api-hardening

# API hardening Defense-in-depth patterns for protecting APIs from abuse, injection attacks, and data leakage. Recipes are oriented around the OWASP API Security Top 10:2023 and were last verified on 2026-05-08. ## Step 0: Research the current security landscape (do this first) > Security knowledge ages on a 6-12 month half-life. The recipes below were last verified on 2026-05-08; they may be stale by the time you read this. Before applying any pattern in this skill, fan out research scoped to the API surface or web defense being added so the recipes are interpreted against current authoritative sources, not against this file's snapshot. ### Default-on, with a documented skip Run the 4-angle research below by default. Skip ONLY when ALL of these hold: - (a) You ran this same skill on this same primitive within the last 4 hours of the current session, - (b) That prior research surfaced no urgent advisories for the API surface or web defense being added, - (c) You log a one-line `Research skipped because <reason>` note in your response. "I think I know" / "moving fast" / "user wants this done quickly" / "already familiar" are NOT valid skip reasons. The whole point of this preamble is that future-you should not trust this skill body's defaults until current state is checked. ### Fan out 4 subagents in parallel Each subagent returns ≤300 words of bullets with citations. Dispatch all 4 in a single message so they run concurrently. **Angle 1 — Authoritative standards.** ...