[{"data":1,"prerenderedAt":436},["ShallowReactive",2],{"blog-prompts/secure-api-endpoints":3},{"id":4,"title":5,"body":6,"category":415,"date":416,"dateModified":417,"description":418,"draft":419,"extension":420,"faq":421,"featured":419,"headerVariant":422,"image":421,"keywords":421,"meta":423,"navigation":424,"ogDescription":425,"ogTitle":421,"path":426,"readTime":421,"schemaOrg":427,"schemaType":428,"seo":429,"sitemap":430,"stem":431,"tags":432,"twitterCard":434,"__hash__":435},"blog/blog/prompts/secure-api-endpoints.md","Secure API Endpoints with AI Prompts",{"type":7,"value":8,"toc":405},"minimark",[9,16,21,24,80,84,87,140,144,147,199,203,206,260,270,274,290,344,353,375,393],[10,11,12],"tldr",{},[13,14,15],"p",{},"These prompts help you secure API endpoints with proper authentication, authorization, rate limiting, input validation, and error handling. They cover common security issues that leave APIs vulnerable to abuse and data breaches.",[17,18,20],"h2",{"id":19},"complete-api-security-audit","Complete API Security Audit",[13,22,23],{},"Use this prompt to run a full security audit across every API endpoint in your codebase. Your AI will check authentication, authorization, input validation, rate limiting, CORS, and error handling, then produce a prioritized report with code fixes.",[25,26,28,31,34,59,62,77],"prompt-box",{"title":27},"Full API Security Audit",[13,29,30],{},"Audit all API endpoints in this codebase for security issues.",[13,32,33],{},"For each endpoint, check:",[35,36,37,41,44,47,50,53,56],"ol",{},[38,39,40],"li",{},"Authentication - Is it required? 
Is it properly validated?",[38,42,43],{},"Authorization - Does it verify the user can access this resource?",[38,45,46],{},"Input validation - Are all inputs validated and sanitized?",[38,48,49],{},"Rate limiting - Is there protection against abuse?",[38,51,52],{},"Error handling - Do errors leak sensitive information?",[38,54,55],{},"CORS - Is it configured properly?",[38,57,58],{},"Data exposure - Does it return more data than needed?",[13,60,61],{},"Create a report with:",[63,64,65,68,71,74],"ul",{},[38,66,67],{},"List of all endpoints and their security status",[38,69,70],{},"Critical issues that need immediate fixing",[38,72,73],{},"Recommended improvements",[38,75,76],{},"Code examples for each fix",[13,78,79],{},"Prioritize by risk level (critical, high, medium, low).",[17,81,83],{"id":82},"add-authentication-to-endpoints","Add Authentication to Endpoints",[13,85,86],{},"Copy this prompt to generate authentication middleware for your unprotected API routes. Your AI will create route protection wrappers with public, authenticated, and admin levels, plus standard 401/403 error responses.",[25,88,90,93,100,103,117,123,126],{"title":89},"Add API Authentication",[13,91,92],{},"Add authentication to my unprotected API endpoints.",[13,94,95,96],{},"Current setup: ",[97,98,99],"span",{},"describe your auth system - JWT, session, API keys",[13,101,102],{},"I need:",[35,104,105,108,111,114],{},[38,106,107],{},"Middleware to verify authentication on protected routes",[38,109,110],{},"Proper handling of missing/invalid tokens",[38,112,113],{},"Different protection levels (public, authenticated, admin)",[38,115,116],{},"Rate limiting per user/API key",[13,118,119,120],{},"Endpoints to protect:\n",[97,121,122],{},"list endpoints or say \"all except /health and /public/*\"",[13,124,125],{},"Create:",[63,127,128,131,134,137],{},[38,129,130],{},"Authentication middleware",[38,132,133],{},"Route protection wrapper/decorator",[38,135,136],{},"Standard error responses (401, 
403)",[38,138,139],{},"Example usage for each protection level",[17,141,143],{"id":142},"input-validation","Input Validation",[13,145,146],{},"Use this prompt to add schema-based input validation to every endpoint. Your AI will define validation schemas for body, query, and path parameters, create reusable middleware, and set up consistent error responses with monitoring.",[25,148,150,153,156,173,179,182,196],{"title":149},"Add Input Validation",[13,151,152],{},"Add comprehensive input validation to my API endpoints.",[13,154,155],{},"For each endpoint:",[35,157,158,161,164,167,170],{},[38,159,160],{},"Define a schema for expected inputs (body, query, params)",[38,162,163],{},"Validate types, required fields, and formats",[38,165,166],{},"Sanitize strings to prevent injection attacks",[38,168,169],{},"Set reasonable limits (max length, array size)",[38,171,172],{},"Return clear validation error messages",[13,174,175,176],{},"Use: ",[97,177,178],{},"Zod / Yup / Joi / class-validator",[13,180,181],{},"Also:",[63,183,184,187,190,193],{},[38,185,186],{},"Create reusable validation schemas",[38,188,189],{},"Add validation middleware",[38,191,192],{},"Handle validation errors consistently",[38,194,195],{},"Log validation failures for monitoring",[13,197,198],{},"Don't trust any input, even from authenticated users.",[17,200,202],{"id":201},"secure-error-handling","Secure Error Handling",[13,204,205],{},"This prompt asks your AI to fix error handling so your API never leaks stack traces, SQL queries, or internal paths. 
You'll get a global error handler with dev/production modes and a standard error response format.",[25,207,208,211,214,217,234,237,257],{"title":202},[13,209,210],{},"Fix error handling in my APIs to not leak sensitive information.",[13,212,213],{},"Current issue: Errors may expose stack traces, database queries, or internal paths.",[13,215,216],{},"Implement:",[35,218,219,222,225,228,231],{},[38,220,221],{},"Global error handler that catches all errors",[38,223,224],{},"Different error responses for dev vs production",[38,226,227],{},"Sanitized error messages for clients",[38,229,230],{},"Proper logging of full errors server-side",[38,232,233],{},"Standard error format (code, message, details)",[13,235,236],{},"Error types to handle:",[63,238,239,242,245,248,251,254],{},[38,240,241],{},"Validation errors (400)",[38,243,244],{},"Authentication errors (401)",[38,246,247],{},"Authorization errors (403)",[38,249,250],{},"Not found (404)",[38,252,253],{},"Rate limit (429)",[38,255,256],{},"Server errors (500)",[13,258,259],{},"Never expose: stack traces, SQL queries, file paths, internal IDs in production.",[261,262,263],"warning-box",{},[13,264,265,269],{},[266,267,268],"strong",{},"Don't trust the client:"," Validate everything server-side, even if you validate client-side too. Client-side validation can be bypassed. Server-side validation is your real security.",[17,271,273],{"id":272},"authorization-checks","Authorization Checks",[13,275,276,277,281,282,285,286,289],{},"Paste this prompt to add ownership and permission checks that prevent users from accessing each other's data. 
Your AI will create reusable ",[278,279,280],"code",{},"canAccess",", ",[278,283,284],{},"isOwner",", and ",[278,287,288],{},"hasPermission"," helpers that guard against IDOR and privilege escalation.",[25,291,293,296,299,313,316,330,333],{"title":292},"Add Authorization",[13,294,295],{},"Add proper authorization checks to prevent users from accessing others' data.",[13,297,298],{},"Common issues to fix:",[35,300,301,304,307,310],{},[38,302,303],{},"IDOR - User A can access User B's data by changing IDs",[38,305,306],{},"Missing ownership checks on update/delete",[38,308,309],{},"Horizontal privilege escalation",[38,311,312],{},"Vertical privilege escalation (user becoming admin)",[13,314,315],{},"For each endpoint that reads or modifies user data:",[35,317,318,321,324,327],{},[38,319,320],{},"Verify the authenticated user owns the resource",[38,322,323],{},"Check role/permissions for sensitive operations",[38,325,326],{},"Validate that all IDs in the request belong to the user",[38,328,329],{},"Don't rely on hidden fields for authorization",[13,331,332],{},"Create reusable authorization helpers:",[63,334,335,338,341],{},[38,336,337],{},"canAccess(user, resource)",[38,339,340],{},"isOwner(user, resourceId)",[38,342,343],{},"hasPermission(user, action, resource)",[345,346,347],"tip-box",{},[13,348,349,352],{},[266,350,351],{},"Pro tip:"," Always verify authorization at the data layer, not just the route layer. Even internal functions should check permissions, in case they're called from unexpected places.",[354,355,356,363,369],"faq-section",{},[357,358,360],"faq-item",{"question":359},"Do I need rate limiting if I have authentication?",[13,361,362],{},"Yes. Authenticated users can still abuse your API, either intentionally or due to bugs in their code. Rate limiting protects against both malicious abuse and accidental overuse.",[357,364,366],{"question":365},"Should I validate data that comes from my own frontend?",[13,367,368],{},"Always. 
Attackers can bypass your frontend and send requests directly to your API. Server-side validation is the only validation that matters for security.",[357,370,372],{"question":371},"How do I handle sensitive data in API responses?",[13,373,374],{},"Only return the data the client needs. Use explicit allow-lists of fields rather than excluding sensitive ones. Consider different response shapes for different user roles.",[376,377,378,384,388],"related-articles",{},[379,380],"related-card",{"description":381,"href":382,"title":383},"Prevent API abuse","/blog/prompts/rate-limit-api","Add Rate Limiting",[379,385],{"description":386,"href":387,"title":89},"Protect your endpoints","/blog/prompts/add-api-authentication",[379,389],{"description":390,"href":391,"title":392},"Validate before saving","/blog/prompts/database-input-validation","Database Input Validation",[394,395,398,402],"cta-box",{"href":396,"label":397},"/","Start Free Scan",[17,399,401],{"id":400},"test-your-api-security","Test Your API Security",[13,403,404],{},"Scan your API endpoints for common vulnerabilities.",{"title":406,"searchDepth":407,"depth":407,"links":408},"",2,[409,410,411,412,413,414],{"id":19,"depth":407,"text":20},{"id":82,"depth":407,"text":83},{"id":142,"depth":407,"text":143},{"id":201,"depth":407,"text":202},{"id":272,"depth":407,"text":273},{"id":400,"depth":407,"text":401},"prompts","2026-02-24","2026-03-06","AI prompts to secure your API endpoints. Add authentication, rate limiting, input validation, and proper error handling to protect your APIs.",false,"md",null,"cyan",{},true,"AI prompts to secure your API endpoints with authentication, rate limiting, and validation.","/blog/prompts/secure-api-endpoints","[object Object]","BlogPosting",{"title":5,"description":418},{"loc":426},"blog/prompts/secure-api-endpoints",[433],"API Security","summary_large_image","RHENFdzwb8G_GqkRELHqWWskizoktuzamZoX3x1uOxw",1775843938347]