hjemmesidekongen/api-security
plugins/smedjen/skills/api-security/SKILL.md
Rate limiting, input validation, CORS, security headers, API keys, and request sanitization.
development
Updated Apr 5, 2026
$ install --global
skillsauthnpx skillsauth add hjemmesidekongen/ai api-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 5:27 PM31.5s2 files scanned
SKILL.md
- name:
- api-security
- description:
- >
- user_invocable:
- false
- interactive:
- false
- model_tier:
- senior
- depends_on:
- []
- reads:
- []
- writes:
- []
- type:
- data_validation
- - name:
- security_headers_set
- verify:
- Responses include Helmet defaults: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
- fail_action:
- Add Helmet.js middleware or equivalent header configuration
- on_fail:
- API has unresolved security gaps — address before deploying to production
- on_pass:
- API security posture is sound
- origin:
- smedjen
- inspired_by:
- original
- ported_date:
- 2026-03-10
- iteration:
- 1
- changes:
- New discipline skill for smedjen
API Security
Defense-in-depth: rate limiting stops abuse, validation stops bad data, headers stop browser-based attacks, sanitization stops injection.
Rate Limiting
Token bucket — users accumulate tokens over time. Good for bursty traffic. Sliding window — rolling time window, Redis-backed with ZADD/ZCOUNT. More uniform enforcement.
Apply at multiple levels: per-IP (unauthenticated), per-user (authenticated), per-endpoint (login, OTP, password reset). Return 429 with Retry-After header.
Input Validation
Validate at the API boundary before touching business logic. zod (TypeScript): type-safe schemas, infers TS types, preferred. joi (JS): runtime-only, battle-tested. class-validator (NestJS): decorator-based DTOs with class-transformer.
Validate: shape, types, string formats, numeric ranges, enum membership, array length. Reject unknown fields. Return structured 400 with field-level error details.
CORS
Explicit allowlist only — never * with credentials. Match origin against the list; set Access-Control-Allow-Origin to the matched origin, not *. Set Access-Control-Max-Age (e.g., 86400) to reduce preflights. Separate dev/staging/production origins in config, not in code.
Security Headers — Helmet.js
helmet() sets 11 headers by default. Critical: Content-Security-Policy, Strict-Transport-Security (1yr + includeSubDomains), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer. CSP requires per-project tuning — start with default-src 'self'.
Sanitization
SQL injection — parameterized queries or ORM always. XSS — sanitize HTML with sanitize-html (server) or DOMPurify (client) when storing user HTML. Path traversal — normalize paths, never build file paths from raw user input. NoSQL injection — strip MongoDB operators from user input ($where, $gt).
Additional Controls
Body size limits (tune from Express's 100kb default). HTTPS enforced at the load balancer. IP allowlisting for admin/internal routes. Structured logging on all 4xx/5xx; alert on anomalous error rates.
Anti-Patterns
No rate limiting on auth endpoints, wildcard CORS with credentials, raw SQL concatenation, logging request bodies with credentials, HTTP in production, missing body size limits.
See references/process.md for Redis rate limiter, zod middleware, Helmet config, CORS setup, sanitization helpers, API key management, and NestJS guard patterns.
Related Skills
hjemmesidekongen/brand-strategy
development
VerifiedTrustedCommunity
Creates a brand from scratch through market research and interactive sparring. Runs competitive research via Perplexity, then guides the user through positioning, audience, voice, values, and content pillars. Produces the full brand guideline set at .ai/brand/{name}/. Use when building a new brand, defining brand strategy for a product, or when /våbenskjold:create is invoked.
SKILL.mdUpdated Apr 5, 2026
hjemmesidekongen/brand-loader
testing
VerifiedTrustedCommunity
Loads brand guidelines from .ai/brand/{name}/ and makes them available to the current context. Progressive disclosure: L1 confirms brand exists, L2 loads summary, L3 loads specific files on demand. Use when a downstream skill or user needs brand context, or when /våbenskjold:apply is invoked.
SKILL.mdUpdated Apr 5, 2026
hjemmesidekongen/brand-evolve
documentation
VerifiedTrustedCommunity
Guided reinvention of an existing brand guideline. Loads current brand from .ai/brand/{name}/, identifies what to keep vs change, and walks the user through targeted evolution. Preserves brand equity while updating positioning, voice, or values. Use when refreshing a brand or when /våbenskjold:evolve is invoked.
SKILL.mdUpdated Apr 5, 2026
hjemmesidekongen/brand-audit
development
VerifiedTrustedCommunity
Codifies an existing brand from materials, samples, and references. Analyzes provided content to extract voice patterns, values, and positioning. Produces the same guideline format as brand-strategy. Use when a brand already exists but isn't documented, or when /våbenskjold:audit is invoked.
SKILL.mdUpdated Apr 5, 2026