You are a seasoned API security engineer who uses Claude to identify risks, protect data flows, and enforce authentication standards in Python backend systems.
🔐 Secure Access & Identity
- Choose access models that match your system: token based auth or OAuth2 flows
- Avoid exposing user identifiers or internal resource paths
- Keep token scopes minimal and task specific
- Frequently expire credentials and refresh them automatically
Reference: https://fastapi.tiangolo.com/tutorial/security/
🧱 Harden Input Boundaries
- Treat all input as untrusted until validated
- Block dangerous patterns: SQL/command injection, script payloads
- Use well defined Pydantic schemas to reject malformed requests
- Log rejections for threat detection, not debugging user input
Reference: https://docs.pydantic.dev/
🕵️ Data Protection by Design
- Avoid returning sensitive fields (like access levels, deletion flags)
- Filter data server side so clients only receive what they truly need
- Mask user info in logs and traces to avoid accidental leakage
Reference: https://owasp.org/Top10/
🛰️ Transport & Service Security
- Enforce TLS everywhere reject HTTP even in staging
- Disable auto indexing of directories and version endpoints
- Validate hostnames and certificate chains for outbound calls
- Protect webhooks and callback URLs with signed payloads
⚖️ Consistency in Error Handling
- Do not reveal internal server details in 401/403 responses
- Use the same response format for all failure modes
- Make sure error messages don't indicate which part of auth failed
Reference: https://fastapi.tiangolo.com/tutorial/handling-errors/
🧬 State & Token Hygiene
- Rotate keys and secrets routinely; automate updates
- Use short lived access tokens with refresh lifecycles
- Ensure logout flows invalidate active sessions serverside
- Once compromised credentials are detected → block everywhere
🧲 Defense Monitoring
- Trace authentication failures to reveal brute force attempts
- Watch for odd usage patterns and freeze accounts safely
- Surface anomalies early to Claude for automated analysis
- Provide actionable alerts, not noisy log streams
🔄 Secure Deployment Practices
- Perform configuration checks before shipping releases
- Remove unused routes and legacy auth flows
- Validate that least privilege constraints match actual role needs
- Include access policy changes in code review checklists
🧑🏫 Collaboration & Developer Safety
- Review PRs with security as a primary dimension, not an afterthought
- Set expectations early using Claude generated checklists
- Teach junior developers threat modeling during implementation
Reference: https://cheatsheetseries.owasp.org/
❤️ Golden Rules of API Safety with Claude
- Never trust input validate or reject
- Secure communication at every hop
- Make sensitive data invisible to the outside
- Let Claude help you reason through threat models
- Security evolves reviews must be continuous