💻 Coding Prompt
Gemini for Consulting API Developers: Review the Code for Security Issues at Intermediate Level
A complete Intermediate-level prompt system for Consulting API Developers — improve application performance through security-focused code review
The Prompt
You are a specialist API security engineer with 12 years of experience building and auditing REST APIs for consulting firms, enterprise clients, and multi-tenant SaaS platforms. Help me review the code for security issues so I can improve application performance.
My situation:
- API type and purpose: [e.g., internal microservice API / client-facing data API / third-party integration layer]
- Current tech stack: [e.g., Node.js with Express / Python with FastAPI / Java with Spring Boot]
- Inconsistent code quality symptoms: [e.g., some endpoints validate input, others do not / authentication is enforced on some routes but missing on others / error messages expose stack traces in production]
- Performance concern linked to security: [e.g., missing database query limits cause slow responses / unoptimized authentication checks add latency / lack of caching on public endpoints causes repeated expensive lookups]
- Consulting client sensitivity: [e.g., handles PII / processes financial transactions / stores health records]
- Current test coverage on security logic: [e.g., no tests on authentication middleware / partial coverage on input validation]
- Deployment environment: [e.g., AWS API Gateway / Azure APIM / self-hosted NGINX reverse proxy]
Deliver:
1. A security and performance intersection audit: identify the 5 places in the codebase where a security fix also directly improves response time — with a specific explanation of the mechanism for each
2. An authentication and authorization consistency check: map every endpoint against the authentication and authorization rules it should enforce, flag any inconsistency, and provide the corrected middleware pattern
3. An input validation coverage report: list every endpoint that accepts external input, confirm whether validation exists, and provide the missing validation logic for each unprotected endpoint
4. A rate limiting and throttling implementation plan: specify which endpoints need rate limiting, what the limits should be for a consulting API under typical client load, and the exact implementation pattern for the chosen stack
5. An error handling standardization guide: define a single error response format for the entire API, show how it replaces the current inconsistent patterns, and explain why consistent error responses reduce both security risk and debugging time
6. A dependency vulnerability scan brief: identify the 3 most commonly outdated dependency categories in the stated stack, explain the performance and security risk of each, and provide the update and audit command sequence
7. A security test coverage plan: define 8 test cases that cover the most critical security behaviors — authentication bypass attempts, oversized payload handling, invalid token responses, and rate limit enforcement — written at intermediate implementation level
8. A code quality consistency ruleset: define 5 linting or static analysis rules that enforce both security standards and performance patterns simultaneously, with the configuration syntax for the relevant tool
Audit authentication consistency across every route before reviewing any other security concern — an API with inconsistent auth enforcement has no security baseline to improve from.
💡 How to use this prompt
- Start with output #2 — the authentication and authorization consistency check. Inconsistent code quality in consulting APIs almost always starts at the auth layer. Every other security and performance issue is secondary until you know which endpoints are actually protected.
- The most common mistake is treating security and performance as separate reviews. Developers fix the SQL injection and then separately investigate why the API is slow, overlooking that the missing query limit behind the slow responses is the same gap that enables a denial-of-service attack. Run output #1 first to find the overlap.
- Gemini's real-time web access gives it an edge here — use it when current data or recent sources matter. For the final narrative polish, paste Gemini's research output into Claude for cleaner professional language.
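Added example, not part of this prompt page or any project's code: the missing-query-limit gap described above, shown as an unchecked "before" parser beside a hardened one that clamps page size and returns the single error envelope deliverable 5 asks for. The `MAX_PAGE_SIZE` ceiling, the function names and the dict-based query/response shapes are assumptions standing in for a framework's request and response objects.

```python
MAX_PAGE_SIZE = 100      # assumed ceiling for a consulting data API
DEFAULT_PAGE_SIZE = 25   # assumed default when the client sends no limit


class ApiError(Exception):
    """One error shape for every endpoint: status, machine code, short detail."""

    def __init__(self, status: int, code: str, detail: str):
        super().__init__(detail)
        self.status, self.code, self.detail = status, code, detail

    def to_response(self) -> dict:
        # Stable envelope with no stack trace or internal identifiers.
        return {"error": {"code": self.code, "detail": self.detail}}


def parse_page_params_unchecked(query: dict) -> tuple[int, int]:
    # "Before" version: trusts the client-supplied limit verbatim.
    # ?limit=10000000 turns one request into a full-table read, which is
    # both the latency symptom and the denial-of-service vector.
    limit = int(query.get("limit", DEFAULT_PAGE_SIZE))
    offset = int(query.get("offset", 0))
    return limit, offset


def parse_page_params(query: dict) -> tuple[int, int]:
    """Hardened version: reject non-numeric or negative values, clamp the size."""
    raw_limit = query.get("limit", str(DEFAULT_PAGE_SIZE))
    raw_offset = query.get("offset", "0")
    try:
        limit, offset = int(raw_limit), int(raw_offset)
    except (TypeError, ValueError):
        raise ApiError(400, "invalid_pagination", "limit and offset must be integers")
    if limit < 1 or offset < 0:
        raise ApiError(400, "invalid_pagination", "limit must be >= 1 and offset >= 0")
    # Clamping (rather than rejecting) keeps legitimate clients working while
    # bounding the cost of any single request.
    return min(limit, MAX_PAGE_SIZE), offset


def list_records(query: dict, table: list[dict]) -> tuple[int, dict]:
    """Handler-style wrapper returning (status, body) the way a route would."""
    try:
        limit, offset = parse_page_params(query)
    except ApiError as err:
        return err.status, err.to_response()
    page = table[offset:offset + limit]   # bounded slice, never the whole table
    return 200, {"items": page, "limit": limit, "offset": offset}
```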
About This Coding AI Prompt
This free Coding prompt is designed for Gemini and works with any modern AI assistant including ChatGPT, Claude, Gemini, and more. Simply copy the prompt above, paste it into your preferred AI tool, and customize the bracketed sections to fit your specific needs.