name: api-security-check description: Checks API security hygiene before deployment allowed-tools: Read Bash

API Security Check

When checking API security:

1. Authentication (BLOCKER if missing):

   • Is there an auth mechanism? (JWT, OAuth, API keys, sessions)
   • Are protected routes actually protected?
   • Is there a middleware or decorator handling auth globally?

2. Input Validation (WARNING if missing):

   • Is user input validated/sanitized before use?
   • Are there protections against SQL injection or NoSQL injection?
   • Is request body size limited?

3. Rate Limiting (WARNING if missing):

   • Is there rate limiting on public endpoints?
   • Is there protection against brute force on auth endpoints?

4. CORS Configuration (WARNING if misconfigured):

   • Is CORS configured? If yes, is it wildcard (*) in production? (BLOCKER if so)
   • Are allowed origins explicitly whitelisted?

5. Sensitive Data Exposure (BLOCKER if found):

   • Do API responses expose passwords, tokens, or internal IDs unnecessarily?
   • Are stack traces or internal errors returned to the client?
   • Is there any debug mode or verbose logging enabled that would ship to prod?

6. HTTPS enforcement (WARNING if missing):

   • Is there any redirect from HTTP to HTTPS?
   • Are secure/httpOnly flags set on cookies?