Hardens REST APIs with Express middleware for authentication, rate limiting, input validation, security headers. Includes FastAPI/Nginx examples, checklists for production APIs, audits, vulnerabilities.
Install: npx claudepluginhub secondsky/claude-skills --plugin api-security-hardening
How this skill is triggered (by the user, by Claude, or both): Slash command
Slash command: /api-security-hardening:api-security-hardening
The summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Protect REST APIs against common vulnerabilities with multiple security layers.
Guides implementing authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities for REST, GraphQL, and WebSocket APIs.
Implements secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common vulnerabilities for REST, GraphQL, and WebSocket APIs. Use when designing, securing, or reviewing APIs.
Produces prioritized security hardening specs and implements them: auth patterns, headers, rate limiting, input validation, secrets management, dependency hygiene. Use for 'harden this', 'secure service', or pre-launch checks.
Protect REST APIs against common vulnerabilities with multiple security layers.
```javascript
const express = require('express');
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');

const app = express();
app.use(express.json());

// Security headers (CSP, HSTS, X-Content-Type-Options, ...) with helmet's defaults
app.use(helmet());
// Strip MongoDB operator keys ($, .) from body/query/params to block NoSQL injection
app.use(mongoSanitize());
// Neutralise HTML in user-supplied input
app.use(xss());

// General API limit: 100 requests per client per 15-minute window
app.use('/api/', rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100
}));
// Much stricter limit on authentication routes to slow brute force and credential stuffing
app.use('/api/auth/', rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5
}));
```
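Because both `app.use('/api/', ...)` and `app.use('/api/auth/', ...)` match a login request, a call to `/api/auth/login` is counted by both limiters, and the stricter one rejects first. The following added example (not code from the skill) reproduces that two-tier policy with a dependency-free fixed-window limiter so the layering can be checked without Express; keying on the client IP and the sample addresses are assumptions.

```javascript
const WINDOW_MS = 15 * 60 * 1000;

// Fixed-window counter per key, mirroring express-rate-limit's windowMs/max semantics:
// the first `max` requests in a window pass, the next one is rejected until reset.
function createLimiter({ windowMs, max }) {
  const buckets = new Map(); // key -> { count, resetAt }
  return function check(key, now = Date.now()) {
    let b = buckets.get(key);
    if (!b || now >= b.resetAt) {
      b = { count: 0, resetAt: now + windowMs };
      buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - b.count),
      retryAfterSec: allowed ? 0 : Math.ceil((b.resetAt - now) / 1000),
    };
  };
}

// Tiers in the order Express evaluates them: the broad /api/ limiter first,
// then the stricter /api/auth/ limiter. A login request must pass both.
const tiers = [
  { prefix: '/api/', limiter: createLimiter({ windowMs: WINDOW_MS, max: 100 }) },
  { prefix: '/api/auth/', limiter: createLimiter({ windowMs: WINDOW_MS, max: 5 }) },
];

// Decide for one request; the bucket key is (tier, client IP) - an assumption,
// behind a reverse proxy the trusted X-Forwarded-For hop would be used instead.
function decide(ip, path, now = Date.now()) {
  for (const { prefix, limiter } of tiers) {
    if (!path.startsWith(prefix)) continue;
    const r = limiter(`${prefix}|${ip}`, now);
    if (!r.allowed) {
      return { status: 429, headers: { 'Retry-After': String(r.retryAfterSec) } };
    }
  }
  return { status: 200 };
}

// Constructed demo: the 6th login attempt from one address inside the window is
// rejected by the auth tier, the same address can still use other /api/ routes,
// and the counter clears once the window has elapsed.
function demo() {
  const t0 = 1700000000000;
  const results = [];
  for (let i = 0; i < 6; i++) results.push(decide('203.0.113.7', '/api/auth/login', t0 + i).status);
  results.push(decide('203.0.113.7', '/api/users', t0 + 10).status);
  results.push(decide('203.0.113.7', '/api/auth/login', t0 + WINDOW_MS + 1).status);
  return results; // [200, 200, 200, 200, 200, 429, 200, 200]
}
```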
```javascript
const express = require('express');
const { body, validationResult } = require('express-validator');

const app = express();
app.use(express.json());

app.post('/users',
  // Validation chain: every rule runs against req.body before the handler executes
  body('email').isEmail().normalizeEmail(),
  body('password').isLength({ min: 8 }).matches(/[A-Z]/).matches(/[0-9]/),
  body('name').trim().escape().isLength({ max: 100 }),
  (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      // Reject with field-level errors; the submitted password value is not echoed back
      return res.status(400).json({ errors: errors.array() });
    }
    // Process request with the validated, sanitised input
  }
);
```
```javascript
const express = require('express');
const app = express();

// Explicit security headers. helmet() already sets most of these with the same or
// stricter values, so pick one source of truth to avoid conflicting header output.
app.use((req, res, next) => {
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  // Legacy header: current browsers ignore it and helmet now sends '0' instead
  res.setHeader('X-XSS-Protection', '1; mode=block');
  next();
});
```
See references/python-nginx.md for: