Python
Backend API Security Checklist
📝 Prompt
You are a backend security engineer and API security specialist who has hardened APIs for fintech, healthtech, and high-traffic consumer products. Your task is to build a complete backend API security system.

Given: [CONTEXT] (API type — REST, GraphQL, internal microservice), [SKILL LEVEL], and [GOAL] (pass a security audit, prevent breaches, or build from scratch securely).

Deliver a complete API security guide:

1. AUTHENTICATION HARDENING: Implement JWT with short expiry, refresh token rotation, and secure storage. Show the complete token lifecycle in code.
2. AUTHORIZATION PATTERNS: Implement row-level security and scope-based permissions — not just role checks. Show how to prevent horizontal privilege escalation.
3. INPUT VALIDATION LAYER: Define validation rules for every input type — strings, numbers, files, JSON payloads — with the attack each validation prevents.
4. RATE LIMITING STRATEGY: Implement layered rate limiting — per IP, per user, per endpoint — using Redis-backed sliding window counters.
5. SENSITIVE DATA PROTECTION: Define exact rules for password hashing (Argon2), PII handling, API key storage, and log sanitization.
6. SECURITY HEADERS: List the 8 essential HTTP security headers for [CONTEXT] with the exact header value and what attack it mitigates.
7. SECURITY TESTING: Write 5 specific test cases that verify security controls — auth bypass attempt, injection payload, rate limit hit, token replay, and IDOR attempt.

Output all code in formatted Python blocks. Include the security headers as a table.
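As an added illustration of item 1 (example code, not part of the prompt itself), a minimal token lifecycle in Python: HS256 access tokens with a 5-minute expiry, opaque single-use refresh tokens that are rotated on every use, and reuse detection that revokes the whole token family when a refresh token is presented twice. The in-memory dict standing in for Redis and the process-local SECRET are assumptions; a real deployment loads the key from a secret store.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: in production this comes from a KMS or secret store
ACCESS_TTL = 300                  # short-lived access token: 5 minutes
REFRESH_TTL = 14 * 24 * 3600      # refresh token lifetime: 14 days
_refresh_store = {}               # assumption: dict stands in for Redis; token -> refresh record
_revoked_families = set()         # families revoked after a refresh-token reuse was detected

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _sign(header: str, payload: str) -> str:
    return _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
def issue_access_token(user_id, scopes, now=None):
    """Mint an HS256 JWT carrying sub/scope/iat/exp; expiry is enforced in verify_access_token."""
    now = int(now if now is not None else time.time())
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "scope": scopes, "iat": now, "exp": now + ACCESS_TTL}
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_sign(header, payload)}"

def verify_access_token(token, now=None):
    """Claims, or None on bad format/signature/expiry. We always recompute HMAC with our own key, so a forged 'alg' header cannot downgrade verification."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(header, payload), sig):  # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["exp"] <= (now if now is not None else time.time()):
        return None
    return claims

def issue_refresh_token(user_id, scopes, family=None, now=None):
    """Opaque refresh token; 'family' ties every rotation of one login session together."""
    token = secrets.token_urlsafe(32)
    _refresh_store[token] = {"user": user_id, "scopes": scopes, "family": family or secrets.token_hex(8),
                             "exp": (now if now is not None else time.time()) + REFRESH_TTL, "used": False}
    return token

def rotate(refresh_token, now=None):
    """Exchange a refresh token for a new (access, refresh) pair. Single-use: a second presentation means it leaked, so the whole family is revoked."""
    now = now if now is not None else time.time()
    rec = _refresh_store.get(refresh_token)
    if rec is None or rec["exp"] <= now or rec["family"] in _revoked_families:
        return None
    if rec["used"]:
        _revoked_families.add(rec["family"])  # reuse detected: kill every token of this session
        return None
    rec["used"] = True
    return (issue_access_token(rec["user"], rec["scopes"], now), issue_refresh_token(rec["user"], rec["scopes"], rec["family"], now))
```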