From backend-developer
Audits APIs for OWASP Top 10 vulnerabilities including broken authorization, authentication flaws, rate limiting gaps, and mass assignment. Provides JavaScript/Express.js fix examples.
How this skill is triggered — by the user, by Claude, or both
Slash command
/backend-developer:api-security-checkerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Audit API security and identify vulnerabilities based on OWASP Top 10.
Audit API security and identify vulnerabilities based on OWASP Top 10.
Check authentication, validate inputs, prevent SQL injection, implement rate limiting, use HTTPS.
1. Broken Object Level Authorization:
// Bad: No authorization check
app.get('/api/users/:id', (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
// Good: Check ownership
app.get('/api/users/:id', auth, async (req, res) => {
if (req.user.id !== req.params.id && !req.user.isAdmin) {
return res.status(403).json({ error: 'Forbidden' });
}
const user = await User.findById(req.params.id);
res.json(user);
});
2. Broken Authentication:
// Bad: Weak password requirements
const isValidPassword = (password) => password.length >= 6;
// Good: Strong requirements
const isValidPassword = (password) => {
return password.length >= 12 &&
/[A-Z]/.test(password) &&
/[a-z]/.test(password) &&
/[0-9]/.test(password) &&
/[^A-Za-z0-9]/.test(password);
};
// Implement rate limiting
const loginLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5, // 5 attempts
message: 'Too many login attempts'
});
app.post('/api/login', loginLimiter, loginHandler);
3. Excessive Data Exposure:
// Bad: Exposing sensitive data
app.get('/api/users/:id', async (req, res) => {
const user = await User.findById(req.params.id);
res.json(user); // Includes password hash, email, etc.
});
// Good: Return only necessary fields
app.get('/api/users/:id', async (req, res) => {
const user = await User.findById(req.params.id)
.select('id username avatar');
res.json(user);
});
4. Lack of Resources & Rate Limiting:
const rateLimit = require('express-rate-limit');
const apiLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // 100 requests per window
standardHeaders: true,
legacyHeaders: false,
});
app.use('/api/', apiLimiter);
5. Broken Function Level Authorization:
// Bad: No role check
app.delete('/api/users/:id', auth, deleteUser);
// Good: Check admin role
app.delete('/api/users/:id', auth, requireAdmin, deleteUser);
function requireAdmin(req, res, next) {
if (!req.user.isAdmin) {
return res.status(403).json({ error: 'Admin access required' });
}
next();
}
6. Mass Assignment:
// Bad: Accepting all fields
app.put('/api/users/:id', async (req, res) => {
await User.update(req.params.id, req.body); // Can set isAdmin!
});
// Good: Whitelist fields
app.put('/api/users/:id', async (req, res) => {
const { name, email, avatar } = req.body;
await User.update(req.params.id, { name, email, avatar });
});
7. Security Misconfiguration:
// Set security headers
const helmet = require('helmet');
app.use(helmet());
// Disable X-Powered-By
app.disable('x-powered-by');
// CORS configuration
const cors = require('cors');
app.use(cors({
origin: process.env.ALLOWED_ORIGINS.split(','),
credentials: true
}));
8. Injection:
// Bad: SQL injection vulnerable
const query = `SELECT * FROM users WHERE email = '${email}'`;
// Good: Parameterized query
const query = 'SELECT * FROM users WHERE email = $1';
const result = await db.query(query, [email]);
// Input validation
const { body, validationResult } = require('express-validator');
app.post('/api/users',
body('email').isEmail().normalizeEmail(),
body('name').trim().escape(),
async (req, res) => {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() });
}
// Process request
}
);
9. Improper Assets Management:
// Document API versions
// Deprecate old versions
// Remove unused endpoints
// Version API
app.use('/api/v1', v1Routes);
app.use('/api/v2', v2Routes);
// Deprecation header
app.use('/api/v1', (req, res, next) => {
res.set('Deprecation', 'true');
res.set('Sunset', 'Sat, 31 Dec 2024 23:59:59 GMT');
next();
});
10. Insufficient Logging & Monitoring:
const winston = require('winston');
const logger = winston.createLogger({
level: 'info',
format: winston.format.json(),
transports: [
new winston.transports.File({ filename: 'error.log', level: 'error' }),
new winston.transports.File({ filename: 'combined.log' })
]
});
// Log security events
app.post('/api/login', async (req, res) => {
try {
const user = await authenticate(req.body);
logger.info('Login successful', { userId: user.id, ip: req.ip });
res.json({ token: generateToken(user) });
} catch (error) {
logger.warn('Login failed', { email: req.body.email, ip: req.ip });
res.status(401).json({ error: 'Invalid credentials' });
}
});
JWT best practices:
const jwt = require('jsonwebtoken');
// Generate token
const generateToken = (user) => {
return jwt.sign(
{ id: user.id, email: user.email },
process.env.JWT_SECRET,
{ expiresIn: '15m' } // Short expiry
);
};
// Generate refresh token
const generateRefreshToken = (user) => {
return jwt.sign(
{ id: user.id },
process.env.REFRESH_SECRET,
{ expiresIn: '7d' }
);
};
// Verify token
const verifyToken = (req, res, next) => {
const token = req.headers.authorization?.split(' ')[1];
if (!token) {
return res.status(401).json({ error: 'No token provided' });
}
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET);
req.user = decoded;
next();
} catch (error) {
return res.status(401).json({ error: 'Invalid token' });
}
};
Password hashing:
const bcrypt = require('bcrypt');
// Hash password
const hashPassword = async (password) => {
const salt = await bcrypt.genSalt(12);
return bcrypt.hash(password, salt);
};
// Verify password
const verifyPassword = async (password, hash) => {
return bcrypt.compare(password, hash);
};
Sanitize inputs:
const validator = require('validator');
// Email validation
if (!validator.isEmail(email)) {
return res.status(400).json({ error: 'Invalid email' });
}
// URL validation
if (!validator.isURL(url)) {
return res.status(400).json({ error: 'Invalid URL' });
}
// Escape HTML
const sanitized = validator.escape(userInput);
Schema validation:
const Joi = require('joi');
const userSchema = Joi.object({
email: Joi.string().email().required(),
password: Joi.string().min(12).required(),
name: Joi.string().min(2).max(50).required()
});
app.post('/api/users', async (req, res) => {
const { error, value } = userSchema.validate(req.body);
if (error) {
return res.status(400).json({ error: error.details[0].message });
}
// Process validated data
});
Role-Based Access Control (RBAC):
const roles = {
user: ['read:own'],
admin: ['read:any', 'write:any', 'delete:any']
};
const checkPermission = (permission) => {
return (req, res, next) => {
const userPermissions = roles[req.user.role] || [];
if (!userPermissions.includes(permission)) {
return res.status(403).json({ error: 'Insufficient permissions' });
}
next();
};
};
app.delete('/api/users/:id',
auth,
checkPermission('delete:any'),
deleteUser
);
Force HTTPS:
app.use((req, res, next) => {
if (req.header('x-forwarded-proto') !== 'https' && process.env.NODE_ENV === 'production') {
res.redirect(`https://${req.header('host')}${req.url}`);
} else {
next();
}
});
Security headers:
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
scriptSrc: ["'self'"],
imgSrc: ["'self'", 'data:', 'https:']
}
},
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true
}
}));
const corsOptions = {
origin: (origin, callback) => {
const allowedOrigins = process.env.ALLOWED_ORIGINS.split(',');
if (!origin || allowedOrigins.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
credentials: true,
optionsSuccessStatus: 200
};
app.use(cors(corsOptions));
const apiKeyAuth = (req, res, next) => {
const apiKey = req.header('X-API-Key');
if (!apiKey) {
return res.status(401).json({ error: 'API key required' });
}
// Verify API key (use hashed comparison)
const isValid = await verifyApiKey(apiKey);
if (!isValid) {
return res.status(401).json({ error: 'Invalid API key' });
}
next();
};
Authentication:
Authorization:
Input Validation:
Transport Security:
API Security:
Data Protection:
Defense in depth:
Secure defaults:
Monitoring:
npx claudepluginhub p/armanzeroeight-backend-developer-plugins-backend-developerAudits REST, GraphQL, and RPC APIs against OWASP API Security Top 10, focusing on BOLA, authentication, and access control.
Review API security including authentication, authorization, rate limiting, input validation, and data exposure.
Scans API code for OWASP Top 10 vulnerabilities: injection, BOLA, broken auth, mass assignment, excessive data exposure, missing rate limits, and weak validation.