Example of a Prompt

Agent: Document Agent

<aside> <img src="notion://custom_emoji/be6005d7-8302-4c8e-93fe-03d0d3d71970/12f3c107-d7a8-8009-8054-007a9b09b0b8" alt="notion://custom_emoji/be6005d7-8302-4c8e-93fe-03d0d3d71970/12f3c107-d7a8-8009-8054-007a9b09b0b8" width="40px" />

Design your security using the AP design document in @API Design Document as a reference, and output it in the format of @API Security Design Document.

</aside>

Template

# Security Measures in API Implementation

## 1. Implementation of Authentication and Authorization

### 1.1 Authentication Processing

#### 1.1.1 Implementation of Authentication Filters/Interceptors

- Overview of filter processing
- Token extraction method
- Token verification process
- Method for setting authentication information

#### 1.1.2 Token Generation and Verification

- Token generation method
- Token verification method
- User information retrieval method
- Token expiration management

### 1.2 Authorization Processing

#### 1.2.1 Role-Based Access Control

- Method for permission checks in controllers
- Permission settings for each endpoint
- Permission control at the method level

#### 1.2.2 Custom Authorization Logic

- Resource ownership verification
- Dynamic permission determination logic
- Context-dependent authorization rules

## 2. Input Validation

### 2.1 Validation in Request DTO

| Validation Item   | Description |
| ----------------- | ----------- |
| Required check    |             |
| Length check      |             |
| Format check      |             |
| Value range check |             |
| Custom validation |             |

### 2.2 Validation Processing in Controllers

- Handling validation errors
- Structure of validation error responses

### 2.3 Cross-Site Scripting (XSS) Countermeasures

- Input sanitization processing
- Output escaping processing
- Implementation of Content Security Policy

## 3. SQL Injection Countermeasures

### 3.1 Use of Parameterized Queries

- Countermeasures in ORM/mapper
- Safe construction of dynamic queries

### 3.2 Input Sanitization

- Escaping special characters
- Detection and countermeasures for SQL keywords

## 4. Error Handling

### 4.1 Implementation of Exception Handlers

- Structure of global exception handler
- Handling of security-related exceptions

### 4.2 Standardization of Error Responses

| Error Response Item | Description |
| ------------------- | ----------- |
| Error code          |             |
| Error message       |             |
| Timestamp           |             |
| Request identifier  |             |

### 4.3 Prevention of Confidential Information Leakage

- Control of stack trace output
- Concealment of internal error information

## 5. Secure Data Processing

### 5.1 Encryption of Confidential Data

- Design of encryption service
- Secure implementation of decryption processing

### 5.2 Password Management

- Implementation of hashing
- Generation and management of salt
- Password verification processing

## 6. Security Header Settings

### 6.1 Setting Response Headers

- List of security headers
- Setting methods

## 7. Implementation of Rate Limiting

### 7.1 Application-Level Rate Limiting

- Design of rate limiting
- Counter implementation
- Processing when limit is exceeded

## 8. Security Logging

### 8.1 Logging of Security Events

- Events to be logged
- Log format and content
- Masking of confidential information in logs

## 9. Implementation of CSRF Tokens

### 9.1 Generation and Verification of CSRF Tokens

- Token generation processing
- Token verification processing
- Verification for state-changing operations

## 10. API Versioning Security

### 10.1 Version Management and Security

- Security measures for each version
- End-of-support processing for old versions

Output Image

# API Security Design

## 1. Authentication and Authorization Design

### 1.1 Authentication Process

- All APIs require authentication using JWT (JSON Web Token).
- Tokens are received via request headers and validated by an interceptor.
- Tokens have an expiration period; if expired, a 401 error is returned.

### 1.2 Authorization Process

- Only logged-in users can operate APIs to modify their own membership information.
- To prevent unauthorized modification of others' information, the user ID in the token is checked against the target API resource ID.

## 2. Input Validation

- Controllers check email format and uniqueness, passwords (minimum 8 characters, mix of letters, numbers, and symbols), and profile image extension/size restrictions (jpg/png, under 2MB).
- Validation errors are returned in a unified structure (status, code, message, details).

## 3. SQL Injection and XSS Countermeasures

- Only parameterized queries are used. Even for dynamic queries, ORM or mappers are used for safe processing.
- All API inputs are sanitized, and responses are escaped as needed.

## 4. Error Handling

- Global exception handlers manage exceptions centrally.
- All error responses follow a standardized format with "status", "code", "message", and "details".
- Sensitive information such as stack traces is not exposed externally.

## 5. Session and Password Management

- Passwords are stored as hashes (with unique salt each time); plain text storage in the database is prohibited.
- Session information is managed via tokens. When tokens are invalidated or reissued, old tokens are disabled.

## 6. Rate Limiting

- Application rate limiting is set to 100 requests per user per hour.
- If the limit is exceeded, an appropriate error response (e.g., 429) is returned.

## 7. Security Headers

- The following headers are always included in API responses:
  - Content-Security-Policy
  - X-Frame-Options
  - X-XSS-Protection
  - Strict-Transport-Security

## 8. Security Logging

- All security events such as login failures, permission violations, rate limit exceedances, and detection of invalid data are logged.
- Logs include request identifiers, timestamps, event types, and user IDs, with personal information masked.

## 9. CSRF Countermeasures

- CSRF token verification is implemented for state-changing endpoints (mainly for web clients).

## 10. Security Management by API Version

- Authentication methods and authorization logic are managed for each version.
- When support for an old version ends, access from affected clients is denied and migration notifications are sent.

***

This "API Security Design" was created based on both the Membership Information Update API Specification (email address, password, profile image changes) and its implementation security countermeasure documentation, following the structure of @document.74991.