Glama
eludden35

HIPAA Guardian MCP Server

getApiSecurityChecklist

Generate a comprehensive API security checklist to help healthcare application developers implement HIPAA-compliant security measures for protecting protected health information (PHI).

Input Schema

| Name   | Required | Description | Default |
|--------|----------|-------------|---------|
| schema | Yes      |             |         |

Note: the rendered table lists a required parameter named `schema`, which contradicts the tool's description of taking no input; the handler never reads any argument.

Implementation Reference

  • The handler is the inline async function in the registration below; it returns a static text response containing the OWASP-based API security checklist and reads no input.
  • The tool input schema is an empty object: no parameters are required.
  • server.ts:298-323 (registration)
    The server.tool() call that registers the 'getApiSecurityChecklist' tool with its description, an empty parameter shape, and the inline handler function. In the MCP TypeScript SDK, server.tool() takes the description as a separate string argument and the parameters as a Zod raw shape (a plain object whose values are Zod types), not an options object. Passing a single { description, schema } object makes the SDK read that object as the parameter shape, which matches the spurious required `schema` parameter in the Input Schema table above. The call below uses the SDK's positional form.
    // `server` is the McpServer instance created earlier in server.ts (not shown on this page).
    server.tool(
        'getApiSecurityChecklist',
        'Provides a general-purpose checklist for securing backend APIs, based on OWASP best practices.',
        {}, // empty Zod raw shape: the tool takes no parameters
        async () => {
            return {
                content: [{
                    type: 'text',
                    text: `
    # General API Security Checklist (OWASP Based)
    
    1.  **Authentication:** Implement a standard, strong authentication mechanism (e.g., OAuth 2.0, JWT). Do not roll your own.
    2.  **Authorization:** Enforce authorization at every endpoint. Check that the authenticated user has the correct permissions to perform the requested action on the requested resource (e.g., User A cannot access User B's data).
    3.  **Input Validation:** Validate all incoming data for type, format, and length. Reject any invalid data. This protects against injection attacks.
    4.  **Rate Limiting:** Implement rate limiting to protect against denial-of-service (DoS) and brute-force attacks.
    5.  **Use HTTPS Everywhere:** All API endpoints must enforce TLS 1.2 or higher.
    6.  **Proper Error Handling:** Return generic error messages. Do not leak sensitive information like stack traces or internal function names.
    7.  **Security Headers:** Use security headers like Content-Security-Policy, Strict-Transport-Security, and X-Content-Type-Options.
    8.  **Logging and Monitoring:** Log all API requests and monitor for suspicious activity, such as high error rates or access attempts from unusual locations.
    `
                }]
            };
        }
    );
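The checklist above is generic; as an added example (not code from the HIPAA Guardian MCP project), the TypeScript below applies items 1, 2, 3, 4, 6 and 8 to a single PHI lookup endpoint so the interactions between them are visible. Every identifier in it is constructed for illustration: the bearer-token table stands in for an OAuth 2.0 token introspection call, and the patient records, user ids and rate-limit values are hypothetical.

```typescript
// Added example: a minimal PHI lookup pipeline covering checklist items
// 1 (authentication), 2 (object-level authorization), 3 (input validation),
// 4 (rate limiting), 6 (generic errors) and 8 (audit logging).
// All tokens, users, records and limits below are constructed for illustration.

type Principal = { userId: string; role: 'patient' | 'clinician' };
type ApiRequest = { authorization?: string; patientId: string };
type ApiResponse = { status: number; body: Record<string, unknown> };

// Item 1: constructed opaque-token table standing in for token introspection.
// Tokens are looked up, never parsed or trusted for their contents.
const TOKENS: Record<string, Principal> = {
  'tok-alice': { userId: 'u-alice', role: 'patient' },
  'tok-bob':   { userId: 'u-bob',   role: 'patient' },
};

// Constructed PHI store. Each record carries its owner, which is what the
// object-level authorization check in item 2 compares against.
const RECORDS: Record<string, { ownerId: string; diagnosis: string }> = {
  'p-1001': { ownerId: 'u-alice', diagnosis: 'hypertension' },
  'p-1002': { ownerId: 'u-bob',   diagnosis: 'asthma' },
};

// Item 3: allow-list the identifier format before it reaches any lookup.
const PATIENT_ID = /^p-\d{4}$/;

// Item 4: fixed-window counter keyed by principal (not by token), so that
// rotating tokens does not refill the budget. Hypothetical limits.
const WINDOW_MS = 60_000;
const LIMIT = 5;
const buckets = new Map<string, { windowStart: number; count: number }>();

function overLimit(userId: string, now: number): boolean {
  const b = buckets.get(userId);
  if (!b || now - b.windowStart >= WINDOW_MS) {
    buckets.set(userId, { windowStart: now, count: 1 });
    return false;
  }
  b.count += 1;
  return b.count > LIMIT;
}

function resetRateLimits(): void { buckets.clear(); }

// Items 6 and 8: the client sees a generic reason; the specific detail goes to
// the audit log only.
const audit: string[] = [];
function deny(status: number, reason: string, detail: string): ApiResponse {
  audit.push(`${status} ${detail}`);
  return { status, body: { error: reason } };
}

function getPatientRecord(req: ApiRequest, now: number = Date.now()): ApiResponse {
  const token = req.authorization?.replace(/^Bearer /, '');
  const who = token ? TOKENS[token] : undefined;
  if (!who) return deny(401, 'unauthorized', 'no valid bearer token');

  // Rate-limit before validation so malformed probes also consume budget.
  if (overLimit(who.userId, now))
    return deny(429, 'too many requests', `rate limit hit for ${who.userId}`);

  if (!PATIENT_ID.test(req.patientId))
    return deny(400, 'bad request', `malformed patientId ${JSON.stringify(req.patientId)}`);

  const rec = RECORDS[req.patientId];
  // Same response for "does not exist" and "not yours": a caller must not be
  // able to enumerate valid patient ids by the difference between 403 and 404.
  if (!rec || (who.role === 'patient' && rec.ownerId !== who.userId))
    return deny(404, 'not found', `${who.userId} denied ${req.patientId}`);

  audit.push(`200 ${who.userId} read ${req.patientId}`);
  return { status: 200, body: { patientId: req.patientId, diagnosis: rec.diagnosis } };
}

function auditLog(): readonly string[] { return audit; }
```

Two design choices worth noting: the cross-user case returns the same 404 body as a missing record so the endpoint does not confirm which patient ids exist, and the rate limiter runs before input validation so a brute-force of malformed ids is throttled like any other traffic. In a real service the token table would be replaced by a call to the identity provider and the audit array by an append-only log sink.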

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/eludden35/hipaa-guardian-mcp'
