate Secure JWT Tokens93 94\`\`\`javascript95// auth.js96const jwt = require('jsonwebtoken');97const bcrypt = require('bcrypt');98 99// Login endpoint100app.post('/api/auth/login', async (req, res) => {101  try {102    const { email, password } = req.body;103    104    // Validate input105    if (!email || !password) {106      return res.status(400).json({ 107        error: 'Email and password are required' 108      });109    }110    111    // Find user112    const user = await db.user.findUnique({ 113      where: { email } 114    });115    116    if (!user) {117      // Don't reveal if user exists118      return res.status(401).json({ 119        error: 'Invalid credentials' 120      });121    }122    123    // Verify password124    const validPassword = await bcrypt.compare(125      password, 126      user.passwordHash127    );128    129    if (!validPassword) {130      return res.status(401).json({ 131        error: 'Invalid credentials' 132      });133    }134    135    // Generate JWT token136    const token = jwt.sign(137      { 138        userId: user.id,139        email: user.email,140        role: user.role141      },142      process.env.JWT_SECRET,143      { 144        expiresIn: '1h',145        issuer: 'your-app',146        audience: 'your-app-users'147      }148    );149    150    // Generate refresh token151    const refreshToken = jwt.sign(152      { userId: user.id },153      process.env.JWT_REFRESH_SECRET,154      { expiresIn: '7d' }155    );156    157    // Store refresh token in database158    await db.refreshToken.create({159      data: {160        token: refreshToken,161        userId: user.id,162        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)163      }164    });165    166    res.json({167      token,168      refreshToken,169      expiresIn: 3600170    });171    172  } catch (error) {173    console.error('Login error:', error);174    res.status(500).json({ 175      error: 'An error occurred during login' 176    });177  }178});179\`\`\`180 181#### 2. Verify JWT Tokens (Middleware)182 183\`\`\`javascript184// middleware/auth.js185const jwt = require('jsonwebtoken');186 187function authenticateToken(req, res, next) {188  // Get token from header189  const authHeader = req.headers['authorization'];190  const token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN191  192  if (!token) {193    return res.status(401).json({ 194      error: 'Access token required' 195    });196  }197  198  // Verify token199  jwt.verify(200    token, 201    process.env.JWT_SECRET,202    { 203      issuer: 'your-app',204      audience: 'your-app-users'205    },206    (err, user) => {207      if (err) {208        if (err.name === 'TokenExpiredError') {209          return res.status(401).json({ 210            error: 'Token expired' 211          });212        }213        return res.status(403).json({ 214          error: 'Invalid token' 215        });216      }217      218      // Attach user to request219      req.user = user;220      next();221    }222  );223}224 225module.exports = { authenticateToken };226\`\`\`227 228#### 3. Protect Routes229 230\`\`\`javascript231const { authenticateToken } = require('./middleware/auth');232 233// Protected route234app.get('/api/user/profile', authenticateToken, async (req, res) => {235  try {236    const user = await db.user.findUnique({237      where: { id: req.user.userId },238      select: {239        id: true,240        email: true,241        name: true,242        // Don't return passwordHash243      }244    });245    246    res.json(user);247  } catch (error) {248    res.status(500).json({ error: 'Server error' });249  }250});251\`\`\`252 253#### 4. Implement Token Refresh254 255\`\`\`javascript256app.post('/api/auth/refresh', async (req, res) => {257  const { refreshToken } = req.body;258  259  if (!refreshToken) {260    return res.status(401).json({ 261      error: 'Refresh token required' 262    });263  }264  265  try {266    // Verify refresh token267    const decoded = jwt.verify(268      refreshToken, 269      process.env.JWT_REFRESH_SECRET270    );271    272    // Check if refresh token exists in database273    const storedToken = await db.refreshToken.findFirst({274      where: {275        token: refreshToken,276        userId: decoded.userId,277        expiresAt: { gt: new Date() }278      }279    });280    281    if (!storedToken) {282      return res.status(403).json({ 283        error: 'Invalid refresh token' 284      });285    }286    287    // Generate new access token288    const user = await db.user.findUnique({289      where: { id: decoded.userId }290    });291    292    const newToken = jwt.sign(293      { 294        userId: user.id,295        email: user.email,296        role: user.role297      },298      process.env.JWT_SECRET,299      { expiresIn: '1h' }300    );301    302    res.json({303      token: newToken,304      expiresIn: 3600305    });306    307  } catch (error) {308    res.status(403).json({ 309      error: 'Invalid refresh token' 310    });311  }312});313\`\`\`314 315### Security Best Practices316 317- ✅ Use strong JWT secrets (256-bit minimum)318- ✅ Set short expiration times (1 hour for access tokens)319- ✅ Implement refresh tokens for long-lived sessions320- ✅ Store refresh tokens in database (can be revoked)321- ✅ Use HTTPS only322- ✅ Don't store sensitive data in JWT payload323- ✅ Validate token issuer and audience324- ✅ Implement token blacklisting for logout325```326 327 328### Example 2: Input Validation and SQL Injection Prevention329 330```markdown331## Preventing SQL Injection and Input Validation332 333### The Problem334 335**❌ Vulnerable Code:**336\`\`\`javascript337// NEVER DO THIS - SQL Injection vulnerability338app.get('/api/users/:id', async (req, res) => {339  const userId = req.params.id;340  341  // Dangerous: User input directly in query342  const query = \`SELECT * FROM users WHERE id = '\${userId}'\`;343  const user = await db.query(query);344  345  res.json(user);346});347 348// Attack example:349// GET /api/users/1' OR '1'='1350// Returns all users!351\`\`\`352 353### The Solution354 355#### 1. Use Parameterized Queries356 357\`\`\`javascript358// ✅ Safe: Parameterized query359app.get('/api/users/:id', async (req, res) => {360  const userId = req.params.id;361  362  // Validate input first363  if (!userId || !/^\d+$/.test(userId)) {364    return res.status(400).json({ 365      error: 'Invalid user ID' 366    });367  }368  369  // Use parameterized query370  const user = await db.query(371    'SELECT id, email, name FROM users WHERE id = $1',372    [userId]373  );374  375  if (!user) {376    return res.status(404).json({ 377      error: 'User not found' 378    });379  }380  381  res.json(user);382});383\`\`\`384 385#### 2. Use ORM with Proper Escaping386 387\`\`\`javascript388// ✅ Safe: Using Prisma ORM389app.get('/api/users/:id', async (req, res) => {390  const userId = parseInt(req.params.id);391  392  if (isNaN(userId)) {393    return res.status(400).json({ 394      error: 'Invalid user ID' 395    });396  }397  398  const user = await prisma.user.findUnique({399    where: { id: userId },400    select: {401      id: true,402      email: true,403      name: true,404      // Don't select sensitive fields405    }406  });407  408  if (!user) {409    return res.status(404).json({ 410      error: 'User not found' 411    });412  }413  414  res.json(user);415});416\`\`\`417 418#### 3. Implement Request Validation with Zod419 420\`\`\`javascript421const { z } = require('zod');422 423// Define validation schema424const createUserSchema = z.object({425  email: z.string().email('Invalid email format'),426  password: z.string()427    .min(8, 'Password must be at least 8 characters')428    .regex(/[A-Z]/, 'Password must contain uppercase letter')429    .regex(/[a-z]/, 'Password must contain lowercase letter')430    .regex(/[0-9]/, 'Password must contain number'),431  name: z.string()432    .min(2, 'Name must be at least 2 characters')433    .max(100, 'Name too long'),434  age: z.number()435    .int('Age must be an integer')436    .min(18, 'Must be 18 or older')437    .max(120, 'Invalid age')438    .optional()439});440 441// Validation middleware442function validateRequest(schema) {443  return (req, res, next) => {444    try {445      schema.parse(req.body);446      next();447    } catch (error) {448      res.status(400).json({449        error: 'Validation failed',450        details: error.errors451      });452    }453  };454}455 456// Use validation457app.post('/api/users', 458  validateRequest(createUserSchema),459  async (req, res) => {460    // Input is validated at this point461    const { email, password, name, age } = req.body;462    463    // Hash password464    const passwordHash = await bcrypt.hash(password, 10);465    466    // Create user467    const user = await prisma.user.create({468      data: {469        email,470        passwordHash,471        name,472        age473      }474    });475    476    // Don't return password hash477    const { passwordHash: _, ...userWithoutPassword } = user;478    res.status(201).json(userWithoutPassword);479  }480);481\`\`\`482 483#### 4. Sanitize Output to Prevent XSS484 485\`\`\`javascript486const DOMPurify = require('isomorphic-dompurify');487 488app.post('/api/comments', authenticateToken, async (req, res) => {489  const { content } = req.body;490  491  // Validate492  if (!content || content.length > 1000) {493    return res.status(400).json({ 494      error: 'Invalid comment content' 495    });496  }497  498  // Sanitize HTML to prevent XSS499  const sanitizedContent = DOMPurify.sanitize(content, {500    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a'],501    ALLOWED_ATTR: ['href']502  });503  504  const comment = await prisma.comment.create({505    data: {506      content: sanitizedContent,507      userId: req.user.userId508    }509  });510  511  res.status(201).json(comment);512});513\`\`\`514 515### Validation Checklist516 517- [ ] Validate all user inputs518- [ ] Use parameterized queries or ORM519- [ ] Validate data types (string, number, email, etc.)520- [ ] Validate data ranges (min/max length, value ranges)521- [ ] Sanitize HTML content522- [ ] Escape special characters523- [ ] Validate file uploads (type, size, content)524- [ ] Use allowlists, not blocklists525```526 527 528### Example 3: Rate Limiting and DDoS Protection529 530```markdown531## Implementing Rate Limiting532 533### Why Rate Limiting?534 535- Prevent brute force attacks536- Protect against DDoS537- Prevent API abuse538- Ensure fair usage539- Reduce server costs540 541### Implementation with Express Rate Limit542 543\`\`\`javascript544const rateLimit = require('express-rate-limit');545const RedisStore = require('rate-limit-redis');546const Redis = require('ioredis');547 548// Create Redis client549const redis = new Redis({550  host: process.env.REDIS_HOST,551  port: process.env.REDIS_PORT552});553 554// General API rate limit555const apiLimiter = rateLimit({556  store: new RedisStore({557    client: redis,558    prefix: 'rl:api:'559  }),560  windowMs: 15 * 60 * 1000, // 15 minutes561  max: 100, // 100 requests per window562  message: {563    error: 'Too many requests, please try again later',564    retryAfter: 900 // seconds565  },566  standardHeaders: true, // Return rate limit info in headers567  legacyHeaders: false,568  // Custom key generator (by user ID or IP)569  keyGenerator: (req) => {570    return req.user?.userId || req.ip;571  }572});573 574// Strict rate limit for authentication endpoints575const authLimiter = rateLimit({576  store: new RedisStore({577    client: redis,578    prefix: 'rl:auth:'579  }),580  windowMs: 15 * 60 * 1000, // 15 minutes581  max: 5, // Only 5 login attempts per 15 minutes582  skipSuccessfulRequests: true, // Don't count successful logins583  message: {584    error: 'Too many login attempts, please try again later',585    retryAfter: 900586  }587});588 589// Apply rate limiters590app.use('/api/', apiLimiter);591app.use('/api/auth/login', authLimiter);592app.use('/api/auth/register', authLimiter);593 594// Custom rate limiter for expensive operations595const expensiveLimiter = rateLimit({596  windowMs: 60 * 60 * 1000, // 1 hour597  max: 10, // 10 requests per hour598  message: {599    error: 'Rate limit exceeded for this operation'600  }601});602 603app.post('/api/reports/generate', 604  authenticateToken,605  expensiveLimiter,606  async (req, res) => {607    // Expensive operation608  }609);610\`\`\`611 612### Advanced: Per-User Rate Limiting613 614\`\`\`javascript615// Different limits based on user tier616function createTieredRateLimiter() {617  const limits = {618    free: { windowMs: 60 * 60 * 1000, max: 100 },619    pro: { windowMs: 60 * 60 * 1000, max: 1000 },620    enterprise: { windowMs: 60 * 60 * 1000, max: 10000 }621  };622  623  return async (req, res, next) => {624    const user = req.user;625    const tier = user?.tier || 'free';626    const limit = limits[tier];627    628    const key = \`rl:user:\${user.userId}\`;629    const current = await redis.incr(key);630    631    if (current === 1) {632      await redis.expire(key, limit.windowMs / 1000);633    }634    635    if (current > limit.max) {636      return res.status(429).json({637        error: 'Rate limit exceeded',638        limit: limit.max,639        remaining: 0,640        reset: await redis.ttl(key)641      });642    }643    644    // Set rate limit headers645    res.set({646      'X-RateLimit-Limit': limit.max,647      'X-RateLimit-Remaining': limit.max - current,648      'X-RateLimit-Reset': await redis.ttl(key)649    });650    651    next();652  };653}654 655app.use('/api/', authenticateToken, createTieredRateLimiter());656\`\`\`657 658### DDoS Protection with Helmet659 660\`\`\`javascript661const helmet = require('helmet');662 663app.use(helmet({664  // Content Security Policy665  contentSecurityPolicy: {666    directives: {667      defaultSrc: ["'self'"],668      styleSrc: ["'self'", "'unsafe-inline'"],669      scriptSrc: ["'self'"],670      imgSrc: ["'self'", 'data:', 'https:']671    }672  },673  // Prevent clickjacking674  frameguard: { action: 'deny' },675  // Hide X-Powered-By header676  hidePoweredBy: true,677  // Prevent MIME type sniffing678  noSniff: true,679  // Enable HSTS680  hsts: {681    maxAge: 31536000,682    includeSubDomains: true,683    preload: true684  }685}));686\`\`\`687 688### Rate Limit Response Headers689 690\`\`\`691X-RateLimit-Limit: 100692X-RateLimit-Remaining: 87693X-RateLimit-Reset: 1640000000694Retry-After: 900695\`\`\`696```697 698## Best Practices699 700### ✅ Do This701 702- **Use HTTPS Everywhere** - Never send sensitive data over HTTP703- **Implement Authentication** - Require authentication for protected endpoints704- **Validate All Inputs** - Never trust user input705- **Use Parameterized Queries** - Prevent SQL injection706- **Implement Rate Limiting** - Protect against brute force and DDoS707- **Hash Passwords** - Use bcrypt with salt rounds >= 10708- **Use Short-Lived Tokens** - JWT access tokens should expire quickly709- **Implement CORS Properly** - Only allow trusted origins710- **Log Security Events** - Monitor for suspicious activity711- **Keep Dependencies Updated** - Regularly update packages712- **Use Security Headers** - Implement Helmet.js713- **Sanitize Error Messages** - Don't leak sensitive information714 715### ❌ Don't Do This716 717- **Don't Store Passwords in Plain Text** - Always hash passwords718- **Don't Use Weak Secrets** - Use strong, random JWT secrets719- **Don't Trust User Input** - Always validate and sanitize720- **Don't Expose Stack Traces** - Hide error details in production721- **Don't Use String Concatenation for SQL** - Use parameterized queries722- **Don't Store Sensitive Data in JWT** - JWTs are not encrypted723- **Don't Ignore Security Updates** - Update dependencies regularly724- **Don't Use Default Credentials** - Change all default passwords725- **Don't Disable CORS Completely** - Configure it properly instead726- **Don't Log Sensitive Data** - Sanitize logs727 728## Common Pitfalls729 730### Problem: JWT Secret Exposed in Code731**Symptoms:** JWT secret hardcoded or committed to Git732**Solution:**733\`\`\`javascript734// ❌ Bad735const JWT_SECRET = 'my-secret-key';736 737// ✅ Good738const JWT_SECRET = process.env.JWT_SECRET;739if (!JWT_SECRET) {740  throw new Error('JWT_SECRET environment variable is required');741}742 743// Generate strong secret744// node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"745\`\`\`746 747### Problem: Weak Password Requirements748**Symptoms:** Users can set weak passwords like "password123"749**Solution:**750\`\`\`javascript751const passwordSchema = z.string()752  .min(12, 'Password must be at least 12 characters')753  .regex(/[A-Z]/, 'Must contain uppercase letter')754  .regex(/[a-z]/, 'Must contain lowercase letter')755  .regex(/[0-9]/, 'Must contain number')756  .regex(/[^A-Za-z0-9]/, 'Must contain special character');757 758// Or use a password strength library759const zxcvbn = require('zxcvbn');760const result = zxcvbn(password);761if (result.score < 3) {762  return res.status(400).json({763    error: 'Password too weak',764    suggestions: result.feedback.suggestions765  });766}767\`\`\`768 769### Problem: Missing Authorization Checks770**Symptoms:** Users can access resources they shouldn't771**Solution:**772\`\`\`javascript773// ❌ Bad: Only checks authentication774app.delete('/api/posts/:id', authenticateToken, async (req, res) => {775  await prisma.post.delete({ where: { id: req.params.id } });776  res.json({ success: true });777});778 779// ✅ Good: Checks both authentication and authorization780app.delete('/api/posts/:id', authenticateToken, async (req, res) => {781  const post = await prisma.post.findUnique({782    where: { id: req.params.id }783  });784  785  if (!post) {786    return res.status(404).json({ error: 'Post not found' });787  }788  789  // Check if user owns the post or is admin790  if (post.userId !== req.user.userId && req.user.role !== 'admin') {791    return res.status(403).json({ 792      error: 'Not authorized to delete this post' 793    });794  }795  796  await prisma.post.delete({ where: { id: req.params.id } });797  res.json({ success: true });798});799\`\`\`800 801### Problem: Verbose Error Messages802**Symptoms:** Error messages reveal system details803**Solution:**804\`\`\`javascript805// ❌ Bad: Exposes database details806app.post('/api/users', async (req, res) => {807  try {808    const user = await prisma.user.create({ data: req.body });809    res.json(user);810  } catch (error) {811    res.status(500).json({ error: error.message });812    // Error: "Unique constraint failed on the fields: (`email`)"813  }814});815 816// ✅ Good: Generic error message817app.post('/api/users', async (req, res) => {818  try {819    const user = await prisma.user.create({ data: req.body });820    res.json(user);821  } catch (error) {822    console.error('User creation error:', error); // Log full error823    824    if (error.code === 'P2002') {825      return res.status(400).json({ 826        error: 'Email already exists' 827      });828    }829    830    res.status(500).json({ 831      error: 'An error occurred while creating user' 832    });833  }834});835\`\`\`836 837## Security Checklist838 839### Authentication & Authorization840- [ ] Implement strong authentication (JWT, OAuth 2.0)841- [ ] Use HTTPS for all endpoints842- [ ] Hash passwords with bcrypt (salt rounds >= 10)843- [ ] Implement token expiration844- [ ] Add refresh token mechanism845- [ ] Verify user authorization for each request846- [ ] Implement role-based access control (RBAC)847 848### Input Validation849- [ ] Validate all user inputs850- [ ] Use parameterized queries or ORM851- [ ] Sanitize HTML content852- [ ] Validate file uploads853- [ ] Implement request schema validation854- [ ] Use allowlists, not blocklists855 856### Rate Limiting & DDoS Protection857- [ ] Implement rate limiting per user/IP858- [ ] Add stricter limits for auth endpoints859- [ ] Use Redis for distributed rate limiting860- [ ] Return proper rate limit headers861- [ ] Implement request throttling862 863### Data Protection864- [ ] Use HTTPS/TLS for all traffic865- [ ] Encrypt sensitive data at rest866- [ ] Don't store sensitive data in JWT867- [ ] Sanitize error messages868- [ ] Implement proper CORS configuration869- [ ] Use security headers (Helmet.js)870 871### Monitoring & Logging872- [ ] Log security events873- [ ] Monitor for suspicious activity874- [ ] Set up alerts for failed auth attempts875- [ ] Track API usage patterns876- [ ] Don't log sensitive data877 878## OWASP API Security Top 10879 8801. **Broken Object Level Authorization** - Always verify user can access resource8812. **Broken Authentication** - Implement strong authentication mechanisms8823. **Broken Object Property Level Authorization** - Validate which properties user can access8834. **Unrestricted Resource Consumption** - Implement rate limiting and quotas8845. **Broken Function Level Authorization** - Verify user role for each function8856. **Unrestricted Access to Sensitive Business Flows** - Protect critical workflows8867. **Server Side Request Forgery (SSRF)** - Validate and sanitize URLs8878. **Security Misconfiguration** - Use security best practices and headers8889. **Improper Inventory Management** - Document and secure all API endpoints88910. **Unsafe Consumption of APIs** - Validate data from third-party APIs890 891## Related Skills892 893- `@ethical-hacking-methodology` - Security testing perspective894- `@sql-injection-testing` - Testing for SQL injection895- `@xss-html-injection` - Testing for XSS vulnerabilities896- `@broken-authentication` - Authentication vulnerabilities897- `@backend-dev-guidelines` - Backend development standards898- `@systematic-debugging` - Debug security issues899 900## Additional Resources901 902- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/)903- [JWT Best Practices](https://tools.ietf.org/html/rfc8725)904- [Express Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html)905- [Node.js Security Checklist](https://blog.risingstack.com/node-js-security-checklist/)906- [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist)907 908---909 910**Pro Tip:** Security is not a one-time task - regularly audit your APIs, keep dependencies updated, and stay informed about new vulnerabilities!911 912## Limitations913- Use this skill only when the task clearly matches the scope described above.914- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.915- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.