Secure API Endpoints with AI Prompts

Audit all API endpoints in this codebase for security issues.

For each endpoint, check:

1. Authentication - Is it required? Is it properly validated?
2. Authorization - Does it verify the user can access this resource?
3. Input validation - Are all inputs validated and sanitized?
4. Rate limiting - Is there protection against abuse?
5. Error handling - Do errors leak sensitive information?
6. CORS - Is it configured properly?
7. Data exposure - Does it return more data than needed?

Create a report with:

• List of all endpoints and their security status
• Critical issues that need immediate fixing
• Recommended improvements
• Code examples for each fix

Prioritize by risk level (critical, high, medium, low).

Add authentication to my unprotected API endpoints.

Current setup: describe your auth system - JWT, session, API keys

I need:

1. Middleware to verify authentication on protected routes
2. Proper handling of missing/invalid tokens
3. Different protection levels (public, authenticated, admin)
4. Rate limiting per user/API key

Endpoints to protect: list endpoints or say "all except /health and /public/*"

Create:

• Authentication middleware
• Route protection wrapper/decorator
• Standard error responses (401, 403)
• Example usage for each protection level

Add comprehensive input validation to my API endpoints.

For each endpoint:

1. Define a schema for expected inputs (body, query, params)
2. Validate types, required fields, and formats
3. Sanitize strings to prevent injection attacks
4. Set reasonable limits (max length, array size)
5. Return clear validation error messages

Use: Zod / Yup / Joi / class-validator

Also:

• Create reusable validation schemas
• Add validation middleware
• Handle validation errors consistently
• Log validation failures for monitoring

Don't trust any input, even from authenticated users.

Fix error handling in my APIs to not leak sensitive information.

Current issue: Errors may expose stack traces, database queries, or internal paths.

Implement:

1. Global error handler that catches all errors
2. Different error responses for dev vs production
3. Sanitized error messages for clients
4. Proper logging of full errors server-side
5. Standard error format (code, message, details)

Error types to handle:

• Validation errors (400)
• Authentication errors (401)
• Authorization errors (403)
• Not found (404)
• Rate limit (429)
• Server errors (500)

Never expose: stack traces, SQL queries, file paths, internal IDs in production.

Add proper authorization checks to prevent users from accessing others' data.

Common issues to fix:

1. IDOR - User A can access User B's data by changing IDs
2. Missing ownership checks on update/delete
3. Horizontal privilege escalation
4. Vertical privilege escalation (user becoming admin)

For each data-modifying endpoint:

1. Verify the authenticated user owns the resource
2. Check role/permissions for sensitive operations
3. Validate all IDs in the request belong to the user
4. Don't rely on hidden fields for authorization

Create reusable authorization helpers:

• canAccess(user, resource)
• isOwner(user, resourceId)
• hasPermission(user, action, resource)