Covers five core security areas: JWT/OAuth authentication, role-based access control, input validation with parameterized queries, rate limiting with Redis to curb abuse and application-layer DDoS, and response hardening with security headers
Includes practical code examples for token generation, refresh flows, SQL injection prevention, XSS sanitization, and rate limiting tiered by user plan
Confirm successful installation by checking the skill directory location:
.cursor/skills/api-security-best-practices
Restart Cursor to activate api-security-best-practices. Access via /api-security-best-practices in your agent's command palette.
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Guide developers in building secure APIs by implementing authentication, authorization, input validation, rate limiting, and protection against common vulnerabilities. This skill covers security patterns for REST, GraphQL, and WebSocket APIs.
When to Use This Skill
Use when designing new API endpoints
Use when securing existing APIs
Use when implementing authentication and authorization
Use when protecting against API attacks (injection, DDoS, etc.)
Use when conducting API security reviews
Use when preparing for security audits
Use when implementing rate limiting and throttling
Use when handling sensitive data in APIs
How It Works
Step 1: Authentication & Authorization
I'll help you implement secure authentication:
Choose authentication method (JWT, OAuth 2.0, API keys)
Implement token-based authentication
Set up role-based access control (RBAC)
Secure session management
Implement multi-factor authentication (MFA)
Step 2: Input Validation & Sanitization
Protect against injection attacks:
Validate all input data
Sanitize user inputs
Use parameterized queries
Implement request schema validation
Prevent SQL injection, XSS, and command injection
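An added example (not the skill's own code) of the schema-validation and XSS items above: a small allowlist validator for a JSON request body that also rejects unexpected fields, and output encoding at the point where untrusted text is rendered into HTML. The schema format, the field names and the sample inputs are this example's own; a maintained validator (zod, joi, ajv) would replace `validate()` in a real service. Parameterized queries for SQL injection are shown in Example 2 further down.

```javascript
// Added example, not the skill's own code. The schema mini-format, field names and sample
// values below are constructed for illustration.
const VALID_EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// A schema maps field -> rule. Anything not in the schema is rejected, which blocks mass
// assignment (a client adding "role":"admin" to a profile update) and stray "__proto__" keys,
// since JSON.parse yields them as ordinary own properties that Object.keys() reports.
const createCommentSchema = {
  postId:     { type: 'string', pattern: /^\d{1,10}$/, required: true },
  email:      { type: 'string', pattern: VALID_EMAIL, maxLength: 254, required: true },
  body:       { type: 'string', minLength: 1, maxLength: 2000, required: true },
  visibility: { type: 'string', enum: ['public', 'private'] },
};

// Returns { ok: true, value } with only the allowed fields, or { ok: false, errors }.
function validate(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`unexpected field: ${key}`);
  }
  const value = {};
  for (const [field, rule] of Object.entries(schema)) {
    const v = input[field];
    if (v === undefined) {
      if (rule.required) errors.push(`${field} is required`);
      continue;
    }
    if (typeof v !== rule.type) { errors.push(`${field} must be a ${rule.type}`); continue; }
    if (rule.minLength !== undefined && v.length < rule.minLength) errors.push(`${field} is too short`);
    if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${field} is too long`);
    if (rule.pattern && !rule.pattern.test(v)) errors.push(`${field} has an invalid format`);
    if (rule.enum && !rule.enum.includes(v)) errors.push(`${field} must be one of ${rule.enum.join(', ')}`);
    value[field] = v;
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Express adapter (assumes Express with express.json()): app.post('/comments', validateBody(schema), h)
function validateBody(schema) {
  return (req, res, next) => {
    const result = validate(schema, req.body);
    if (!result.ok) return res.status(400).json({ error: 'validation failed', details: result.errors });
    req.validated = result.value;
    return next();
  };
}

// XSS: encode at the point where untrusted text goes into HTML. Do not "sanitize" on input and
// store the result; the right encoding depends on the output context (HTML body, attribute, JS, URL).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderComment(comment) {
  return `<p class="comment" data-post="${escapeHtml(comment.postId)}">${escapeHtml(comment.body)}</p>`;
}
```

Validation here is about shape and bounds, not about spotting attack strings: a comment body that contains `<script>` is a legitimate string and passes, and it is `escapeHtml()` at render time that makes it harmless.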
Step 3: Rate Limiting & Throttling
Prevent abuse and DDoS attacks:
Implement rate limiting per user/IP
Set up API throttling
Configure request quotas
Handle rate limit errors gracefully
Monitor for suspicious activity
Step 4: Data Protection
Secure sensitive data:
Encrypt data in transit (HTTPS/TLS)
Encrypt sensitive data at rest
Implement proper error handling (no data leaks)
Sanitize error messages
Use secure headers
Step 5: API Security Testing
Verify security implementation:
Test authentication and authorization
Perform penetration testing
Check for common vulnerabilities (OWASP API Top 10)
Example 2: Input Validation and SQL Injection Prevention
## Preventing SQL Injection and Input Validation

### The Problem

**Vulnerable code:**

```javascript
// NEVER DO THIS - SQL injection vulnerability
app.get('/api/users/:id', async (req, res) => {
  const userId = req.params.id;
  // Dangerous: user input is interpolated straight into the SQL text
  const query = `SELECT * FROM users WHERE id = '${userId}'`;
  const user = await db.query(query);
  res.json(user);
});

// Attack example:
// GET /api/users/1' OR '1'='1
// The WHERE clause becomes id = '1' OR '1'='1', which is always true: returns all users!
```

### The Solution

#### 1. Use Parameterized Queries

```javascript
// Safe: validate the input, then hand it to the driver as a bound parameter.
// Assumes an Express app and a node-postgres (pg) pool as `db`; $1 is pg's placeholder syntax.
app.get('/api/users/:id', async (req, res) => {
  const userId = req.params.id;

  // Validate input first: an ID must be a non-empty string of digits
  if (!userId || !/^\d+$/.test(userId)) {
    return res.status(400).json({ error: 'Invalid user ID' });
  }

  // Parameterized query: the value travels separately from the SQL text, so it can never be
  // parsed as SQL. Select only the columns the client needs rather than SELECT *.
  const { rows } = await db.query(
    'SELECT id, email, name FROM users WHERE id = $1',
    [userId]
  );

  if (rows.length === 0) {
    return res.status(404).json({ error: 'User not found' });
  }

  res.json(rows[0]);
});
```
#### 2. Use ORM with Proper Escaping
Implementation Guide
Prerequisites
Claude Desktop or compatible AI client with skill support
Clear understanding of the task or problem to solve
Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Steps
1. Install the skill using the provided installation command
2. Test with a simple use case relevant to your work
3. Evaluate output quality and relevance
4. Iterate on prompts to improve results
5. Integrate into your regular workflow if valuable
Common Pitfalls
Expecting perfect results without iteration
Not providing enough context in prompts
Using the skill for tasks outside its intended scope
Accepting outputs without review and validation
Best Practices
Do
Start with clear, specific prompts
Provide relevant context and constraints
Review and refine all outputs before using them
Iterate to improve output quality
Document successful prompt patterns
Don't
Don't use the skill without understanding its limitations
Don't skip validation of outputs
Don't share sensitive information in prompts
Don't expect the skill to replace human judgment
Pro Tips
Be specific about the desired format and style
Ask for multiple options to choose from
Request explanations to understand the reasoning
Combine AI efficiency with human expertise
When to Use This
Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path
1. Familiarize yourself with the skill's capabilities and limitations
2. Start with low-risk, non-critical tasks
3. Progress to more complex and valuable use cases
4. Build expertise through regular use and experimentation