Assessment type
Real-world scenario
Analysis
Artificial Intelligence
Targeted skills
Technical scenario
Context: A production Express API is preparing for a security audit and must address the most critical OWASP API vulnerabilities.

The Problem: The API has no protection against injection, broken authentication, security misconfiguration, or mass assignment attacks.

Constraints: Address at minimum: SQL injection prevention (parameterized queries), mass assignment (explicit field whitelisting), security headers (helmet), brute force protection on auth endpoints, and sensitive data exposure (no stack traces in responses). Document each mitigation with the corresponding OWASP category.

Expected Deliverable: A hardened Express API addressing at least five OWASP Top 10 API vulnerabilities, with documented mitigations and automated security tests.
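
The following is an added example, not part of the original scenario and not a reference solution from the platform: dependency-free JavaScript showing three of the listed mitigations (field allow-listing, login throttling, stack-trace-free error responses) in Express's handler shape. All function names, the `req.id` property, and the choice of the OWASP API Security Top 10 2023 edition for the category labels are assumptions of this example.

```javascript
// Added example; every name here is hypothetical. Handlers follow the
// Express (req, res, next) shape but need no packages.

// OWASP API3:2023 (mass assignment): copy only allow-listed fields.
const USER_UPDATABLE = ['displayName', 'email'];
function pickAllowed(body, allowed) {
  const out = {};
  if (body === null || typeof body !== 'object') return out;
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// OWASP API2:2023 (broken authentication): fixed-window failure counter
// per key (for example account + client IP). In-memory, single process only.
function createLoginThrottle({ maxFailures = 5, windowMs = 900000, now = Date.now } = {}) {
  const failures = new Map(); // key -> { count, resetAt }
  const current = (key) => {
    const e = failures.get(key);
    if (e && e.resetAt <= now()) { failures.delete(key); return undefined; }
    return e;
  };
  return {
    isBlocked(key) { const e = current(key); return !!e && e.count >= maxFailures; },
    recordFailure(key) {
      const e = current(key) || { count: 0, resetAt: now() + windowMs };
      e.count += 1;
      failures.set(key, e);
    },
    recordSuccess(key) { failures.delete(key); },
  };
}

// OWASP API8:2023 (security misconfiguration): log details server-side,
// return a generic body with a correlation id and no stack trace.
function errorHandler(err, req, res, next) {
  const isClient = Number.isInteger(err.status) && err.status >= 400 && err.status < 500;
  const status = isClient ? err.status : 500;
  const requestId = req.id || 'unknown'; // req.id is assumed to be set upstream
  console.error(JSON.stringify({ requestId, message: err.message, stack: err.stack }));
  res.status(status).json({
    error: isClient ? 'Request failed' : 'Internal Server Error',
    requestId,
  });
}
```

The throttle's `now` parameter exists so an automated security test can drive the clock; a multi-instance deployment would need a shared store instead of the in-process `Map`.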