API Hardening (OWASP Basics)
architect, critique, revise, code, testModule 5: API Hardening (OWASP Basics)
Goal: Protect your API against brute-force password guessing and verify raw injection vulnerabilities.
What you need to know first
OWASP (Open Web Application Security Project): A global organization that tracks and lists the most critical security vulnerabilities in web applications (the OWASP Top 10).
Brute-Force Attacks: An attacker using automated scripts to guess passwords by submitting thousands of requests per minute.
- Defense: Rate Limiting middleware blocks client IPs that send too many requests within a specific timeframe (e.g. max 5 login requests per minute).
SQL Injection Audit: Verify database queries. Parameter binding ensures values are sanitized. Never concatenate parameters inside SQL strings.
The SOLO idea
Hardening is a continuous validation process. Following Pillar 03: Security-First, we audit code for vulnerability vectors, write automated test cases to verify the bounds, and test limits. We plan rate-limiting scopes using the planning loop to prevent accidental system lockouts.
Lab 5: Rate Limiting & Audit
Estimated AI conversations: 3
- Install rate limiting package:
pip install slowapi - Step A: Plan rate limiting. Open Copilot Chat and type:
Follow #file:workflows/architect.md — Plan adding rate-limiting middleware to
main.pyusing theslowapilibrary.- Plan to configure a limit of
5 requests per minuteon thePOST /loginroute. - If a client exceeds this limit, return a
429 Too Many Requestsstatus code.
- Plan to configure a limit of
- Step B: Critique lockouts. In the same conversation, type:
Follow #file:workflows/critique.md — Critique the rate-limiting plan. Will it block mock integration tests from running? How does it resolve the client's real IP address behind a proxy?
- Step C: Revise.
Follow #file:workflows/revise.md — Revise the plan to handle client IP resolution safely and bypass limits during test execution if needed.
- Step D: Implement.
Follow #file:workflows/code.md — Write the rate-limiting configuration in
main.py. - Review the code. The integration should resemble:
from slowapi import Limiter, _rate_limit_exceeded_handler from slowapi.util import get_remote_address from slowapi.errors import RateLimitExceeded limiter = Limiter(key_func=get_remote_address) app.state.limiter = limiter app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler) @app.post("/login") @limiter.limit("5/minute") def login(...): ... - Audit SQL Query boundaries: Run a workspace search (or open file) to verify that no SQL queries contain raw string concatenation (e.g.
execute(f"...")). If any exist, replace them withexecute("...", (args,)). - Write integration tests in
test_main.py:- Assert that making 6 consecutive requests to
POST /loginwithin a few seconds yields a429status code on the final attempt.
- Assert that making 6 consecutive requests to
- Run your tests:
pytest -v - Commit:
git add . git commit -m "Module 5: integrated login rate limiting and completed SQL parameter injection audit" git push
Checkpoint
Create checkpoint_05.md:
- Paste the test case in
test_main.pyverifying rate limiting. - Explain in 1 sentence why rate-limiting is essential for protecting the
/loginroute.