Review API endpoint security covering authentication, authorization, input validation, rate limiting, and data exposure.
Fill in this template
The {{ }} placeholders are variables — drop in your own details, then copy the ready-to-use prompt. (Or copy the template as-is and let your AI assistant fill them in.)
You are an API security specialist. Audit this API endpoint for security vulnerabilities.
## Endpoint Code
```
{{ENDPOINT_CODE}}
```
## Route
{{ROUTE}}
## Authentication Method
{{AUTH_METHOD}}
## API Security Audit
### 1. Authentication
- Is the endpoint properly authenticated (or intentionally public)?
- Is the authentication middleware applied correctly?
- Are authentication tokens validated on every request (not just presence-checked)?
- Is the token/session verified server-side (not just client-side)?
### 2. Authorization
- Is there proper authorization beyond authentication?
- Is the user allowed to access THIS specific resource (ownership check)?
- Is there role-based or attribute-based access control?
- Are there IDOR (Insecure Direct Object Reference) vulnerabilities?
- Can a user escalate privileges through this endpoint?
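Added example, not part of the BeforeMerge prompt or any project it describes: a framework-agnostic, in-memory model of a `GET /orders/{order_id}` handler with and without the ownership check the authorization questions ask about, plus a `PATCH /users/{user_id}` handler with a mass-assignment guard against self-promotion. The rows, users, roles and function names are all constructed here.

```python
# Added example (not part of the BeforeMerge prompt): in-memory models of
# GET /orders/{order_id} and PATCH /users/{user_id}. No web framework is
# assumed; sample rows and users are constructed below.
from dataclasses import dataclass


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin"


# Constructed sample rows standing in for database tables.
ORDERS = {
    101: {"id": 101, "owner_id": 1, "total": 42.0},
    102: {"id": 102, "owner_id": 2, "total": 99.5},
}
USERS = {
    1: {"id": 1, "display_name": "Alice", "role": "customer"},
    2: {"id": 2, "display_name": "Bob", "role": "customer"},
}


def get_order_vulnerable(user, order_id):
    """Authenticated but not authorized: any logged-in user can read any order
    just by changing the id in the path (Insecure Direct Object Reference)."""
    if user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound()
    return order


def get_order_hardened(user, order_id):
    """Authorization beyond authentication: the caller must own the order or
    hold the admin role. Ownership is checked against the server-side record,
    never against an owner id supplied by the client."""
    if user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    # Same 404 for "does not exist" and "not yours", so the endpoint does not
    # confirm which order ids exist to a caller who may not see them.
    if order is None or (order["owner_id"] != user.id and user.role != "admin"):
        raise NotFound()
    return order


# Fields a user may change on their own profile. "role" and "id" are
# deliberately absent: accepting them would let a customer promote themselves.
PROFILE_FIELDS = {"display_name"}


def update_profile_hardened(user, target_id, body):
    """Self-or-admin check plus a mass-assignment guard against escalation."""
    if user is None:
        raise Forbidden("login required")
    if user.id != target_id and user.role != "admin":
        raise NotFound()
    unexpected = set(body) - PROFILE_FIELDS
    if unexpected:
        raise ValueError("unexpected fields: %s" % sorted(unexpected))
    USERS[target_id].update(body)
    return USERS[target_id]
```

The hardened read returns the same 404 for a missing order and for someone else's order; distinguishing the two with a 403 would turn the endpoint into an order-id oracle. The profile update rejects unknown keys rather than silently dropping them, so a client that sends `role` gets a clear error and the audit log shows the attempt.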
### 3. Input Validation
- Are all input parameters validated (body, query, path params, headers)?
- Is validation done server-side (not just client-side)?
- Are input types strictly enforced (no type coercion vulnerabilities)?
- Are array lengths and string sizes bounded?
- Is file upload validated (type, size, content, filename)?
### 4. Output Security
- Does the response leak sensitive data (passwords, tokens, internal IDs, PII)?
- Are only necessary fields included in the response?
- Are error messages generic (not leaking stack traces or implementation details)?
- Are proper security headers set (CORS, Content-Type, X-Content-Type-Options)?
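Added example covering sections 3 and 4 together; it is not code from the BeforeMerge prompt. It shows a hand-written schema check for a `POST /users` body (strict types, bounded sizes, unknown keys refused) and a response serializer that allowlists fields instead of deleting secrets, plus a generic error mapping. The field names, limits and sample records are constructed assumptions.

```python
# Added example (not from the BeforeMerge prompt): server-side validation for a
# constructed POST /users body, an allowlisting serializer, and generic errors.
import re


class ValidationError(ValueError):
    pass


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}")


def validate_create_user(body):
    """Accept only the exact shape we expect.
    - strict types via isinstance; bool is refused where int is expected
      (bool subclasses int in Python, a common coercion trap)
    - string lengths and array sizes are bounded
    - unknown keys are rejected so extra fields never reach the model layer
    """
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")
    allowed = {"username", "email", "age", "tags"}
    unknown = set(body) - allowed
    if unknown:
        raise ValidationError("unknown fields: %s" % sorted(unknown))
    username = body.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-32 chars of [A-Za-z0-9_]")
    email = body.get("email")
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValidationError("email is not valid")
    age = body.get("age")
    if isinstance(age, bool) or not isinstance(age, int) or not 13 <= age <= 150:
        raise ValidationError("age must be an integer between 13 and 150")
    tags = body.get("tags", [])
    if (not isinstance(tags, list) or len(tags) > 10
            or not all(isinstance(t, str) and 1 <= len(t) <= 20 for t in tags)):
        raise ValidationError("tags must be a list of at most 10 strings (1-20 chars)")
    return {"username": username, "email": email, "age": age, "tags": tags}


# Response allowlist: pick the public fields rather than deleting known-sensitive
# ones, so a column added later (api_key, mfa_secret, ...) is hidden by default.
PUBLIC_USER_FIELDS = ("username", "display_name", "created_at")


def serialize_user(record):
    return {k: record[k] for k in PUBLIC_USER_FIELDS if k in record}


def error_response(exc):
    """Clients see the validation message we wrote; any other exception becomes
    a bare 500 (the traceback belongs in the server log, not the response)."""
    if isinstance(exc, ValidationError):
        return 400, {"error": str(exc)}
    return 500, {"error": "internal error"}
```

The `age` check demonstrates the ordering that matters in Python: `isinstance(True, int)` is true, so the bool test has to come first. The serializer is the pattern to apply wherever an ORM object is returned directly today.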
### 5. Rate Limiting & Abuse
- Is rate limiting applied to this endpoint?
- Is it appropriate for the endpoint type (auth: strict, read: moderate, webhook: custom)?
- Can this endpoint be abused for enumeration, scraping, or DoS?
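Added example for the rate-limiting questions, not part of the BeforeMerge prompt: an in-memory token-bucket limiter with a separate policy per endpoint type (strict for `auth`, moderate for `read`), driven by an injectable clock so the behaviour is deterministic. The policy numbers and client keys are constructed assumptions; a production deployment would keep the buckets in a shared store so every instance sees the same counts.

```python
# Added example (not from the BeforeMerge prompt): per-endpoint-type token
# buckets. Limits below are illustrative, not recommendations for a real API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    capacity: int          # burst allowed before the bucket is empty
    refill_per_sec: float  # sustained rate


POLICIES = {
    # auth endpoints: small burst, slow refill (one attempt per 4 s sustained)
    "auth": Policy(capacity=5, refill_per_sec=0.25),
    # read endpoints: generous burst, two requests per second sustained
    "read": Policy(capacity=100, refill_per_sec=2.0),
}


@dataclass
class Bucket:
    tokens: float
    updated: float


class RateLimiter:
    def __init__(self, now):
        self._now = now      # callable returning seconds (time.monotonic in practice)
        self._buckets = {}   # (client_key, endpoint_type) -> Bucket

    def allow(self, client_key, endpoint_type):
        """Return True and consume one token if the caller is within policy.
        client_key is whatever identifies the caller for this endpoint type:
        the authenticated user id for reads, and for login something that
        includes the targeted account as well as the source address."""
        policy = POLICIES[endpoint_type]
        key = (client_key, endpoint_type)
        now = self._now()
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = Bucket(tokens=float(policy.capacity), updated=now)
            self._buckets[key] = bucket
        # Refill in proportion to elapsed time, never beyond capacity.
        elapsed = now - bucket.updated
        bucket.tokens = min(float(policy.capacity), bucket.tokens + elapsed * policy.refill_per_sec)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False

    def retry_after(self, client_key, endpoint_type):
        """Seconds until one token is available, for the Retry-After header."""
        policy = POLICIES[endpoint_type]
        bucket = self._buckets.get((client_key, endpoint_type))
        if bucket is None or bucket.tokens >= 1.0:
            return 0.0
        return (1.0 - bucket.tokens) / policy.refill_per_sec
```

A rejected request should get a 429 with `Retry-After` rather than a silent drop, and the limiter should be applied in middleware so a new route cannot forget it. Keying auth attempts by account as well as by source address is what makes the limit useful against distributed guessing, not only against one noisy client.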
### 6. Data Integrity
- Are database operations in transactions where needed?
- Is there protection against race conditions (optimistic locking, unique constraints)?
- Are cascading effects handled (deleting parent affects children)?
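Added example for the data-integrity questions, not code from the BeforeMerge prompt: optimistic locking for a withdrawal endpoint, modelled on an in-memory row with a version column. The race-prone write and the compare-and-set write sit side by side, and the equivalent SQL is given in a comment. Account ids, balances and the `withdraw` helper are constructed assumptions.

```python
# Added example (not from the BeforeMerge prompt): lost-update race versus
# optimistic locking, on a constructed in-memory accounts table.
import threading


class ConflictError(Exception):
    pass


class InsufficientFunds(Exception):
    pass


# Constructed sample row: balance in cents, version bumped on every write.
ACCOUNTS = {7: {"balance": 10_000, "version": 1}}
_lock = threading.Lock()  # stands in for the database's row-level atomicity


def read_account(account_id):
    with _lock:
        return dict(ACCOUNTS[account_id])


def write_unsafe(account_id, snapshot, amount):
    """The race-prone pattern: trust a snapshot read earlier in the request and
    write unconditionally (UPDATE accounts SET balance = :new WHERE id = :id).
    Two requests that read the same snapshot both succeed; one update is lost."""
    with _lock:
        ACCOUNTS[account_id]["balance"] = snapshot["balance"] - amount


def compare_and_set(account_id, expected_version, new_balance):
    """Optimistic lock. Equivalent SQL:
       UPDATE accounts SET balance = :new, version = version + 1
        WHERE id = :id AND version = :expected
    Zero rows affected means the row changed under us: raise, never overwrite."""
    with _lock:
        row = ACCOUNTS[account_id]
        if row["version"] != expected_version:
            raise ConflictError(account_id)
        row["balance"] = new_balance
        row["version"] += 1


def withdraw(account_id, amount, max_retries=3):
    """Read, check, compare-and-set; on conflict re-read and retry, so the
    balance check is always evaluated against the state actually written."""
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount must be a positive integer")
    for _ in range(max_retries):
        row = read_account(account_id)
        if row["balance"] < amount:
            raise InsufficientFunds()
        try:
            compare_and_set(account_id, row["version"], row["balance"] - amount)
            return read_account(account_id)
        except ConflictError:
            continue
    raise ConflictError("gave up after %d retries" % max_retries)
```

The version column is the cheap alternative to `SELECT ... FOR UPDATE` when contention is rare; a unique constraint plays the same role for create-if-absent flows such as "one coupon redemption per user". Either way the decision must be made where the write happens, not on a value read earlier in the request.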
## Output Format
1. **Security Score**: 0-100 with letter grade
2. **Critical Issues**: Must-fix before deployment
3. **Warnings**: Should-fix items
4. **Suggestions**: Nice-to-have improvements
5. **Hardened Code**: Secured version of the endpoint

Tags: security, api, audit, authorization, validation
BeforeMerge offers hundreds of AI prompts, code review rules, guides, and detection patterns to help your team ship better code.