API Security Checklist
I keep this checklist bookmarked. Every time I build or review an API, I run through it. Most security incidents I have seen came from missing one of thes...
14 Oct 2023

I keep this checklist bookmarked. Every time I build or review an API, I run through it. Most security incidents I have seen came from missing one of these basics, not from sophisticated attacks.
Authentication
- Never use basic auth over plain HTTP. HTTPS only.
- Send tokens in the
Authorizationheader, never in the URL. URLs get logged, cached, and shared. - Use standard auth mechanisms: JWT or OAuth 2.0. Do not invent your own.
- Make token expiration (TTL and refresh TTL) as short as your UX allows. Shorter tokens limit the blast radius of a leak.
- Use a long, random JWT secret. Short or predictable secrets make brute-force attacks trivial.
- Implement rate limiting and account lockout on login endpoints. Use exponential backoff or temporary jails after repeated failures.
Transport
- Reject all non-TLS requests. Do not respond to HTTP at all. Any response, even a redirect, risks leaking data in the initial plaintext request.
- Set security-related HTTP headers:
Strict-Transport-Security,X-Content-Type-Options,X-Frame-Options,Content-Security-Policy.
Input and output
- Validate all incoming data against a strict schema. Reject anything that does not conform. Do not try to fix malformed input.
- Convert received data to canonical form before processing. Normalize encoding, trim whitespace, enforce types.
- Validate
Content-Typeheaders. If you expect JSON, reject anything that is notapplication/json. - Serialize your JSON responses. Never return raw objects that might leak internal fields.
OAuth
- Validate
redirect_urion the server side. Only allow whitelisted URLs. Open redirects are a common OAuth attack vector. - Use the
stateparameter with a random hash to prevent CSRF on OAuth flows. Always validate it on the callback.
Infrastructure
- Use a CDN for file uploads. It offloads traffic, adds caching, and keeps upload endpoints away from your application servers.
- For heavy processing, use background workers and queues. Return a response fast. Process data asynchronously. Long-running HTTP requests are a denial-of-service risk.
- Turn off debug mode in production. Debug output leaks stack traces, environment variables, and internal paths. I have seen production APIs returning full stack traces with database credentials. It happens more often than you think.
The reality
No checklist makes an API secure by itself. Security is a practice, not a checkbox. But missing the basics is how most breaches happen. The sophisticated attacks get the headlines. The misconfigured CORS header or the leaked debug endpoint causes the actual damage.