API Input Security (SQLi + XSS Protection)