Skill: Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities

Overall score: 63
Quality (does it follow best practices?): 46%
Impact: 97% (1.42x average score across 3 eval scenarios)
Status: Passed, no known issues

Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/antigravity-api-security-best-practices/SKILL.md

Eval scenario 1: JWT authentication implementation
Criterion                            | Without context | With context
-------------------------------------|-----------------|-------------
JWT secret from env                  | 50%             | 100%
Access token 1h expiry               | 0%              | 100%
Refresh token in database            | 100%            | 100%
Refresh token 7-day expiry           | 100%            | 100%
Issuer/audience validation           | 0%              | 100%
Generic login error message          | 100%            | 100%
No sensitive JWT payload             | 100%            | 100%
Bcrypt salt rounds >= 10             | 100%            | 100%
passwordHash excluded from responses | 100%            | 100%
Refresh token DB verification        | 100%            | 100%
Env var guard                        | 0%              | 100%

Run cost:
Without context: $0.6928 · 7m 10s · 32 turns · 39 in / 10,825 out tokens
With context: $0.8870 · 6m 29s · 33 turns · 70 in / 10,161 out tokens
Eval scenario 2: Input validation and rate limiting

Criterion                            | Without context | With context
-------------------------------------|-----------------|-------------
Zod for schema validation            | 0%              | 100%
Allowlist validation approach        | 100%            | 100%
DOMPurify for HTML sanitization      | 0%              | 100%
Explicit ALLOWED_TAGS                | 0%              | 100%
Explicit ALLOWED_ATTR                | 0%              | 100%
RedisStore for rate limiting         | 100%            | 100%
General API limit: 100/15min         | 0%              | 100%
Auth endpoint limit: 5/15min         | 12%             | 100%
skipSuccessfulRequests on auth       | 0%              | 100%
keyGenerator by userId or IP         | 25%             | 0%
Standard rate limit headers          | 100%            | 100%
Sanitized error responses            | 100%            | 100%

Run cost:
Without context: $0.6364 · 6m 21s · 31 turns · 38 in / 10,106 out tokens
With context: $0.8772 · 6m 30s · 33 turns · 298 in / 9,764 out tokens
Eval scenario 3: Security headers and authorization checks

Criterion                            | Without context | With context
-------------------------------------|-----------------|-------------
Helmet.js used                       | 100%            | 100%
CSP defaultSrc 'self'                | 100%            | 100%
frameguard deny                      | 100%            | 100%
hidePoweredBy enabled                | 83%             | 100%
noSniff enabled                      | 100%            | 100%
HSTS maxAge 31536000                 | 100%            | 100%
HSTS includeSubDomains and preload   | 100%            | 100%
CORS restricted to trusted origins   | 100%            | 100%
Ownership authorization check        | 100%            | 100%
403 on unauthorized resource         | 100%            | 100%
No stack traces in errors            | 100%            | 100%
Generic 500 error message            | 100%            | 100%

Run cost:
Without context: $0.5848 · 6m 18s · 30 turns · 33 in / 8,736 out tokens
With context: $0.8949 · 6m 47s · 36 turns · 40 in / 9,024 out tokens