api-security
Install: claude install-skill roodlicht/accans-sec-skills
# API Security
## When to use
This skill is the API-specific lens: REST and GraphQL endpoints, their auth, their contract, their abuse surface. It complements `security-review` when the code is an API layer, and it is invoked by framework skills (`django-security`, `spring-security`, `rails-security`, `nextjs-security`) for the API-specific rules.
Triggers on:
- A question like "review this API for security issues", "is the auth on this endpoint OK", "do we cover OWASP API Top 10", "do we have enough rate-limiting", "how do we handle CORS".
- New or changed OpenAPI/Swagger/GraphQL schemas.
- Code exposed as an external API: REST controllers, GraphQL resolvers, gRPC handlers, webhook endpoints, service-mesh routes.
- A PR touching auth middleware, rate-limiting, schema validation, or CORS config.
- A handoff from `security-review` or a framework skill that points to API-specific depth.
### When NOT (handoff)
- Framework-specific API config (Django REST Framework, Spring MVC, Rails API-only, Next.js route handlers) → the relevant framework skill first. They know their own defaults and foot-guns better.
- Pure code-pattern question without API context ("is this query safe") → `secure-coding`.
- Active API pentesting with exploitation → `web-exploit-triage` and `payload-crafter`.
- Dependency vulns in API libraries → `cve-triage`.
- API-gateway config in the cloud (WAF rules, AWS API Gateway resource policies) → `iac-security`.
- Runtime WAF tuning on existing production is