Security

API Security Checklist

I keep this checklist bookmarked. Every time I build or review an API, I run through it. Most security incidents I have seen came from missing one of thes...

14 Oct 2023

API Security Checklist

I keep this checklist bookmarked. Every time I build or review an API, I run through it. Most security incidents I have seen came from missing one of these basics, not from sophisticated attacks.

Authentication

  • Never use basic auth over plain HTTP. HTTPS only.
  • Send tokens in the Authorization header, never in the URL. URLs get logged, cached, and shared.
  • Use standard auth mechanisms: JWT or OAuth 2.0. Do not invent your own.
  • Make token expiration (TTL and refresh TTL) as short as your UX allows. Shorter tokens limit the blast radius of a leak.
  • Use a long, random JWT secret. Short or predictable secrets make brute-force attacks trivial.
  • Implement rate limiting and account lockout on login endpoints. Use exponential backoff or temporary jails after repeated failures.

Transport

  • Reject all non-TLS requests. Do not respond to HTTP at all. Any response, even a redirect, risks leaking data in the initial plaintext request.
  • Set security-related HTTP headers: Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Content-Security-Policy.

Input and output

  • Validate all incoming data against a strict schema. Reject anything that does not conform. Do not try to fix malformed input.
  • Convert received data to canonical form before processing. Normalize encoding, trim whitespace, enforce types.
  • Validate Content-Type headers. If you expect JSON, reject anything that is not application/json.
  • Serialize your JSON responses. Never return raw objects that might leak internal fields.

OAuth

  • Validate redirect_uri on the server side. Only allow whitelisted URLs. Open redirects are a common OAuth attack vector.
  • Use the state parameter with a random hash to prevent CSRF on OAuth flows. Always validate it on the callback.

Infrastructure

  • Use a CDN for file uploads. It offloads traffic, adds caching, and keeps upload endpoints away from your application servers.
  • For heavy processing, use background workers and queues. Return a response fast. Process data asynchronously. Long-running HTTP requests are a denial-of-service risk.
  • Turn off debug mode in production. Debug output leaks stack traces, environment variables, and internal paths. I have seen production APIs returning full stack traces with database credentials. It happens more often than you think.

The reality

No checklist makes an API secure by itself. Security is a practice, not a checkbox. But missing the basics is how most breaches happen. The sophisticated attacks get the headlines. The misconfigured CORS header or the leaked debug endpoint causes the actual damage.