YepAPI

API Security Agent Skill

API security — strict CORS, rate limiting, payload limits, key rotation.

Tags: security, api, cors, rate-limiting

The Skill


SKILL.md
---
description: API security — strict CORS, rate limiting, payload limits, key rotation.
homepage: https://yepapi.com/skills/api-security
metadata:
  tags: [security, api, cors, rate-limiting]
---

# API Security

## Rules

- CORS: whitelist specific origins, never use `*` in production — list exact origins (scheme + host + port) and never echo the request's `Origin` header back unchecked
- Rate limit per endpoint: auth endpoints (5/min), API reads (100/min), writes (20/min)
- Enforce request payload size limits: 1MB default body, 10MB for file uploads
- Validate that the `Content-Type` header matches the actual payload — reject mismatches instead of sniffing the body
- Disable the `X-Powered-By` header — don't leak your framework (`app.disable("x-powered-by")` in Express)
- API keys: support rotation (active + previous key both valid during a bounded transition window), store only a hash of each key, never the plaintext
- Return `429 Too Many Requests` with a `Retry-After` header when rate limited

```ts
// Express CORS — strict origin whitelist
import express from "express";
import cors from "cors";

const app = express();

app.use(cors({
  // Exact origins only (scheme + host + port); no wildcard, no regex a lookalike domain could match
  origin: ["https://myapp.com", "https://app.myapp.com"],
  methods: ["GET", "POST", "PUT", "DELETE"],
  credentials: true, // cookies/auth headers allowed only for the origins listed above
}));
```

```ts
// Continues the file above (same `express` import and `app` instance)

// Payload size limit — JSON bodies; give file-upload routes their own, larger limit
app.use(express.json({ limit: "1mb" }));

// Per-route rate limiting
import rateLimit from "express-rate-limit";
const loginLimiter = rateLimit({
  windowMs: 60 * 1000,
  max: 5,                  // 5 attempts per minute per client
  standardHeaders: true,   // RateLimit-* headers on every response
  legacyHeaders: false,    // drop the non-standard X-RateLimit-* headers
  message: { error: "Too many attempts, try again later" }, // body of the 429, which also carries Retry-After
});
// loginHandler is the app's existing authentication handler
app.post("/api/login", loginLimiter, loginHandler);
```
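The key-rotation rule (active and previous key both valid during a transition, only hashes stored) has no code in the skill, so here is an added example of it; it is not part of the YepAPI skill. The in-memory maps stand in for a database table, and the names (`issueKey`, `rotateKey`, `verifyKey`, `pruneKeys`) and the `keyId.secret` presentation format are assumptions for illustration.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Added example (not from the YepAPI skill): API keys stored only as hashes, with a
// bounded grace window during rotation. The in-memory store and function names are
// illustrative assumptions; a real service keeps these rows in a database.

interface KeyRow {
  clientId: string;
  hash: Buffer;             // SHA-256 of the secret; the plaintext is never stored
  expiresAt: number | null; // null = active key; a timestamp = previous key inside its grace window
}

const keysById = new Map<string, KeyRow>();      // keyId -> row (keyId is public and safe to log)
const activeKeyId = new Map<string, string>();   // clientId -> current keyId

// Keys are 256-bit random secrets, so one fast hash is enough; bcrypt/argon2 exist for low-entropy passwords
function hashSecret(secret: string): Buffer {
  return createHash("sha256").update(secret, "utf8").digest();
}

// Presented form is "keyId.secret": the id finds the row in O(1) without hashing against every stored key
function mintKey(clientId: string): string {
  const keyId = randomBytes(8).toString("hex");
  const secret = randomBytes(32).toString("base64url");
  keysById.set(keyId, { clientId, hash: hashSecret(secret), expiresAt: null });
  activeKeyId.set(clientId, keyId);
  return `${keyId}.${secret}`;
}

function issueKey(clientId: string): string {
  if (activeKeyId.has(clientId)) throw new Error("client already has a key; use rotateKey");
  return mintKey(clientId);
}

// The new key is active immediately; the old one keeps working until now + graceMs, then is rejected
function rotateKey(clientId: string, graceMs: number, now = Date.now()): string {
  const oldId = activeKeyId.get(clientId);
  if (oldId === undefined) throw new Error("unknown client");
  // Only one previous key at a time: any older key still in its window is dropped by this rotation
  for (const [id, row] of keysById) {
    if (row.clientId === clientId && id !== oldId) keysById.delete(id);
  }
  keysById.get(oldId)!.expiresAt = now + graceMs;
  return mintKey(clientId);
}

interface VerifiedKey { clientId: string; keyId: string; rotating: boolean }

function verifyKey(presented: string, now = Date.now()): VerifiedKey | null {
  const dot = presented.indexOf(".");
  if (dot <= 0 || dot === presented.length - 1) return null;
  const keyId = presented.slice(0, dot);
  const row = keysById.get(keyId);
  if (row === undefined) return null;
  if (row.expiresAt !== null && now >= row.expiresAt) return null;  // grace window is over
  const candidate = hashSecret(presented.slice(dot + 1));
  if (!timingSafeEqual(candidate, row.hash)) return null;           // constant-time compare of equal-length digests
  return { clientId: row.clientId, keyId, rotating: row.expiresAt !== null };
}

// Housekeeping: drop previous keys whose grace window has closed
function pruneKeys(now = Date.now()): number {
  let removed = 0;
  for (const [id, row] of keysById) {
    if (row.expiresAt !== null && now >= row.expiresAt) {
      keysById.delete(id);
      removed++;
    }
  }
  return removed;
}
```

`verifyKey` reports `rotating: true` while a previous key is still in use, which is the signal to log a warning and nudge the client before the window closes. Hashing the secret before the lookup-by-id means a database dump yields only SHA-256 digests of 256-bit random values, which cannot be reversed or brute-forced.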

## Avoid

- `Access-Control-Allow-Origin: *` with credentials — browsers refuse the credentialed response, and the usual workarounds (reflecting whatever `Origin` arrives, or disabling CORS entirely) hand every site authenticated access
- No rate limiting on public endpoints — bots drain your resources and scrape your data
- Accepting API keys in query strings — they leak into access logs, browser history and `Referer` headers; require an `Authorization` header instead
- Exposing internal error details in API responses — return error codes, log details server-side
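The first item above (and the FAQ answer on wildcards below) is easiest to see with the three origin checks side by side. This is an added example, not part of the YepAPI skill: `corsReflecting` and `corsSuffixRegex` are the two common workarounds that accept attacker-controlled origins, and `corsStrict` is the exact-match allowlist the skill calls for, using the same two origins as the Express snippet. Function names and the `CorsDecision` shape are assumptions for illustration.

```typescript
// Added example (not from the YepAPI skill): two common CORS mistakes beside the strict check.
// Names are illustrative; the allowed origins match the skill's Express snippet.

const ALLOWED_ORIGINS: ReadonlySet<string> = new Set(["https://myapp.com", "https://app.myapp.com"]);

interface CorsDecision {
  allowed: boolean;
  headers: Record<string, string>;  // response headers to set for this request
}

const DENY: CorsDecision = { allowed: false, headers: { Vary: "Origin" } };

function allow(origin: string): CorsDecision {
  return {
    allowed: true,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      Vary: "Origin",   // the response differs per Origin, so caches must key on it
    },
  };
}

// Anti-pattern 1: reflect whatever Origin arrives. It silences the "* with credentials" error
// and grants every site on the internet credentialed access to the API.
function corsReflecting(origin: string | undefined): CorsDecision {
  return origin === undefined ? DENY : allow(origin);
}

// Anti-pattern 2: unanchored substring/regex match. "https://evilmyapp.com" and
// "https://myapp.com.evil.net" are attacker-registrable and still match.
function corsSuffixRegex(origin: string | undefined): CorsDecision {
  if (origin === undefined) return DENY;
  return /myapp\.com/.test(origin) ? allow(origin) : DENY;
}

// Strict: parse the Origin, then require exact membership of its canonical serialization
// (scheme + host + port) in the allowlist.
function corsStrict(origin: string | undefined, allowed: ReadonlySet<string> = ALLOWED_ORIGINS): CorsDecision {
  if (origin === undefined) return DENY;     // same-origin or non-browser client: emit no CORS headers
  let canonical: string;
  try {
    canonical = new URL(origin).origin;      // lowercases the host and drops a default port
  } catch {
    return DENY;                             // "null" and other non-URL values fail to parse
  }
  if (canonical === "null" || !allowed.has(canonical)) return DENY;  // opaque origins (file:, sandboxed) serialize as "null"
  return allow(canonical);
}
```

Parsing with `URL` before comparing matters: `https://MYAPP.com:443` is the same origin as `https://myapp.com` and should pass, while `http://myapp.com` (different scheme) and `https://myapp.com.evil.net` (different host) must not. The `Vary: Origin` header is emitted on every decision so a shared cache never serves one origin's allow header to another.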


Why Use the API Security Skill?

Without this skill, your AI guesses at API security patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset, so every suggestion aligns with current standards.

Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.

Try These Prompts

These prompts work better with the API Security skill installed. Your AI knows the context and writes code that fits.

"Add strict CORS configuration with a whitelist of allowed origins to my Express API"

"Implement per-endpoint rate limiting with different limits for auth vs data endpoints"

"Set up API key rotation with a transition period where both old and new keys work"

API Security skill — FAQ

It provides rules for strict CORS whitelisting, per-endpoint rate limiting, request payload size limits, and API key rotation. Your AI writes API code with production security defaults.

Run `npx skills add YepAPI/skills --skill api-security` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.

Browsers refuse to honour `Access-Control-Allow-Origin: *` on a credentialed request, so the wildcard simply does not work there. The real danger is the usual workaround: echoing the request's `Origin` header back with `Access-Control-Allow-Credentials: true`, which lets any site make authenticated cross-origin requests to your API. Always whitelist specific, trusted origins.
