api-security_skill

This skill helps you implement robust API security by guiding authentication, authorization, rate limiting, and input validation across services.
  • Python

13

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill williamzujkowski/standards --skill api-security

  • REFERENCE.md23.2 KB
  • SKILL.md14.5 KB

Overview

This skill provides a focused, production-ready API security playbook based on the OWASP API Security Top 10. It bundles concise checklists, patterns, and code snippets to help teams protect APIs from common vulnerabilities like BOLA, SSRF, and broken authentication. Use it to harden designs, guide implementation, and standardize security reviews across projects.

How this skill works

The skill inspects API design and runtime controls across authentication, authorization, input validation, rate limiting, and configuration management. It supplies checklists and example patterns (JWT validation, rate limiting, schema validation, TLS requirements) you can adopt directly. It also recommends testing approaches, monitoring signals, and deployment controls to detect and prevent automated abuse or misconfiguration.

When to use it

  • When starting a new API project and you need a security baseline
  • During threat modeling and design reviews to validate controls
  • Before release to ensure authentication, authorization, and rate limits are in place
  • When hardening legacy or undocumented endpoints discovered in production
  • To build automated security tests and CI checks for API changes

Best practices

  • Enforce TLS 1.2+ and HSTS; prefer mTLS for service-to-service communication
  • Apply object- and field-level authorization checks for every data access path
  • Use short-lived JWTs with refresh rotation and validate exp/iss/aud/jti
  • Implement per-user and per-IP rate limits, plus adaptive throttling for abuse patterns
  • Validate all inputs with schema validators and never trust upstream API data

Example use cases

  • Implementing JWT-based auth with RS256 and refresh token rotation for microservices
  • Adding per-endpoint rate limiting and Redis-backed quotas for a public API
  • Auditing an existing API for BOLA and adding field-level access controls
  • Automating OWASP Top 10 security checks in CI using an API scanning script
  • Configuring secure CORS, versioning, and sunset headers for a public platform

FAQ

Enforce authorization checks that map the authenticated principal to the resource ID on every access path; never infer access from ID patterns or client-provided flags.

What rate limits should I start with?

Start with conservative per-user and per-IP limits (e.g., 100 req/min per user, lower for unauthenticated) and refine with monitoring and adaptive throttling for high-risk flows.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
api-security skill by williamzujkowski/standards | VeilStrat