@soulofzephir/pi-skill-pentesting 1.0.1 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@soulofzephir/pi-skill-pentesting",
3
- "version": "1.0.1",
3
+ "version": "1.0.3",
4
4
  "description": "Comprehensive pentesting & security check skill for Pi coding agent - headers, ports, SQLi, XSS, OWASP Top 10",
5
5
  "keywords": [
6
6
  "pi",
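Review bot: the unchanged `description` context line still advertises only "headers, ports, SQLi, XSS, OWASP Top 10" while this release adds API security, subdomain discovery, WebSocket, cloud metadata and sensitive data detection (see the SKILL.md frontmatter change below); update `description` and the `keywords` array in the same commit so registry search and the skill frontmatter describe the same scope. Also, the bump goes 1.0.1 to 1.0.3 with no 1.0.2 visible in this diff; if 1.0.2 exists, its changes are folded into this one without being called out.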
@@ -1,15 +1,15 @@
1
1
  ---
2
2
  name: pentesting
3
- description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers analysis, port scanning, SQL injection, XSS testing, OWASP Top 10, SSL/TLS audit, exposed files detection, CORS, JWT, and GraphQL security testing. Use when user asks for pentest, security check, security audit, vulnerability scan, header security, port scan, SQL injection, XSS, OWASP, ethical hacking, exposed files, CORS, JWT, GraphQL, or bug bounty testing. Generates reports to site/domainname-date.md format.
3
+ description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers, port scanning, SQL injection, XSS, OWASP Top 10, SSL/TLS, exposed files, CORS, JWT, GraphQL, API security, subdomain discovery, WebSocket, cloud metadata, and sensitive data detection. Use for pentest, security check, vulnerability scan, header security, port scan, SQL injection, XSS, exposed files, CORS, JWT, GraphQL, API security, subdomain, WebSocket, cloud, sensitive data, or bug bounty testing. Generates reports to site/domainname-date.md format.
4
4
  ---
5
5
 
6
6
  # 🛡️ Pentesting & Security Check Skill
7
7
 
8
- > **AUTHOR:** Rz (@soulofzephir) | **VERSION:** 3.0 | **LAST UPDATED:** 2025-07-05
8
+ > **AUTHOR:** Rz (@soulofzephir) | **VERSION:** 4.0 | **LAST UPDATED:** 2025-07-05
9
9
 
10
10
  ---
11
11
 
12
- ## 📋 CAPABILITIES OVERVIEW (v3.0)
12
+ ## 📋 CAPABILITIES OVERVIEW (v4.0)
13
13
 
14
14
  | Category | Coverage | Status |
15
15
  |----------|----------|--------|
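Review bot: the banner line bumps VERSION from 3.0 to 4.0 but leaves LAST UPDATED at 2025-07-05, the same date the 3.0 banner carried; either the date is stale or both releases were cut the same day, in which case the changelog should say so. The rewritten `description` also drops "OWASP" and "ethical hacking" from the "Use for" trigger list while the capability table below still claims OWASP Top 10 coverage; keep "OWASP" as a trigger so requests phrased that way still load the skill.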
@@ -21,10 +21,15 @@ description: Comprehensive website security testing skill for penetration testin
21
21
  | **XXE Testing** | Basic, Blind, DoS | ✅ Manual |
22
22
  | **OWASP Top 10** | A01-A10 complete | ✅ Checklist |
23
23
  | **SSL/TLS Audit** | Certificate & Ciphers | ✅ testssl.sh |
24
- | **Exposed Files** | .env, .git, backups, debug | ✅ **NEW** |
25
- | **CORS Security** | Misconfiguration tests | ✅ **NEW** |
26
- | **JWT Security** | Algorithm attacks, brute force | ✅ **NEW** |
27
- | **GraphQL Security** | Introspection, DoS, injection | ✅ **NEW** |
24
+ | **Exposed Files** | .env, .git, backups, debug | ✅ Script |
25
+ | **CORS Security** | Misconfiguration tests | ✅ Checklist |
26
+ | **JWT Security** | Algorithm attacks, brute force | ✅ Checklist |
27
+ | **GraphQL Security** | Introspection, DoS, injection | ✅ Checklist |
28
+ | **API Security** | REST API testing, IDOR, rate limit | ✅ **NEW** |
29
+ | **Subdomain Discovery** | Passive/Active enumeration | ✅ **NEW** |
30
+ | **WebSocket Security** | CSWSH, hijacking, DoS | ✅ **NEW** |
31
+ | **Cloud Metadata** | SSRF to AWS/GCP/Azure | ✅ **NEW** |
32
+ | **Sensitive Data** | Credentials, PII exposure | ✅ **NEW** |
28
33
  | **Report Generation** | .md format | ✅ Auto |
29
34
 
30
35
  ---
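Review bot: the status column is inconsistent after this hunk. The previously NEW rows are relabelled to what they actually are (`✅ Script` for Exposed Files, which has tools/exposed-files-scan.sh, and `✅ Checklist` for CORS/JWT/GraphQL), but the five new rows are labelled `✅ **NEW**` even though the tools/ tree in this diff adds no script for them, only checklists. Label them `✅ Checklist` now so the next release does not need another relabel pass, and reserve "NEW" for the changelog.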
@@ -42,11 +47,18 @@ This skill auto-loads when user mentions:
42
47
  - OWASP, OWASP Top 10
43
48
  - exposed files, .env, .git exposed
44
49
  - CORS, JWT, GraphQL security
50
+ - API security, REST API, REST security
51
+ - subdomain discovery, subdomain enumeration
52
+ - WebSocket security, WS security
53
+ - cloud metadata, SSRF, AWS metadata
54
+ - sensitive data, credentials exposure, PII
45
55
  - "test keamanan", "cek security", "audit keamanan"
56
+ - "test skill", "check skill", "validate skill"
57
+ - "skill health", "skill status", "skill diagnostics"
46
58
 
47
59
  ---
48
60
 
49
- ## ⚡ COMPLETE TEST CHECKLIST (10+ Phases)
61
+ ## ⚡ COMPLETE TEST CHECKLIST (16 Phases)
50
62
 
51
63
  ### Phase 1: Reconnaissance
52
64
  ```
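Review bot: the new auto-load triggers "test skill", "check skill", "validate skill", "skill health", "skill status" and "skill diagnostics" are generic phrases that will match requests about any other skill installed in the agent, not just this one; scope them to the skill name (for example "test pentesting skill") or make the health check an explicit command rather than a trigger. The bare "SSRF" trigger added on the cloud metadata line has the same problem in the other direction: any SSRF question will now load a cloud metadata checklist.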
@@ -69,7 +81,7 @@ This skill auto-loads when user mentions:
69
81
  [ ] X-Powered-By (hide tech)
70
82
  ```
71
83
 
72
- ### Phase 3: Exposed Files & Information Disclosure 🔴 **NEW**
84
+ ### Phase 3: Exposed Files & Information Disclosure 🔴
73
85
  ```
74
86
  [ ] .env file accessible?
75
87
  [ ] .git directory exposed?
@@ -79,33 +91,33 @@ This skill auto-loads when user mentions:
79
91
  [ ] Spring Boot Actuator endpoints
80
92
  [ ] API documentation exposed
81
93
  [ ] Log files accessible
82
- [ ] robots.txt (reveals paths)
83
- [ ] Security.txt endpoint
84
94
  ```
85
95
 
86
- ### Phase 4: Port & Network Scanning
96
+ ### Phase 4: Subdomain Discovery 🔴 **NEW**
97
+ ```
98
+ [ ] Passive recon (crt.sh, certspotter)
99
+ [ ] DNS aggregators (SecurityTrails, VirusTotal)
100
+ [ ] Active enumeration (subfinder, amass)
101
+ [ ] DNS zone transfer
102
+ [ ] Subdomain takeover detection
103
+ ```
104
+
105
+ ### Phase 5: Port & Network Scanning
87
106
  ```
88
107
  [ ] Full port scan (1-65535)
89
108
  [ ] Service version detection
90
- [ ] High-risk port exposure:
91
- [ ] Port 3306 (MySQL)
92
- [ ] Port 5432 (PostgreSQL)
93
- [ ] Port 27017 (MongoDB)
94
- [ ] Port 6379 (Redis)
95
- [ ] Port 2375 (Docker)
96
- [ ] Port 9200 (Elasticsearch)
109
+ [ ] High-risk port exposure (3306, 5432, 6379, 2375)
97
110
  ```
98
111
 
99
- ### Phase 5: SSL/TLS Audit
112
+ ### Phase 6: SSL/TLS Audit
100
113
  ```
101
114
  [ ] Certificate validity
102
115
  [ ] TLS version (no 1.0/1.1)
103
116
  [ ] Weak ciphers
104
117
  [ ] HSTS implementation
105
- [ ] OCSP stapling
106
118
  ```
107
119
 
108
- ### Phase 6: Authentication Testing
120
+ ### Phase 7: Authentication Testing
109
121
  ```
110
122
  [ ] Brute force protection
111
123
  [ ] Password policy
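Review bot: this hunk silently removes checks rather than moving them: robots.txt and security.txt from Phase 3, MongoDB 27017 and Elasticsearch 9200 from the high-risk port list (the compacted line keeps only 3306, 5432, 6379, 2375), and OCSP stapling from the SSL/TLS audit. None of these reappear elsewhere in the diff; restore them or record the removal in the changelog. For the new Phase 4 item "DNS zone transfer", note that AXFR has to be attempted against each authoritative nameserver of the zone, not the default resolver, otherwise the check is a no-op.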
@@ -114,7 +126,43 @@ This skill auto-loads when user mentions:
114
126
  [ ] Password reset flow
115
127
  ```
116
128
 
117
- ### Phase 7: Injection Testing
129
+ ### Phase 8: API Security 🔴 **NEW**
130
+ ```
131
+ [ ] REST API authentication
132
+ [ ] IDOR (access other users' data)
133
+ [ ] Rate limiting bypass
134
+ [ ] Mass assignment
135
+ [ ] API versioning issues
136
+ ```
137
+
138
+ ### Phase 9: WebSocket Security 🔴 **NEW**
139
+ ```
140
+ [ ] Origin validation
141
+ [ ] Cross-Site WebSocket Hijacking (CSWSH)
142
+ [ ] Authentication in WebSocket
143
+ [ ] Input validation in messages
144
+ [ ] DoS via WebSocket
145
+ ```
146
+
147
+ ### Phase 10: Cloud Metadata (SSRF) 🔴 **NEW**
148
+ ```
149
+ [ ] AWS EC2 metadata accessible?
150
+ [ ] GCP metadata accessible?
151
+ [ ] Azure metadata accessible?
152
+ [ ] IAM credentials exposed
153
+ [ ] SSRF to cloud takeover
154
+ ```
155
+
156
+ ### Phase 11: Sensitive Data Detection 🔴 **NEW**
157
+ ```
158
+ [ ] API keys in source code
159
+ [ ] AWS credentials exposed
160
+ [ ] Private keys exposed
161
+ [ ] PII in responses
162
+ [ ] Credentials in URLs
163
+ ```
164
+
165
+ ### Phase 12: Injection Testing
118
166
  ```
119
167
  [ ] SQL Injection (5 types)
120
168
  [ ] XSS (4 types)
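Review bot: Phase 10 phrases "AWS EC2 metadata accessible?" (and the GCP/Azure items) as if it were a direct probe, but from outside the target the metadata service is only reachable through an SSRF sink in the application; each item should name the parameter or feature used as the SSRF vector. Two caveats belong in the checklist: AWS IMDSv2 requires a session token obtained with a PUT request, so a GET-only SSRF fails against hardened instances, and GCP (`Metadata-Flavor: Google`) and Azure (`Metadata: true`) require a request header, which rules out SSRF primitives that cannot set headers. "IAM credentials exposed" and "SSRF to cloud takeover" overlap, and SSRF is listed again under Phase 12 injection testing; decide which phase owns it.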
@@ -125,36 +173,33 @@ This skill auto-loads when user mentions:
125
173
  [ ] SSRF
126
174
  ```
127
175
 
128
- ### Phase 8: CORS Security 🔴 **NEW**
176
+ ### Phase 13: CORS Security
129
177
  ```
130
178
  [ ] Wildcard origin check
131
179
  [ ] Credentials with wildcard
132
180
  [ ] Null origin allowed?
133
181
  [ ] Internal IPs allowed?
134
- [ ] Sensitive endpoints CORS
135
182
  ```
136
183
 
137
- ### Phase 9: JWT Security 🔴 **NEW**
184
+ ### Phase 14: JWT Security
138
185
  ```
139
186
  [ ] Algorithm confusion (RS256→HS256)
140
187
  [ ] alg:none bypass
141
188
  [ ] Weak secret brute force
142
189
  [ ] Null signature accepted
143
- [ ] Token manipulation (exp, iat, sub)
144
- [ ] JWKS cache poisoning
190
+ [ ] Token manipulation
145
191
  ```
146
192
 
147
- ### Phase 10: GraphQL Security 🔴 **NEW**
193
+ ### Phase 15: GraphQL Security
148
194
  ```
149
195
  [ ] Introspection enabled?
150
- [ ] GraphQL IDE exposed
151
196
  [ ] Authorization bypass (IDOR)
152
197
  [ ] Batch query attack
153
198
  [ ] Depth-based DoS
154
199
  [ ] SQL/NoSQL Injection
155
200
  ```
156
201
 
157
- ### Phase 11: OWASP Top 10 (A01-A10)
202
+ ### Phase 16: OWASP Top 10 (A01-A10)
158
203
  ```
159
204
  [ ] A01 - Broken Access Control
160
205
  [ ] A02 - Cryptographic Failures
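Review bot: besides renumbering, this hunk drops coverage: "Sensitive endpoints CORS" from the CORS phase, "JWKS cache poisoning" and the explicit claim list "(exp, iat, sub)" from the JWT phase, and "GraphQL IDE exposed" from the GraphQL phase. Nothing in the diff reintroduces them in checklists/cors.md, jwt.md or graphql.md, so either keep the lines or state in the changelog why they were removed. "Token manipulation" without the claim names is too vague to act on; at minimum keep `exp` and `sub`.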
@@ -168,38 +213,36 @@ This skill auto-loads when user mentions:
168
213
  [ ] A10 - SSRF
169
214
  ```
170
215
 
171
- ### Phase 12: Business Logic & API
172
- ```
173
- [ ] IDOR
174
- [ ] Privilege escalation
175
- [ ] Price manipulation
176
- [ ] API security (REST/GraphQL)
177
- [ ] Rate limiting
178
- ```
179
-
180
216
  ---
181
217
 
182
218
  ## 🔧 TOOLS LOCATION
183
219
 
184
220
  ```
185
221
  skills/pentesting/
186
- ├── SKILL.md # This file
222
+ ├── SKILL.md
187
223
  ├── checklists/
188
- │ ├── headers.md # 9 headers detail
224
+ │ ├── headers.md # Security headers
189
225
  │ ├── owasp.md # OWASP Top 10
190
226
  │ ├── ports.md # Port scanning
191
- │ ├── injection.md # All injection types
192
- │ ├── exposed-files.md # 🔴 NEW - Exposed files
193
- │ ├── cors.md # 🔴 NEW - CORS security
194
- │ ├── jwt.md # 🔴 NEW - JWT security
195
- └── graphql.md # 🔴 NEW - GraphQL security
227
+ │ ├── injection.md # All injection types
228
+ │ ├── exposed-files.md # Exposed files detection
229
+ │ ├── cors.md # CORS security
230
+ │ ├── jwt.md # JWT security
231
+ ├── graphql.md # GraphQL security
232
+ │ ├── api-security.md # 🔴 NEW - API security
233
+ │ ├── subdomain.md # 🔴 NEW - Subdomain discovery
234
+ │ ├── websocket.md # 🔴 NEW - WebSocket security
235
+ │ ├── cloud-metadata.md # 🔴 NEW - Cloud metadata/SSRF
236
+ │ └── sensitive-data.md # 🔴 NEW - Sensitive data detection
196
237
  ├── tools/
197
238
  │ ├── header-scan.sh # Linux/Mac headers
198
239
  │ ├── header-scan.ps1 # Windows headers
199
- │ ├── exposed-files-scan.sh # 🔴 NEW - Exposed files
200
- │ ├── exposed-files-scan.ps1 # 🔴 NEW - Exposed files
201
- │ ├── full-scan.sh # 🔴 NEW - All-in-one Linux
202
- └── full-scan.ps1 # 🔴 NEW - All-in-one Windows
240
+ │ ├── exposed-files-scan.sh # Exposed files (Linux)
241
+ │ ├── exposed-files-scan.ps1 # Exposed files (Windows)
242
+ │ ├── full-scan.sh # All-in-one (Linux)
243
+ ├── full-scan.ps1 # All-in-one (Windows)
244
+ │ ├── test-skill.sh # Skill health check (Linux)
245
+ │ └── test-skill.ps1 # Skill health check (Windows)
203
246
  └── reports/
204
247
  └── template.md # Report template
205
248
  ```
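Review bot: the directory tree is mis-drawn: `├── graphql.md` and `├── full-scan.ps1` lack the `│   ` prefix their siblings have, so they render as top-level entries of skills/pentesting/ instead of under checklists/ and tools/. The old tree correctly used `└── graphql.md` as the last checklist; now that sensitive-data.md is last (and correctly `└──`), graphql.md needs `│   ├── graphql.md` and full-scan.ps1 needs `│   ├── full-scan.ps1`. Removing Phase 12 "Business Logic & API" also drops "Privilege escalation" and "Price manipulation" from the top-level checklist; they survive only inside checklists/api-security.md, so the new Phase 8 should at least reference that file.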
@@ -210,53 +253,26 @@ skills/pentesting/
210
253
 
211
254
  ### Security Headers
212
255
  ```bash
213
- # Linux/Mac
214
- chmod +x tools/header-scan.sh
215
- ./tools/header-scan.sh https://target.com
216
-
217
- # Windows PowerShell
218
256
  .\tools\header-scan.ps1 -Target https://target.com
257
+ ./tools/header-scan.sh https://target.com
219
258
  ```
220
259
 
221
- ### Exposed Files Scan 🔴 NEW
260
+ ### Exposed Files Scan
222
261
  ```bash
223
- # Linux/Mac
224
- chmod +x tools/exposed-files-scan.sh
225
- ./tools/exposed-files-scan.sh https://target.com
226
-
227
- # Windows PowerShell
228
262
  .\tools\exposed-files-scan.ps1 -Target https://target.com
263
+ ./tools/exposed-files-scan.sh https://target.com
229
264
  ```
230
265
 
231
- ### Full Security Scan (All-in-One) 🔴 NEW
266
+ ### Full Security Scan (All-in-One)
232
267
  ```bash
233
- # Linux/Mac
234
- chmod +x tools/full-scan.sh
235
- ./tools/full-scan.sh https://target.com
236
-
237
- # Windows PowerShell
238
268
  .\tools\full-scan.ps1 -Target https://target.com
269
+ ./tools/full-scan.sh https://target.com
239
270
  ```
240
271
 
241
- ### Port Scanning
242
- ```bash
243
- nmap -sV -p 21,22,80,443,3306,5432,8080 target.com
244
- nmap -p- -sV target.com
245
- ```
246
-
247
- ### Vulnerability Scanning
272
+ ### Skill Health Check
248
273
  ```bash
249
- # Nuclei
250
- nuclei -u https://target.com
251
-
252
- # SQLMap
253
- sqlmap -u "https://target.com/search?q=1" --batch
254
-
255
- # Dalfox XSS
256
- dalfox url https://target.com/search?q=test
257
-
258
- # Commix
259
- commix -u "http://target.com/ping?ip=127.0.0.1"
274
+ .\tools\test-skill.ps1
275
+ ./tools/test-skill.sh
260
276
  ```
261
277
 
262
278
  ---
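Review bot: the Port Scanning and Vulnerability Scanning sections (nmap, nuclei, sqlmap, dalfox, commix) are deleted outright while Phase 5 still requires a full 1-65535 scan and Phase 12 still requires injection testing; the only command that survives anywhere in the diff is the sqlmap line in api-security.md. Move these commands into checklists/ports.md and injection.md rather than dropping them. In the remaining usage blocks, the `chmod +x` lines are gone, so the .sh scripts rely on the executable bit surviving publish and install; keep the chmod or show `bash tools/header-scan.sh`. Each block is also still fenced as `bash` but now opens with a PowerShell invocation; restore the `# Linux/Mac` / `# Windows PowerShell` labels that the old version had.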
@@ -308,6 +324,12 @@ F (0-29): Critical
308
324
  - "test CORS" → Load CORS checklist
309
325
  - "test JWT" → Load JWT checklist
310
326
  - "test GraphQL" → Load GraphQL checklist
327
+ - "test API security" → Load API security checklist 🔴 **NEW**
328
+ - "test subdomain" → Load subdomain discovery 🔴 **NEW**
329
+ - "test WebSocket" → Load WebSocket security 🔴 **NEW**
330
+ - "test cloud metadata" → Load cloud metadata checklist 🔴 **NEW**
331
+ - "test sensitive data" → Load sensitive data checklist 🔴 **NEW**
332
+ - "test skill" / "check skill" → Run skill health check
311
333
 
312
334
  ---
313
335
 
@@ -323,14 +345,20 @@ User: "security audit untuk target.com"
323
345
  User: "check exposed files di website ini"
324
346
  → Run exposed files scan → site/target.com-exposed-2025-07-05.md
325
347
 
326
- User: "test CORS di api.target.com"
327
- → Run CORS security tests
348
+ User: "test API security"
349
+ → Run API security tests → checklists/api-security.md
350
+
351
+ User: "subdomain enumeration untuk target.com"
352
+ → Run subdomain discovery → checklists/subdomain.md
353
+
354
+ User: "test SSRF"
355
+ → Load cloud metadata/SSRF checklist
328
356
 
329
- User: "audit JWT security"
330
- Run JWT security checklist
357
+ User: "check sensitive data exposure"
358
+ Load sensitive data detection checklist
331
359
 
332
- User: "GraphQL security check"
333
- → Run GraphQL security tests
360
+ User: "test skill"
361
+ → Run skill health check
334
362
  ```
335
363
 
336
364
  ---
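Review bot: the "check sensitive data exposure" example is missing the `→` that every other example uses before its action; the removed "audit JWT security" example had the same defect, and this hunk replaces it with a new line that repeats it instead of fixing it. Change the line to `→ Load sensitive data detection checklist`.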
@@ -338,6 +366,9 @@ User: "GraphQL security check"
338
366
  ## ✅ SKILL READY
339
367
 
340
368
  **Status:** ACTIVE & READY FOR USE
341
- **Version:** 3.0
369
+ **Version:** 4.0
342
370
  **Author:** Rz (@soulofzephir)
343
371
  **Last Updated:** 2025-07-05
372
+ **Checklists:** 13
373
+ **Tools:** 8
374
+ **Health Score:** 95%+
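Review bot: "Health Score: 95%+" is a static string in the skill file that a reader cannot verify and that will drift from whatever tools/test-skill.sh actually reports; either drop it or phrase it as the health-check output on the stated date. The counts "Checklists: 13" and "Tools: 8" do match the tree in this diff, but they will need the same manual upkeep; consider having test-skill.sh compute them.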
@@ -0,0 +1,210 @@
1
+ # API Security Checklist
2
+
3
+ ## 🔍 What is API Security?
4
+
5
+ APIs expose application logic and sensitive data. Testing requires understanding authentication, authorization, and input validation.
6
+
7
+ ---
8
+
9
+ ## ⚠️ Common API Vulnerabilities
10
+
11
+ ### 1. Broken Object Level Authorization (BOLA/IDOR)
12
+ ```
13
+ Risk: Users access other users' resources
14
+ Test: Change ID in request parameter
15
+ ```
16
+
17
+ ### 2. Broken Authentication
18
+ ```
19
+ Risk: Session management flaws
20
+ Test: Token manipulation, JWT attacks
21
+ ```
22
+
23
+ ### 3. Excessive Data Exposure
24
+ ```
25
+ Risk: API returns more data than needed
26
+ Test: Analyze all response fields
27
+ ```
28
+
29
+ ### 4. Lack of Resources & Rate Limiting
30
+ ```
31
+ Risk: DoS, brute force
32
+ Test: Send many requests, measure throttling
33
+ ```
34
+
35
+ ### 5. Mass Assignment
36
+ ```
37
+ Risk: Modify protected fields
38
+ Test: Add unexpected fields to request
39
+ ```
40
+
41
+ ---
42
+
43
+ ## 🧪 Testing Checklist
44
+
45
+ ### Phase 1: Discovery
46
+ - [ ] API endpoints identified
47
+ - [ ] HTTP methods discovered (GET, POST, PUT, DELETE, PATCH)
48
+ - [ ] Authentication method identified (Bearer, API Key, OAuth, JWT)
49
+ - [ ] Content-Type identified (JSON, XML, form-data)
50
+ - [ ] Versioning detected (v1, v2, /api/)
51
+
52
+ ### Phase 2: Authentication Testing
53
+ - [ ] API key exposure in URL (should be in header)
54
+ - [ ] Bearer token manipulation
55
+ - [ ] JWT attacks (alg confusion, none, weak secret)
56
+ - [ ] Session fixation
57
+ - [ ] Token expiration bypass
58
+ - [ ] Password reset via API
59
+ - [ ] MFA bypass attempts
60
+
61
+ ### Phase 3: Authorization Testing
62
+ - [ ] Horizontal privilege escalation (access other users)
63
+ - [ ] Vertical privilege escalation (admin access)
64
+ - [ ] IDOR in resource endpoints
65
+ - [ ] Parameter manipulation
66
+ - [ ] Path traversal in URLs
67
+
68
+ ### Phase 4: Input Validation
69
+ - [ ] SQL Injection
70
+ - [ ] NoSQL Injection (MongoDB operators)
71
+ - [ ] Command Injection
72
+ - [ ] XSS (in JSON responses)
73
+ - [ ] XML Injection (if XML API)
74
+ - [ ] JSON Manipulation
75
+
76
+ ### Phase 5: Rate Limiting
77
+ - [ ] Rate limit present?
78
+ - [ ] Bypass via header manipulation (X-Forwarded-For)
79
+ - [ ] Bypass via IP rotation
80
+ - [ ] Bypass via user-agent rotation
81
+ - [ ] Business logic abuse (coupon reuse, price manipulation)
82
+
83
+ ### Phase 6: Business Logic
84
+ - [ ] Workflow bypass
85
+ - [ ] Race condition
86
+ - [ ] Mass assignment
87
+ - [ ] Insufficient workflow validation
88
+ - [ ] Time-based logic abuse
89
+
90
+ ### Phase 7: Data Exposure
91
+ - [ ] Sensitive data in responses (PII, passwords, tokens)
92
+ - [ ] Stack traces in errors
93
+ - [ ] Debug endpoints exposed
94
+ - [ ] Verbose logging
95
+ - [ ] Default/error messages leak info
96
+
97
+ ### Phase 8: Configuration
98
+ - [ ] CORS misconfiguration
99
+ - [ ] HTTP methods enabled (TRACE, OPTIONS)
100
+ - [ ] SSL/TLS issues
101
+ - [ ] Security headers missing
102
+ - [ ] Sensitive fields in Swagger/OpenAPI
103
+
104
+ ---
105
+
106
+ ## 🔧 Common API Payloads
107
+
108
+ ### SQL Injection
109
+ ```json
110
+ {"id": "1 OR 1=1"}
111
+ {"id": "1' OR '1'='1"}
112
+ {"id": "1; DROP TABLE users--"}
113
+ ```
114
+
115
+ ### NoSQL Injection
116
+ ```json
117
+ {"id": {"$ne": null}}
118
+ {"id": {"$gt": ""}}
119
+ {"username": {"$regex": ".*"}}
120
+ {"password": {"$ne": ""}}
121
+ ```
122
+
123
+ ### Mass Assignment
124
+ ```json
125
+ {"user_id": 123, "role": "admin"}
126
+ {"price": 1, "admin": true}
127
+ ```
128
+
129
+ ### Bypass Rate Limiting
130
+ ```bash
131
+ # Via X-Forwarded-For
132
+ curl -H "X-Forwarded-For: 1.2.3.4" api.target.com
133
+
134
+ # Via X-Real-IP
135
+ curl -H "X-Real-IP: 1.2.3.4" api.target.com
136
+
137
+ # Via X-Originating-IP
138
+ curl -H "X-Originating-IP: 1.2.3.4" api.target.com
139
+ ```
140
+
141
+ ### IDOR Tests
142
+ ```bash
143
+ # Change user ID
144
+ GET /api/users/123/profile
145
+ GET /api/users/124/profile
146
+
147
+ # Change resource ID
148
+ GET /api/orders/1001
149
+ GET /api/orders/1002
150
+
151
+ # Change UUID
152
+ GET /api/documents/abc-123
153
+ GET /api/documents/abc-124
154
+ ```
155
+
156
+ ---
157
+
158
+ ## 🛠️ Tools
159
+
160
+ ```bash
161
+ # Burp Suite (Recommended)
162
+ # - Intruder for fuzzing
163
+ # - Repeater for testing
164
+ # - Active Scanner
165
+
166
+ # sqlmap for API SQLi
167
+ sqlmap -u "https://api.target.com/users?id=1" --level=5 --risk=3
168
+
169
+ # ffuf for fuzzing
170
+ ffuf -w wordlist.txt -u https://api.target.com/FUZZ
171
+
172
+ # JWT attacks
173
+ python -m jwt_tool <JWT> -T
174
+ hashcat -a 0 -m 16500 jwt.txt wordlist.txt
175
+
176
+ # API enumeration
177
+ nmap --script=http-enum api.target.com
178
+ ```
179
+
180
+ ---
181
+
182
+ ## 📋 API Security Score
183
+
184
+ | Area | Score | Weight |
185
+ |------|-------|--------|
186
+ | Authentication | /20 | High |
187
+ | Authorization | /20 | Critical |
188
+ | Rate Limiting | /15 | High |
189
+ | Input Validation | /15 | Critical |
190
+ | Data Exposure | /15 | High |
191
+ | Configuration | /15 | Medium |
192
+
193
+ **Total: /100**
194
+
195
+ ---
196
+
197
+ ## 🛡️ Secure API Checklist
198
+
199
+ - [ ] JWT with strong secret (HS256 min 256-bit)
200
+ - [ ] Token expiration set
201
+ - [ ] Proper authorization on every endpoint
202
+ - [ ] Rate limiting enabled
203
+ - [ ] Input validation on all parameters
204
+ - [ ] Sensitive data not in responses
205
+ - [ ] Security headers set
206
+ - [ ] CORS properly configured
207
+ - [ ] No verbose errors in production
208
+ - [ ] API versioning
209
+ - [ ] Logging without sensitive data
210
+ - [ ] HTTPS only
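Review bot: the SQL injection payload `{"id": "1; DROP TABLE users--"}` is destructive and does not belong in a checklist for authorized assessments; replace it with a non-destructive probe such as a boolean pair (`1 AND 1=1` / `1 AND 1=2`) or a time-based delay. The IDOR example "Change UUID: abc-123 → abc-124" is misleading: UUIDs are random identifiers, not sequential ones, so incrementing is not a test; say instead to obtain a valid UUID from a second account and swap it into the first account's request. `python -m jwt_tool <JWT> -T` is unlikely to run, since jwt_tool ships as a script (`python3 jwt_tool.py <JWT> -T`). "Business logic abuse (coupon reuse, price manipulation)" sits under Phase 5 Rate Limiting but belongs under Phase 6 Business Logic. Finally, the vulnerability names follow the 2019 OWASP API Security Top 10; the 2023 list renames "Lack of Resources & Rate Limiting" to "Unrestricted Resource Consumption" and lists Broken Function Level Authorization separately, which this checklist covers only as "Vertical privilege escalation".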