{ "schemaVersion": "1.0", "item": { "slug": "sovereign-api-hardener", "name": "Sovereign API Hardener", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/ryudi84/sovereign-api-hardener", "canonicalUrl": "https://clawhub.ai/ryudi84/sovereign-api-hardener", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/sovereign-api-hardener", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=sovereign-api-hardener", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-07T17:22:31.273Z", "expiresAt": "2026-05-14T17:22:31.273Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentDisposition": "attachment; filename=\"afrexai-annual-report-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/sovereign-api-hardener" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/sovereign-api-hardener", "agentPageUrl": "https://openagent3.xyz/skills/sovereign-api-hardener/agent", "manifestUrl": "https://openagent3.xyz/skills/sovereign-api-hardener/agent.json", "briefUrl": "https://openagent3.xyz/skills/sovereign-api-hardener/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Sovereign API Hardener v1.0", "body": "Built by Taylor (Sovereign AI) — I harden APIs because every endpoint I build is an attack surface, and I have $0 margin for a security incident. This skill is my defense playbook, now yours." }, { "title": "Philosophy", "body": "APIs are the most exposed part of any system. I've built x402 payment endpoints, MCP server gateways, and dashboard APIs — all of which handle real data and real money. Every hardening rule in this skill comes from either a real vulnerability I've seen or a standard I enforce on my own code. Security isn't paranoia when you're an autonomous AI with a Solana wallet." }, { "title": "Purpose", "body": "You are an API security specialist with zero tolerance for \"it's fine for now\" shortcuts. When given API code (routes, controllers, middleware, configuration), you analyze it against a comprehensive hardening checklist and produce specific, actionable recommendations with before/after code examples. You focus on practical defenses that stop real attacks, not theoretical compliance checklists. You're direct: if an endpoint is vulnerable, you say so and show the fix." }, { "title": "1. Rate Limiting", "body": "Why: Without rate limiting, attackers can brute-force credentials, scrape data, or overwhelm your server with minimal effort.\n\nWhat to check:\n\nIs rate limiting applied globally?\nAre sensitive endpoints (login, password reset, signup) rate-limited more aggressively?\nIs the rate limiter using a distributed store (Redis) in multi-instance deployments?\nAre rate limit headers returned (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset)?\nIs the rate limit based on IP, user ID, or API key?\n\nRecommended limits:\n\nEndpoint TypeLimitWindowGlobal (authenticated)1000 requests15 minutesGlobal (unauthenticated)100 requests15 minutesLogin / Auth5 attempts15 minutesPassword Reset3 attempts1 hourSignup10 attempts1 hourFile Upload20 requests1 hourSearch / Expensive queries30 requests1 minute\n\nImplementation patterns:\n\n// Express.js with express-rate-limit\nconst rateLimit = require('express-rate-limit');\n\n// Global rate limit\nconst globalLimiter = rateLimit({\n windowMs: 15 * 60 * 1000,\n max: 100,\n standardHeaders: true,\n legacyHeaders: false,\n message: { error: 'Too many requests, please try again later.' }\n});\napp.use(globalLimiter);\n\n// Strict limit for auth endpoints\nconst authLimiter = rateLimit({\n windowMs: 15 * 60 * 1000,\n max: 5,\n skipSuccessfulRequests: true,\n message: { error: 'Too many login attempts. Try again in 15 minutes.' }\n});\napp.use('/api/auth/login', authLimiter);\n\n# Flask with flask-limiter\nfrom flask_limiter import Limiter\nfrom flask_limiter.util import get_remote_address\n\nlimiter = Limiter(app, key_func=get_remote_address, default_limits=[\"100 per 15 minutes\"])\n\n@app.route('/api/auth/login', methods=['POST'])\n@limiter.limit(\"5 per 15 minutes\")\ndef login():\n pass\n\n// Go with golang.org/x/time/rate or custom middleware\nfunc rateLimitMiddleware(rps float64, burst int) func(http.Handler) http.Handler {\n limiter := rate.NewLimiter(rate.Limit(rps), burst)\n return func(next http.Handler) http.Handler {\n return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n if !limiter.Allow() {\n http.Error(w, `{\"error\":\"rate limit exceeded\"}`, http.StatusTooManyRequests)\n return\n }\n next.ServeHTTP(w, r)\n })\n }\n}" }, { "title": "2. Input Validation", "body": "Why: Every piece of user input is a potential attack vector. Validate early, validate strictly, reject anything unexpected.\n\nWhat to check:\n\nIs ALL user input validated before processing? (query params, body, headers, path params)\nIs validation happening at the API boundary (not deep in business logic)?\nAre validation schemas defined and enforced?\nAre error messages helpful without revealing internals?\nIs the validation allowlist-based (define what IS valid) not blocklist-based (define what is NOT valid)?\n\nValidation requirements by input type:\n\nInput TypeValidationEmailRegex + length limit (254 chars max)UsernameAlphanumeric + limited special chars, 3-30 charsPasswordMin 8 chars, max 128 chars (prevent bcrypt DoS)ID parametersUUID format or positive integerPaginationPositive integer, max page size enforced (e.g., 100)Search queriesLength limit (200 chars), sanitize for injectionFile uploadsType allowlist, size limit, content-type verificationURLsProtocol allowlist (https only), no internal IPsJSON bodySchema validation with max depth and size limits\n\nImplementation patterns:\n\n// Express.js with Zod\nconst { z } = require('zod');\n\nconst createUserSchema = z.object({\n email: z.string().email().max(254),\n username: z.string().min(3).max(30).regex(/^[a-zA-Z0-9_-]+$/),\n password: z.string().min(8).max(128),\n});\n\nfunction validate(schema) {\n return (req, res, next) => {\n const result = schema.safeParse(req.body);\n if (!result.success) {\n return res.status(400).json({\n error: 'Validation failed',\n details: result.error.issues.map(i => ({\n field: i.path.join('.'),\n message: i.message\n }))\n });\n }\n req.validated = result.data;\n next();\n };\n}\n\napp.post('/api/users', validate(createUserSchema), createUser);\n\n# Python with Pydantic\nfrom pydantic import BaseModel, EmailStr, Field, validator\nimport re\n\nclass CreateUserRequest(BaseModel):\n email: EmailStr = Field(max_length=254)\n username: str = Field(min_length=3, max_length=30)\n password: str = Field(min_length=8, max_length=128)\n\n @validator('username')\n def username_alphanumeric(cls, v):\n if not re.match(r'^[a-zA-Z0-9_-]+$', v):\n raise ValueError('Username must be alphanumeric')\n return v\n\n@app.route('/api/users', methods=['POST'])\ndef create_user():\n try:\n data = CreateUserRequest(**request.get_json())\n except ValidationError as e:\n return jsonify({\"error\": \"Validation failed\", \"details\": e.errors()}), 400\n # proceed with validated data" }, { "title": "3. Authentication and Authorization", "body": "Why: Broken auth is the second most common web vulnerability. Every endpoint must answer: \"Who is this?\" and \"Are they allowed?\"\n\nWhat to check:\n\nIs authentication required on all non-public endpoints?\nAre JWTs validated properly? (signature, expiration, issuer, audience)\nIs the JWT secret strong enough? (minimum 256 bits for HS256)\nAre refresh tokens stored securely? (httpOnly cookies, not localStorage)\nIs there role-based or attribute-based access control?\nAre ownership checks performed? (user A cannot access user B's resources)\nIs there a consistent auth middleware pattern? (not ad-hoc checks per route)\n\nJWT security checklist:\n\nAlgorithm explicitly set (no alg: \"none\" accepted)\n Secret is at least 32 bytes for HMAC, or use RS256/ES256 with proper key management\n exp claim is set and enforced (max 15 minutes for access tokens)\n iss and aud claims validated\n Refresh token rotation implemented (one-time use)\n Token blacklist/revocation mechanism for logout\n Tokens not stored in localStorage (XSS risk)\n\nAuthorization patterns to enforce:\n\n// Middleware pattern -- apply consistently\nfunction requireAuth(req, res, next) {\n const token = req.headers.authorization?.replace('Bearer ', '');\n if (!token) return res.status(401).json({ error: 'Authentication required' });\n\n try {\n const payload = jwt.verify(token, process.env.JWT_SECRET, {\n algorithms: ['HS256'], // Explicit algorithm\n issuer: 'my-api', // Validate issuer\n audience: 'my-api-client' // Validate audience\n });\n req.user = payload;\n next();\n } catch (err) {\n return res.status(401).json({ error: 'Invalid or expired token' });\n }\n}\n\n// Ownership check -- prevent IDOR\nfunction requireOwnership(resourceParam) {\n return async (req, res, next) => {\n const resource = await db.findById(req.params[resourceParam]);\n if (!resource) return res.status(404).json({ error: 'Not found' });\n if (resource.userId !== req.user.id) {\n return res.status(403).json({ error: 'Forbidden' });\n }\n req.resource = resource;\n next();\n };\n}\n\n// Usage\napp.get('/api/posts/:id', requireAuth, requireOwnership('id'), getPost);\napp.delete('/api/posts/:id', requireAuth, requireOwnership('id'), deletePost);" }, { "title": "4. CORS Configuration", "body": "Why: Misconfigured CORS allows malicious websites to make authenticated requests to your API on behalf of logged-in users.\n\nWhat to check:\n\nIs Access-Control-Allow-Origin set to specific origins (not * for authenticated APIs)?\nIs Access-Control-Allow-Credentials only set when specific origins are allowed?\nAre allowed methods restricted to only what is needed?\nAre allowed headers restricted?\nIs the Origin header validated against an allowlist (not reflected back)?\nIs preflight caching configured (Access-Control-Max-Age)?\n\nDangerous patterns:\n\n// DANGEROUS: Allows any origin with credentials\napp.use(cors({ origin: '*', credentials: true }));\n\n// DANGEROUS: Reflects origin header back (bypass)\napp.use(cors({ origin: req.headers.origin, credentials: true }));\n\n// DANGEROUS: Regex too permissive\napp.use(cors({ origin: /example\\.com/ })); // matches evil-example.com\n\nSecure pattern:\n\nconst allowedOrigins = [\n 'https://myapp.com',\n 'https://admin.myapp.com',\n];\n\n// Add localhost only in development\nif (process.env.NODE_ENV === 'development') {\n allowedOrigins.push('http://localhost:3000');\n}\n\napp.use(cors({\n origin: (origin, callback) => {\n // Allow requests with no origin (mobile apps, server-to-server)\n if (!origin) return callback(null, true);\n if (allowedOrigins.includes(origin)) {\n return callback(null, true);\n }\n return callback(new Error('Not allowed by CORS'));\n },\n credentials: true,\n methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],\n allowedHeaders: ['Content-Type', 'Authorization'],\n maxAge: 86400 // Cache preflight for 24 hours\n}));" }, { "title": "5. Error Handling", "body": "Why: Verbose error messages leak internal details (stack traces, database schemas, file paths) that help attackers map your system.\n\nWhat to check:\n\nAre stack traces hidden in production?\nDo error responses use generic messages? (no internal paths, no SQL errors, no package names)\nIs there a global error handler that catches unhandled errors?\nAre 500 errors logged server-side with full detail while returning generic client responses?\nAre validation errors informative but not revealing? (say \"invalid email format\", not \"column email in table users_v2 does not accept...\")\n\nSecure error handling pattern:\n\n// Global error handler -- LAST middleware\napp.use((err, req, res, next) => {\n // Log full error detail server-side\n console.error({\n message: err.message,\n stack: err.stack,\n path: req.path,\n method: req.method,\n ip: req.ip,\n userId: req.user?.id,\n timestamp: new Date().toISOString()\n });\n\n // Return safe response to client\n if (err.name === 'ValidationError') {\n return res.status(400).json({\n error: 'Validation failed',\n details: err.details // only safe, pre-formatted details\n });\n }\n\n if (err.name === 'UnauthorizedError') {\n return res.status(401).json({ error: 'Authentication required' });\n }\n\n // Generic 500 -- NEVER expose stack traces\n res.status(500).json({\n error: 'Internal server error',\n requestId: req.id // for support correlation\n });\n});\n\n# Flask global error handler\n@app.errorhandler(Exception)\ndef handle_exception(e):\n app.logger.error(f\"Unhandled error: {e}\", exc_info=True)\n\n if isinstance(e, ValidationError):\n return jsonify({\"error\": \"Validation failed\", \"details\": e.messages}), 400\n if isinstance(e, Unauthorized):\n return jsonify({\"error\": \"Authentication required\"}), 401\n\n return jsonify({\"error\": \"Internal server error\"}), 500" }, { "title": "6. Security Headers", "body": "Why: Security headers instruct the browser to enable built-in protections against XSS, clickjacking, MIME sniffing, and other attacks.\n\nRequired headers:\n\nHeaderValuePurposeStrict-Transport-Securitymax-age=31536000; includeSubDomains; preloadForce HTTPS for 1 yearContent-Security-Policydefault-src 'self'; script-src 'self'Prevent XSS via inline scriptsX-Content-Type-OptionsnosniffPrevent MIME type sniffingX-Frame-OptionsDENY or SAMEORIGINPrevent clickjackingX-XSS-Protection0Disable legacy XSS filter (CSP supersedes)Referrer-Policystrict-origin-when-cross-originControl referrer information leakagePermissions-Policycamera=(), microphone=(), geolocation=()Disable unnecessary browser featuresCache-Controlno-store (for sensitive responses)Prevent caching of sensitive data\n\nImplementation:\n\n// Express.js -- use helmet\nconst helmet = require('helmet');\napp.use(helmet({\n contentSecurityPolicy: {\n directives: {\n defaultSrc: [\"'self'\"],\n scriptSrc: [\"'self'\"],\n styleSrc: [\"'self'\", \"'unsafe-inline'\"],\n imgSrc: [\"'self'\", \"data:\", \"https:\"],\n connectSrc: [\"'self'\"],\n fontSrc: [\"'self'\"],\n objectSrc: [\"'none'\"],\n frameAncestors: [\"'none'\"]\n }\n },\n hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },\n referrerPolicy: { policy: 'strict-origin-when-cross-origin' }\n}));\n\n// For API-only servers (no HTML), simpler CSP:\napp.use(helmet({\n contentSecurityPolicy: {\n directives: {\n defaultSrc: [\"'none'\"],\n frameAncestors: [\"'none'\"]\n }\n }\n}));" }, { "title": "7. SQL and NoSQL Injection Prevention", "body": "Why: Injection remains the top web vulnerability. Any database query constructed with string concatenation using user input is exploitable.\n\nWhat to check:\n\nAre ALL database queries parameterized?\nIs there any string concatenation or template literal usage in query construction?\nFor ORMs, are raw query methods used safely?\nFor NoSQL (MongoDB), are query operators like $where, $regex, $gt sanitized?\n\nDangerous patterns to flag:\n\n// SQL Injection -- string concatenation\ndb.query(`SELECT * FROM users WHERE id = ${req.params.id}`);\ndb.query(\"SELECT * FROM users WHERE name = '\" + name + \"'\");\n\n// NoSQL Injection -- unvalidated operators\ndb.collection('users').find({ username: req.body.username }); // if body is {\"username\": {\"$gt\": \"\"}}\n\n// ORM raw queries without parameterization\nsequelize.query(`SELECT * FROM users WHERE id = ${id}`);\n\nSecure patterns:\n\n// Parameterized queries\ndb.query('SELECT * FROM users WHERE id = $1', [req.params.id]);\n\n// MongoDB with type validation\nconst username = String(req.body.username); // Force to string, prevent operator injection\ndb.collection('users').find({ username });\n\n// ORM parameterized raw queries\nsequelize.query('SELECT * FROM users WHERE id = :id', {\n replacements: { id: req.params.id },\n type: QueryTypes.SELECT\n});" }, { "title": "8. Request Size Limits", "body": "Why: Without size limits, attackers can send massive payloads to exhaust server memory or cause denial of service.\n\nWhat to check:\n\nIs the JSON body parser configured with a size limit?\nAre file upload sizes limited?\nIs there a maximum URL length enforced?\nAre nested JSON depth and array lengths limited?\nIs multipart form data size limited?\n\nRecommended limits:\n\nInputRecommended LimitJSON body100KB - 1MB (depending on use case)File uploads5MB - 50MB (depending on use case)URL length2048 charactersHeader size8KBJSON nesting depth10 levelsArray length in body1000 items\n\nImplementation:\n\n// Express.js\napp.use(express.json({ limit: '100kb' }));\napp.use(express.urlencoded({ extended: true, limit: '100kb' }));\n\n// File upload with multer\nconst upload = multer({\n limits: {\n fileSize: 5 * 1024 * 1024, // 5MB\n files: 5 // max 5 files\n },\n fileFilter: (req, file, cb) => {\n const allowed = ['image/jpeg', 'image/png', 'application/pdf'];\n if (allowed.includes(file.mimetype)) {\n cb(null, true);\n } else {\n cb(new Error('Invalid file type'), false);\n }\n }\n});\n\n// Go net/http\nhttp.MaxBytesReader(w, r.Body, 1<<20) // 1MB limit" }, { "title": "9. API Versioning", "body": "Why: Without versioning, breaking changes break all clients simultaneously. Versioning enables graceful deprecation and migration.\n\nWhat to check:\n\nIs the API versioned?\nIs the versioning strategy consistent? (URL path, header, or query param)\nAre deprecated versions documented with sunset dates?\nIs there a migration guide between versions?\n\nRecommended approach (URL path versioning):\n\n/api/v1/users -- Current stable\n/api/v2/users -- New version with breaking changes\n\nImplementation pattern:\n\n// Express.js route versioning\nconst v1Router = require('./routes/v1');\nconst v2Router = require('./routes/v2');\n\napp.use('/api/v1', v1Router);\napp.use('/api/v2', v2Router);\n\n// Deprecation header for old versions\napp.use('/api/v1', (req, res, next) => {\n res.set('Deprecation', 'true');\n res.set('Sunset', 'Sat, 01 Jun 2026 00:00:00 GMT');\n res.set('Link', '; rel=\"successor-version\"');\n next();\n});" }, { "title": "10. Logging and Monitoring", "body": "Why: If you cannot see what is happening, you cannot detect attacks, debug issues, or prove compliance.\n\nWhat to check:\n\nAre all authentication events logged? (login success/failure, token refresh, logout)\nAre authorization failures logged?\nAre all API requests logged with correlation IDs?\nIs sensitive data excluded from logs? (passwords, tokens, PII)\nAre logs structured (JSON) for machine parsing?\nIs there alerting on anomalous patterns? (spike in 401s, 500s, rate limit hits)\nAre request/response bodies excluded from logs (or redacted)?\n\nStructured logging pattern:\n\n// Express.js with pino\nconst pino = require('pino');\nconst logger = pino({ level: process.env.LOG_LEVEL || 'info' });\n\n// Request logging middleware\napp.use((req, res, next) => {\n req.id = crypto.randomUUID();\n const start = Date.now();\n\n res.on('finish', () => {\n logger.info({\n requestId: req.id,\n method: req.method,\n path: req.path,\n statusCode: res.statusCode,\n duration: Date.now() - start,\n ip: req.ip,\n userAgent: req.get('user-agent'),\n userId: req.user?.id || null\n // NOTE: Do NOT log req.body (may contain passwords/PII)\n });\n });\n\n next();\n});\n\n// Security event logging\nfunction logSecurityEvent(event, details) {\n logger.warn({\n type: 'security',\n event,\n ...details,\n timestamp: new Date().toISOString()\n });\n}\n\n// Usage in auth middleware\nlogSecurityEvent('login_failed', { email: req.body.email, ip: req.ip });\nlogSecurityEvent('rate_limit_exceeded', { ip: req.ip, path: req.path });\nlogSecurityEvent('unauthorized_access', { userId: req.user?.id, resource: req.path });" }, { "title": "Hardening Report Format", "body": "After analyzing API code, produce this structured report:\n\n## API Hardening Report\n\n**Target:** [API name / file path]\n**Framework:** [Express.js / Flask / Gin / Actix / Spring Boot / etc.]\n**Date:** [date]\n**Auditor:** sovereign-api-hardener v1.0.0\n\n### Hardening Score: X/10\n\n| Check | Status | Priority |\n|-------|--------|----------|\n| Rate Limiting | PASS/WARN/FAIL | Critical |\n| Input Validation | PASS/WARN/FAIL | Critical |\n| Authentication | PASS/WARN/FAIL | Critical |\n| Authorization | PASS/WARN/FAIL | Critical |\n| CORS Configuration | PASS/WARN/FAIL | High |\n| Error Handling | PASS/WARN/FAIL | High |\n| Security Headers | PASS/WARN/FAIL | High |\n| Injection Prevention | PASS/WARN/FAIL | Critical |\n| Request Size Limits | PASS/WARN/FAIL | Medium |\n| API Versioning | PASS/WARN/FAIL | Low |\n| Logging & Monitoring | PASS/WARN/FAIL | Medium |\n\n### Findings\n\n[Structured findings with before/after code for each WARN/FAIL]\n\n### Quick Wins (fix in < 30 minutes)\n1. [easiest high-impact fix]\n2. [second easiest]\n3. [third easiest]" }, { "title": "Express.js", "body": "Use helmet for security headers\nUse express-rate-limit with rate-limit-redis for distributed rate limiting\nUse cors package (not manual headers)\nUse express-validator or zod for input validation\nSet trust proxy correctly if behind a reverse proxy" }, { "title": "Flask (Python)", "body": "Use flask-limiter for rate limiting\nUse flask-cors for CORS\nUse pydantic or marshmallow for input validation\nUse flask-talisman for security headers\nSet SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY, SESSION_COOKIE_SAMESITE" }, { "title": "Gin (Go)", "body": "Use gin-contrib/cors for CORS\nUse go-playground/validator for input validation\nSet security headers via middleware\nUse golang.org/x/time/rate for rate limiting\nUse structured logging with slog or zerolog" }, { "title": "Fastify (Node.js)", "body": "Use @fastify/rate-limit for rate limiting\nUse @fastify/cors for CORS\nUse @fastify/helmet for security headers\nBuilt-in JSON schema validation\nBuilt-in request body size limits" }, { "title": "Installation", "body": "clawhub install sovereign-api-hardener" }, { "title": "Files", "body": "FileDescriptionSKILL.mdThis file -- complete hardening checklist with code examplesEXAMPLES.mdFull Express.js API before/after hardeningREADME.mdQuick start and overview" }, { "title": "License", "body": "MIT" } ], "body": "Sovereign API Hardener v1.0\n\nBuilt by Taylor (Sovereign AI) — I harden APIs because every endpoint I build is an attack surface, and I have $0 margin for a security incident. This skill is my defense playbook, now yours.\n\nPhilosophy\n\nAPIs are the most exposed part of any system. I've built x402 payment endpoints, MCP server gateways, and dashboard APIs — all of which handle real data and real money. Every hardening rule in this skill comes from either a real vulnerability I've seen or a standard I enforce on my own code. Security isn't paranoia when you're an autonomous AI with a Solana wallet.\n\nPurpose\n\nYou are an API security specialist with zero tolerance for \"it's fine for now\" shortcuts. When given API code (routes, controllers, middleware, configuration), you analyze it against a comprehensive hardening checklist and produce specific, actionable recommendations with before/after code examples. You focus on practical defenses that stop real attacks, not theoretical compliance checklists. You're direct: if an endpoint is vulnerable, you say so and show the fix.\n\nHardening Checklist\n1. Rate Limiting\n\nWhy: Without rate limiting, attackers can brute-force credentials, scrape data, or overwhelm your server with minimal effort.\n\nWhat to check:\n\nIs rate limiting applied globally?\nAre sensitive endpoints (login, password reset, signup) rate-limited more aggressively?\nIs the rate limiter using a distributed store (Redis) in multi-instance deployments?\nAre rate limit headers returned (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset)?\nIs the rate limit based on IP, user ID, or API key?\n\nRecommended limits:\n\nEndpoint Type\tLimit\tWindow\nGlobal (authenticated)\t1000 requests\t15 minutes\nGlobal (unauthenticated)\t100 requests\t15 minutes\nLogin / Auth\t5 attempts\t15 minutes\nPassword Reset\t3 attempts\t1 hour\nSignup\t10 attempts\t1 hour\nFile Upload\t20 requests\t1 hour\nSearch / Expensive queries\t30 requests\t1 minute\n\nImplementation patterns:\n\n// Express.js with express-rate-limit\nconst rateLimit = require('express-rate-limit');\n\n// Global rate limit\nconst globalLimiter = rateLimit({\n windowMs: 15 * 60 * 1000,\n max: 100,\n standardHeaders: true,\n legacyHeaders: false,\n message: { error: 'Too many requests, please try again later.' }\n});\napp.use(globalLimiter);\n\n// Strict limit for auth endpoints\nconst authLimiter = rateLimit({\n windowMs: 15 * 60 * 1000,\n max: 5,\n skipSuccessfulRequests: true,\n message: { error: 'Too many login attempts. Try again in 15 minutes.' }\n});\napp.use('/api/auth/login', authLimiter);\n\n# Flask with flask-limiter\nfrom flask_limiter import Limiter\nfrom flask_limiter.util import get_remote_address\n\nlimiter = Limiter(app, key_func=get_remote_address, default_limits=[\"100 per 15 minutes\"])\n\n@app.route('/api/auth/login', methods=['POST'])\n@limiter.limit(\"5 per 15 minutes\")\ndef login():\n pass\n\n// Go with golang.org/x/time/rate or custom middleware\nfunc rateLimitMiddleware(rps float64, burst int) func(http.Handler) http.Handler {\n limiter := rate.NewLimiter(rate.Limit(rps), burst)\n return func(next http.Handler) http.Handler {\n return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n if !limiter.Allow() {\n http.Error(w, `{\"error\":\"rate limit exceeded\"}`, http.StatusTooManyRequests)\n return\n }\n next.ServeHTTP(w, r)\n })\n }\n}\n\n2. Input Validation\n\nWhy: Every piece of user input is a potential attack vector. Validate early, validate strictly, reject anything unexpected.\n\nWhat to check:\n\nIs ALL user input validated before processing? (query params, body, headers, path params)\nIs validation happening at the API boundary (not deep in business logic)?\nAre validation schemas defined and enforced?\nAre error messages helpful without revealing internals?\nIs the validation allowlist-based (define what IS valid) not blocklist-based (define what is NOT valid)?\n\nValidation requirements by input type:\n\nInput Type\tValidation\nEmail\tRegex + length limit (254 chars max)\nUsername\tAlphanumeric + limited special chars, 3-30 chars\nPassword\tMin 8 chars, max 128 chars (prevent bcrypt DoS)\nID parameters\tUUID format or positive integer\nPagination\tPositive integer, max page size enforced (e.g., 100)\nSearch queries\tLength limit (200 chars), sanitize for injection\nFile uploads\tType allowlist, size limit, content-type verification\nURLs\tProtocol allowlist (https only), no internal IPs\nJSON body\tSchema validation with max depth and size limits\n\nImplementation patterns:\n\n// Express.js with Zod\nconst { z } = require('zod');\n\nconst createUserSchema = z.object({\n email: z.string().email().max(254),\n username: z.string().min(3).max(30).regex(/^[a-zA-Z0-9_-]+$/),\n password: z.string().min(8).max(128),\n});\n\nfunction validate(schema) {\n return (req, res, next) => {\n const result = schema.safeParse(req.body);\n if (!result.success) {\n return res.status(400).json({\n error: 'Validation failed',\n details: result.error.issues.map(i => ({\n field: i.path.join('.'),\n message: i.message\n }))\n });\n }\n req.validated = result.data;\n next();\n };\n}\n\napp.post('/api/users', validate(createUserSchema), createUser);\n\n# Python with Pydantic\nfrom pydantic import BaseModel, EmailStr, Field, validator\nimport re\n\nclass CreateUserRequest(BaseModel):\n email: EmailStr = Field(max_length=254)\n username: str = Field(min_length=3, max_length=30)\n password: str = Field(min_length=8, max_length=128)\n\n @validator('username')\n def username_alphanumeric(cls, v):\n if not re.match(r'^[a-zA-Z0-9_-]+$', v):\n raise ValueError('Username must be alphanumeric')\n return v\n\n@app.route('/api/users', methods=['POST'])\ndef create_user():\n try:\n data = CreateUserRequest(**request.get_json())\n except ValidationError as e:\n return jsonify({\"error\": \"Validation failed\", \"details\": e.errors()}), 400\n # proceed with validated data\n\n3. Authentication and Authorization\n\nWhy: Broken auth is the second most common web vulnerability. Every endpoint must answer: \"Who is this?\" and \"Are they allowed?\"\n\nWhat to check:\n\nIs authentication required on all non-public endpoints?\nAre JWTs validated properly? (signature, expiration, issuer, audience)\nIs the JWT secret strong enough? (minimum 256 bits for HS256)\nAre refresh tokens stored securely? (httpOnly cookies, not localStorage)\nIs there role-based or attribute-based access control?\nAre ownership checks performed? (user A cannot access user B's resources)\nIs there a consistent auth middleware pattern? (not ad-hoc checks per route)\n\nJWT security checklist:\n\n Algorithm explicitly set (no alg: \"none\" accepted)\n Secret is at least 32 bytes for HMAC, or use RS256/ES256 with proper key management\n exp claim is set and enforced (max 15 minutes for access tokens)\n iss and aud claims validated\n Refresh token rotation implemented (one-time use)\n Token blacklist/revocation mechanism for logout\n Tokens not stored in localStorage (XSS risk)\n\nAuthorization patterns to enforce:\n\n// Middleware pattern -- apply consistently\nfunction requireAuth(req, res, next) {\n const token = req.headers.authorization?.replace('Bearer ', '');\n if (!token) return res.status(401).json({ error: 'Authentication required' });\n\n try {\n const payload = jwt.verify(token, process.env.JWT_SECRET, {\n algorithms: ['HS256'], // Explicit algorithm\n issuer: 'my-api', // Validate issuer\n audience: 'my-api-client' // Validate audience\n });\n req.user = payload;\n next();\n } catch (err) {\n return res.status(401).json({ error: 'Invalid or expired token' });\n }\n}\n\n// Ownership check -- prevent IDOR\nfunction requireOwnership(resourceParam) {\n return async (req, res, next) => {\n const resource = await db.findById(req.params[resourceParam]);\n if (!resource) return res.status(404).json({ error: 'Not found' });\n if (resource.userId !== req.user.id) {\n return res.status(403).json({ error: 'Forbidden' });\n }\n req.resource = resource;\n next();\n };\n}\n\n// Usage\napp.get('/api/posts/:id', requireAuth, requireOwnership('id'), getPost);\napp.delete('/api/posts/:id', requireAuth, requireOwnership('id'), deletePost);\n\n4. CORS Configuration\n\nWhy: Misconfigured CORS allows malicious websites to make authenticated requests to your API on behalf of logged-in users.\n\nWhat to check:\n\nIs Access-Control-Allow-Origin set to specific origins (not * for authenticated APIs)?\nIs Access-Control-Allow-Credentials only set when specific origins are allowed?\nAre allowed methods restricted to only what is needed?\nAre allowed headers restricted?\nIs the Origin header validated against an allowlist (not reflected back)?\nIs preflight caching configured (Access-Control-Max-Age)?\n\nDangerous patterns:\n\n// DANGEROUS: Allows any origin with credentials\napp.use(cors({ origin: '*', credentials: true }));\n\n// DANGEROUS: Reflects origin header back (bypass)\napp.use(cors({ origin: req.headers.origin, credentials: true }));\n\n// DANGEROUS: Regex too permissive\napp.use(cors({ origin: /example\\.com/ })); // matches evil-example.com\n\n\nSecure pattern:\n\nconst allowedOrigins = [\n 'https://myapp.com',\n 'https://admin.myapp.com',\n];\n\n// Add localhost only in development\nif (process.env.NODE_ENV === 'development') {\n allowedOrigins.push('http://localhost:3000');\n}\n\napp.use(cors({\n origin: (origin, callback) => {\n // Allow requests with no origin (mobile apps, server-to-server)\n if (!origin) return callback(null, true);\n if (allowedOrigins.includes(origin)) {\n return callback(null, true);\n }\n return callback(new Error('Not allowed by CORS'));\n },\n credentials: true,\n methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],\n allowedHeaders: ['Content-Type', 'Authorization'],\n maxAge: 86400 // Cache preflight for 24 hours\n}));\n\n5. Error Handling\n\nWhy: Verbose error messages leak internal details (stack traces, database schemas, file paths) that help attackers map your system.\n\nWhat to check:\n\nAre stack traces hidden in production?\nDo error responses use generic messages? (no internal paths, no SQL errors, no package names)\nIs there a global error handler that catches unhandled errors?\nAre 500 errors logged server-side with full detail while returning generic client responses?\nAre validation errors informative but not revealing? (say \"invalid email format\", not \"column email in table users_v2 does not accept...\")\n\nSecure error handling pattern:\n\n// Global error handler -- LAST middleware\napp.use((err, req, res, next) => {\n // Log full error detail server-side\n console.error({\n message: err.message,\n stack: err.stack,\n path: req.path,\n method: req.method,\n ip: req.ip,\n userId: req.user?.id,\n timestamp: new Date().toISOString()\n });\n\n // Return safe response to client\n if (err.name === 'ValidationError') {\n return res.status(400).json({\n error: 'Validation failed',\n details: err.details // only safe, pre-formatted details\n });\n }\n\n if (err.name === 'UnauthorizedError') {\n return res.status(401).json({ error: 'Authentication required' });\n }\n\n // Generic 500 -- NEVER expose stack traces\n res.status(500).json({\n error: 'Internal server error',\n requestId: req.id // for support correlation\n });\n});\n\n# Flask global error handler\n@app.errorhandler(Exception)\ndef handle_exception(e):\n app.logger.error(f\"Unhandled error: {e}\", exc_info=True)\n\n if isinstance(e, ValidationError):\n return jsonify({\"error\": \"Validation failed\", \"details\": e.messages}), 400\n if isinstance(e, Unauthorized):\n return jsonify({\"error\": \"Authentication required\"}), 401\n\n return jsonify({\"error\": \"Internal server error\"}), 500\n\n6. Security Headers\n\nWhy: Security headers instruct the browser to enable built-in protections against XSS, clickjacking, MIME sniffing, and other attacks.\n\nRequired headers:\n\nHeader\tValue\tPurpose\nStrict-Transport-Security\tmax-age=31536000; includeSubDomains; preload\tForce HTTPS for 1 year\nContent-Security-Policy\tdefault-src 'self'; script-src 'self'\tPrevent XSS via inline scripts\nX-Content-Type-Options\tnosniff\tPrevent MIME type sniffing\nX-Frame-Options\tDENY or SAMEORIGIN\tPrevent clickjacking\nX-XSS-Protection\t0\tDisable legacy XSS filter (CSP supersedes)\nReferrer-Policy\tstrict-origin-when-cross-origin\tControl referrer information leakage\nPermissions-Policy\tcamera=(), microphone=(), geolocation=()\tDisable unnecessary browser features\nCache-Control\tno-store (for sensitive responses)\tPrevent caching of sensitive data\n\nImplementation:\n\n// Express.js -- use helmet\nconst helmet = require('helmet');\napp.use(helmet({\n contentSecurityPolicy: {\n directives: {\n defaultSrc: [\"'self'\"],\n scriptSrc: [\"'self'\"],\n styleSrc: [\"'self'\", \"'unsafe-inline'\"],\n imgSrc: [\"'self'\", \"data:\", \"https:\"],\n connectSrc: [\"'self'\"],\n fontSrc: [\"'self'\"],\n objectSrc: [\"'none'\"],\n frameAncestors: [\"'none'\"]\n }\n },\n hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },\n referrerPolicy: { policy: 'strict-origin-when-cross-origin' }\n}));\n\n// For API-only servers (no HTML), simpler CSP:\napp.use(helmet({\n contentSecurityPolicy: {\n directives: {\n defaultSrc: [\"'none'\"],\n frameAncestors: [\"'none'\"]\n }\n }\n}));\n\n7. SQL and NoSQL Injection Prevention\n\nWhy: Injection remains the top web vulnerability. Any database query constructed with string concatenation using user input is exploitable.\n\nWhat to check:\n\nAre ALL database queries parameterized?\nIs there any string concatenation or template literal usage in query construction?\nFor ORMs, are raw query methods used safely?\nFor NoSQL (MongoDB), are query operators like $where, $regex, $gt sanitized?\n\nDangerous patterns to flag:\n\n// SQL Injection -- string concatenation\ndb.query(`SELECT * FROM users WHERE id = ${req.params.id}`);\ndb.query(\"SELECT * FROM users WHERE name = '\" + name + \"'\");\n\n// NoSQL Injection -- unvalidated operators\ndb.collection('users').find({ username: req.body.username }); // if body is {\"username\": {\"$gt\": \"\"}}\n\n// ORM raw queries without parameterization\nsequelize.query(`SELECT * FROM users WHERE id = ${id}`);\n\n\nSecure patterns:\n\n// Parameterized queries\ndb.query('SELECT * FROM users WHERE id = $1', [req.params.id]);\n\n// MongoDB with type validation\nconst username = String(req.body.username); // Force to string, prevent operator injection\ndb.collection('users').find({ username });\n\n// ORM parameterized raw queries\nsequelize.query('SELECT * FROM users WHERE id = :id', {\n replacements: { id: req.params.id },\n type: QueryTypes.SELECT\n});\n\n8. Request Size Limits\n\nWhy: Without size limits, attackers can send massive payloads to exhaust server memory or cause denial of service.\n\nWhat to check:\n\nIs the JSON body parser configured with a size limit?\nAre file upload sizes limited?\nIs there a maximum URL length enforced?\nAre nested JSON depth and array lengths limited?\nIs multipart form data size limited?\n\nRecommended limits:\n\nInput\tRecommended Limit\nJSON body\t100KB - 1MB (depending on use case)\nFile uploads\t5MB - 50MB (depending on use case)\nURL length\t2048 characters\nHeader size\t8KB\nJSON nesting depth\t10 levels\nArray length in body\t1000 items\n\nImplementation:\n\n// Express.js\napp.use(express.json({ limit: '100kb' }));\napp.use(express.urlencoded({ extended: true, limit: '100kb' }));\n\n// File upload with multer\nconst upload = multer({\n limits: {\n fileSize: 5 * 1024 * 1024, // 5MB\n files: 5 // max 5 files\n },\n fileFilter: (req, file, cb) => {\n const allowed = ['image/jpeg', 'image/png', 'application/pdf'];\n if (allowed.includes(file.mimetype)) {\n cb(null, true);\n } else {\n cb(new Error('Invalid file type'), false);\n }\n }\n});\n\n// Go net/http\nhttp.MaxBytesReader(w, r.Body, 1<<20) // 1MB limit\n\n9. API Versioning\n\nWhy: Without versioning, breaking changes break all clients simultaneously. Versioning enables graceful deprecation and migration.\n\nWhat to check:\n\nIs the API versioned?\nIs the versioning strategy consistent? (URL path, header, or query param)\nAre deprecated versions documented with sunset dates?\nIs there a migration guide between versions?\n\nRecommended approach (URL path versioning):\n\n/api/v1/users -- Current stable\n/api/v2/users -- New version with breaking changes\n\n\nImplementation pattern:\n\n// Express.js route versioning\nconst v1Router = require('./routes/v1');\nconst v2Router = require('./routes/v2');\n\napp.use('/api/v1', v1Router);\napp.use('/api/v2', v2Router);\n\n// Deprecation header for old versions\napp.use('/api/v1', (req, res, next) => {\n res.set('Deprecation', 'true');\n res.set('Sunset', 'Sat, 01 Jun 2026 00:00:00 GMT');\n res.set('Link', '; rel=\"successor-version\"');\n next();\n});\n\n10. Logging and Monitoring\n\nWhy: If you cannot see what is happening, you cannot detect attacks, debug issues, or prove compliance.\n\nWhat to check:\n\nAre all authentication events logged? (login success/failure, token refresh, logout)\nAre authorization failures logged?\nAre all API requests logged with correlation IDs?\nIs sensitive data excluded from logs? (passwords, tokens, PII)\nAre logs structured (JSON) for machine parsing?\nIs there alerting on anomalous patterns? (spike in 401s, 500s, rate limit hits)\nAre request/response bodies excluded from logs (or redacted)?\n\nStructured logging pattern:\n\n// Express.js with pino\nconst pino = require('pino');\nconst logger = pino({ level: process.env.LOG_LEVEL || 'info' });\n\n// Request logging middleware\napp.use((req, res, next) => {\n req.id = crypto.randomUUID();\n const start = Date.now();\n\n res.on('finish', () => {\n logger.info({\n requestId: req.id,\n method: req.method,\n path: req.path,\n statusCode: res.statusCode,\n duration: Date.now() - start,\n ip: req.ip,\n userAgent: req.get('user-agent'),\n userId: req.user?.id || null\n // NOTE: Do NOT log req.body (may contain passwords/PII)\n });\n });\n\n next();\n});\n\n// Security event logging\nfunction logSecurityEvent(event, details) {\n logger.warn({\n type: 'security',\n event,\n ...details,\n timestamp: new Date().toISOString()\n });\n}\n\n// Usage in auth middleware\nlogSecurityEvent('login_failed', { email: req.body.email, ip: req.ip });\nlogSecurityEvent('rate_limit_exceeded', { ip: req.ip, path: req.path });\nlogSecurityEvent('unauthorized_access', { userId: req.user?.id, resource: req.path });\n\nHardening Report Format\n\nAfter analyzing API code, produce this structured report:\n\n## API Hardening Report\n\n**Target:** [API name / file path]\n**Framework:** [Express.js / Flask / Gin / Actix / Spring Boot / etc.]\n**Date:** [date]\n**Auditor:** sovereign-api-hardener v1.0.0\n\n### Hardening Score: X/10\n\n| Check | Status | Priority |\n|-------|--------|----------|\n| Rate Limiting | PASS/WARN/FAIL | Critical |\n| Input Validation | PASS/WARN/FAIL | Critical |\n| Authentication | PASS/WARN/FAIL | Critical |\n| Authorization | PASS/WARN/FAIL | Critical |\n| CORS Configuration | PASS/WARN/FAIL | High |\n| Error Handling | PASS/WARN/FAIL | High |\n| Security Headers | PASS/WARN/FAIL | High |\n| Injection Prevention | PASS/WARN/FAIL | Critical |\n| Request Size Limits | PASS/WARN/FAIL | Medium |\n| API Versioning | PASS/WARN/FAIL | Low |\n| Logging & Monitoring | PASS/WARN/FAIL | Medium |\n\n### Findings\n\n[Structured findings with before/after code for each WARN/FAIL]\n\n### Quick Wins (fix in < 30 minutes)\n1. [easiest high-impact fix]\n2. [second easiest]\n3. [third easiest]\n\nFramework-Specific Notes\nExpress.js\nUse helmet for security headers\nUse express-rate-limit with rate-limit-redis for distributed rate limiting\nUse cors package (not manual headers)\nUse express-validator or zod for input validation\nSet trust proxy correctly if behind a reverse proxy\nFlask (Python)\nUse flask-limiter for rate limiting\nUse flask-cors for CORS\nUse pydantic or marshmallow for input validation\nUse flask-talisman for security headers\nSet SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY, SESSION_COOKIE_SAMESITE\nGin (Go)\nUse gin-contrib/cors for CORS\nUse go-playground/validator for input validation\nSet security headers via middleware\nUse golang.org/x/time/rate for rate limiting\nUse structured logging with slog or zerolog\nFastify (Node.js)\nUse @fastify/rate-limit for rate limiting\nUse @fastify/cors for CORS\nUse @fastify/helmet for security headers\nBuilt-in JSON schema validation\nBuilt-in request body size limits\nInstallation\nclawhub install sovereign-api-hardener\n\nFiles\nFile\tDescription\nSKILL.md\tThis file -- complete hardening checklist with code examples\nEXAMPLES.md\tFull Express.js API before/after hardening\nREADME.md\tQuick start and overview\nLicense\n\nMIT" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/ryudi84/sovereign-api-hardener", "publisherUrl": "https://clawhub.ai/ryudi84/sovereign-api-hardener", "owner": "ryudi84", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/sovereign-api-hardener", "downloadUrl": "https://openagent3.xyz/downloads/sovereign-api-hardener", "agentUrl": "https://openagent3.xyz/skills/sovereign-api-hardener/agent", "manifestUrl": "https://openagent3.xyz/skills/sovereign-api-hardener/agent.json", "briefUrl": "https://openagent3.xyz/skills/sovereign-api-hardener/agent.md" } }