frappe-api-handler
Generates secure API methods and REST endpoints for Frappe applications, enhancing backend development capabilities.
Security score: 90/100
The frappe-api-handler skill was audited on May 13, 2026 and we found 2 security issues across 1 threat category. Review the findings below before installing.
Security Issues
Medium severity, line 255 (category: Webhook reference). Source: SKILL.md
| 253 | - **ALWAYS** keep secrets in **`frappe.conf` or environment variables** — **NEVER** hardcode keys in repo. |
| 254 | - **ALWAYS** **paginate** list-style API responses intended for arbitrary-sized data. |
| 255 | - **ALWAYS** **verify webhook HMAC** (`X-Frappe-Webhook-Signature`) when exposing inbound webhook receivers. |
| 256 | - **NEVER** use **`allow_guest=True`** on endpoints that change data or privileged state without extra gates (validation + rate limit + minimal surface). |
| 257 | - **NEVER** **log credentials** or PCI/secret-bearing payloads. |
Medium severity, line 266 (category: Webhook reference). Source: SKILL.md
| 264 | ### Critical Rules (sources — condensed) |
| 265 | |
| 266 | From **frappe-core-api**: prefer token auth for integrations; store API secrets immediately when generated (shown once); session cookies expire (~3 days) — not for long-lived integrations; set Webhook secrets; use Jinja2 conditions on webhook conditions; outbound integration calls need timeouts and safe credential storage. |
| 267 | |
| 268 | From **frappe-syntax-whitelisted**: HTTP parameters arrive as strings — coerce types and **`frappe.parse_json`** for JSON blobs; Desk callers should **`JSON.stringify`** complex `frappe.call` args; **`frappe.form_dict`** for dynamic param maps; **[v15+]** optional **`force_types`** and site hook **`require_type_annotated_api_methods`** enforce annotations; **`frappe.local.response["http_status_code"]`** for non-default RPC HTTP status where applicable. |
Scanned on May 13, 2026
GitHub stars: 3
Category: development
Updated: May 13, 2026
Repository: vyogotech/frappe-apps-manager