Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
58
37%
Does it follow best practices?
Impact: 1.17x (average score across 3 eval scenarios: 100%)
Passed: no known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./plugins/antigravity-awesome-skills-claude/skills/api-security-best-practices/SKILL.md

Scenario 1: JWT authentication with refresh tokens and secure secret handling
Check                               Without skill   With skill
JWT secret from env var             100%            100%
Short access token expiry           100%            100%
Refresh token with longer expiry    100%            100%
Refresh token stored in DB          62%             100%
DB validation on refresh            75%             100%
Issuer/audience in JWT              0%              100%
No sensitive data in JWT payload    100%            100%
bcrypt password hashing             100%            100%
Sanitized auth error messages       100%            100%
No internal errors exposed          100%            100%
Token invalidation on logout        100%            100%
Input validation on login           100%            100%
Scenario 2: API rate limiting with Redis and Helmet.js security headers

Check                               Without skill   With skill
Redis rate limit store              100%            100%
General API rate limit              100%            100%
Stricter auth rate limit            100%            100%
skipSuccessfulRequests on auth      100%            100%
Rate limit headers returned         100%            100%
Helmet.js applied                   100%            100%
HSTS configured                     100%            100%
hidePoweredBy enabled               100%            100%
Content Security Policy set         100%            100%
CORS restricts origins              100%            100%
Per-user key generator              0%              100%
No Redis credentials hardcoded      100%            100%
Scenario 3: Authorization checks, HTML sanitization, and password policy enforcement

Check                               Without skill   With skill
Ownership check on delete           100%            100%
RBAC check on delete                100%            100%
403 for unauthorized delete         100%            100%
DOMPurify for HTML sanitization     0%              100%
HTML allowlist in sanitization      50%             100%
Password minimum length 12          0%              100%
Password complexity rules           100%            100%
bcrypt hashing with rounds >= 10    100%            100%
Generic DB error messages           75%             100%
No password returned in response    100%            100%
Input validation before DB          100%            100%
Auth middleware applied             100%            100%
b3869ba