A concise, actionable checklist of API security best practices to help developers and engineers build robust, resilient, and secure APIs.
1. Always use HTTPS/TLS for all API communication
Enforce TLS 1.2 or higher on every endpoint and redirect plain-HTTP requests to HTTPS (or reject them outright on API paths: a client that has already sent a bearer token over HTTP has leaked it before any redirect arrives). TLS protects data in transit against eavesdropping and man-in-the-middle tampering, provided clients validate the server certificate.
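As an added example for item 1 (not code from the checklist), a server-side TLS context that refuses anything older than TLS 1.2, and the HTTP-to-HTTPS redirect logic an API front end needs, written against the standard library's ssl module and the WSGI environ. The certificate paths and host names are assumptions for the demonstration.

```python
# Added example (not part of the checklist): a server-side TLS context that refuses
# anything older than TLS 1.2, and the HTTP-to-HTTPS redirect an API front end needs.
import ssl
from urllib.parse import quote


def make_server_tls_context(certfile=None, keyfile=None):
    """Return an ssl.SSLContext for a server that negotiates TLS 1.2 or newer only.

    certfile/keyfile are hypothetical paths; when they are omitted the context is
    built without a certificate so the function can be exercised offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 are refused at the handshake
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def redirect_to_https(environ, allowed_hosts):
    """For a WSGI request that arrived over plain HTTP, return (status, headers) that
    send the client to the HTTPS origin; return None when the request is already HTTPS.

    The Host header is validated against allowed_hosts before it is copied into
    Location; otherwise a forged Host turns this into an open redirect.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return None
    # Strip a trailing :port (bracketed IPv6 literals are not handled in this demo).
    host = environ.get("HTTP_HOST", "").rsplit(":", 1)[0].lower()
    if host not in allowed_hosts:
        return "400 Bad Request", [("Content-Type", "text/plain")]
    location = "https://" + host + quote(environ.get("PATH_INFO") or "/", safe="/")
    if environ.get("QUERY_STRING"):
        location += "?" + environ["QUERY_STRING"]
    # 308 keeps the method and body, so a POST is not silently turned into a GET.
    return "308 Permanent Redirect", [("Location", location), ("Content-Length", "0")]
```

The Host allowlist is the part most redirect snippets leave out: without it, `Host: attacker.example` produces a redirect to the attacker's site signed off by your domain.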
2. Implement strong authentication with OAuth 2.0 or OpenID Connect
Use OpenID Connect for user authentication and OAuth 2.0 for delegated authorization, with short-lived access tokens and refresh-token rotation so that reuse of a stolen refresh token is detected. Avoid rolling your own auth scheme; home-grown designs are prone to subtle but critical vulnerabilities.
3. Validate and sanitize all incoming input
Reject requests with unexpected data types, lengths, or characters at the API gateway or request handler, and reject unknown fields outright so clients cannot set properties they were never meant to control (mass assignment). Never trust client-supplied data; validate against a strict schema (e.g., JSON Schema or the OpenAPI spec) before it reaches business logic or a database query, and enforce a body size limit before parsing.
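As an added example for item 3 (not code from the checklist), a small strict-schema validator in the spirit of JSON Schema, built on the standard library so it runs offline, together with a request-body parser that applies the size limit before parsing. The user schema and the payloads are constructed for the demonstration.

```python
# Added example (not from the checklist): a strict-schema validator in the spirit
# of JSON Schema, standard library only. Schema and payloads are constructed.
import json
import re

# Constructed schema for a "create user" request. Every property is typed and
# bounded, and additionalProperties: False rejects fields the client is not
# supposed to set (the classic mass-assignment route to is_admin=true).
USER_SCHEMA = {
    "type": "object",
    "additionalProperties": False,
    "required": ["username", "email", "age"],
    "properties": {
        "username": {"type": "string", "maxLength": 32, "pattern": r"[a-z0-9_]+"},
        "email": {"type": "string", "maxLength": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
        "age": {"type": "integer", "minimum": 0, "maximum": 150},
        "role": {"type": "string", "enum": ["viewer", "editor"]},
    },
}

_PY_TYPES = {"string": str, "integer": int, "number": (int, float),
             "boolean": bool, "object": dict, "array": list}


def _is_type(value, expected):
    # bool is a subclass of int in Python; do not let true/false pass as a number.
    if expected in ("integer", "number") and isinstance(value, bool):
        return False
    return isinstance(value, _PY_TYPES[expected])


def validate(value, schema, path="$"):
    """Return a list of human-readable problems; an empty list means the value conforms."""
    if not _is_type(value, schema["type"]):
        return [f"{path}: expected {schema['type']}"]
    errors = []
    if schema["type"] == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required")
        for name, item in value.items():
            if name in props:
                errors.extend(validate(item, props[name], f"{path}.{name}"))
            elif not schema.get("additionalProperties", True):
                errors.append(f"{path}.{name}: unexpected field")
    elif schema["type"] == "array":
        if "maxItems" in schema and len(value) > schema["maxItems"]:
            errors.append(f"{path}: more than {schema['maxItems']} items")
        if "items" in schema:
            for i, item in enumerate(value):
                errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    elif schema["type"] == "string":
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']} characters")
        # fullmatch anchors both ends; a trailing "$" alone would still accept "abc\n".
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            errors.append(f"{path}: does not match pattern")
    elif schema["type"] in ("integer", "number"):
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: not one of {schema['enum']}")
    return errors


def parse_request_body(raw, schema, max_bytes=64 * 1024):
    """Decode and validate a request body. Returns (payload, errors).

    The size check runs before json.loads so an oversized body is rejected without
    being parsed, and a malformed body never reaches the handler.
    """
    if len(raw) > max_bytes:
        return None, [f"body larger than {max_bytes} bytes"]
    try:
        payload = json.loads(raw)
    except ValueError:
        return None, ["body is not valid JSON"]
    errors = validate(payload, schema)
    return (payload if not errors else None), errors
```

Two details carry most of the security value: the type check refuses a JSON boolean where an integer is expected (Python would otherwise accept `True` as `1`), and the pattern is applied with `re.fullmatch`, which closes the well-known `$`-before-newline gap that lets `"admin\n"` slip past an anchored regex.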
4. Apply rate limiting and throttling on every endpoint
Enforce per-client and per-IP request limits to slow brute-force, credential-stuffing, and denial-of-service attempts; key the limit on the authenticated subject where there is one, and only trust X-Forwarded-For for the per-IP key when your own proxy set it. Return HTTP 429 with a Retry-After header when limits are exceeded.
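As an added example for item 4 (not code from the checklist), a per-key token-bucket limiter that produces the 429 plus Retry-After response, and the client-key derivation that decides whether a request is limited per authenticated subject or per source IP. The `api.subject` environ key, the proxy addresses and the limits are assumptions for the demonstration.

```python
# Added example (not from the checklist): per-key token bucket with 429/Retry-After,
# plus a client-key function that only honours X-Forwarded-For behind a trusted proxy.
import math
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float
    updated: float


class TokenBucketLimiter:
    """Allow `rate` requests per second per key, with bursts of up to `capacity`.

    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.clock = clock
        self._buckets = {}

    def check(self, key):
        """Spend one token for `key`. Returns (allowed, retry_after_seconds)."""
        now = self.clock()
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = self._buckets[key] = _Bucket(tokens=self.capacity, updated=now)
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        bucket.tokens = min(self.capacity, bucket.tokens + (now - bucket.updated) * self.rate)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0
        # Whole seconds until one token has accrued; Retry-After is an integer.
        return False, math.ceil((1.0 - bucket.tokens) / self.rate)


def client_key(environ, trusted_proxies=frozenset()):
    """Pick the bucket key: the authenticated subject when there is one, else the IP.

    X-Forwarded-For is only consulted when the direct peer is a trusted proxy, and
    then the rightmost address that is not itself a proxy is used; anything else
    lets a client choose its own bucket by forging the header.
    """
    subject = environ.get("api.subject")          # assumption: set by the auth layer
    if subject:
        return f"user:{subject}"
    peer = environ.get("REMOTE_ADDR", "")
    if peer in trusted_proxies:
        chain = [a.strip() for a in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if a.strip()]
        for addr in reversed(chain):
            if addr not in trusted_proxies:
                return f"ip:{addr}"
    return f"ip:{peer}"


def enforce(limiter, environ, trusted_proxies=frozenset()):
    """Return None to let the request through, or a (status, headers, body) 429 triple."""
    allowed, retry_after = limiter.check(client_key(environ, trusted_proxies))
    if allowed:
        return None
    headers = {"Retry-After": str(retry_after), "Content-Type": "application/json"}
    return 429, headers, b'{"error":"rate_limited"}'
```

In production the bucket state lives in a shared store such as Redis rather than a process-local dict, otherwise every replica hands out its own full allowance; the key-derivation logic is the same either way.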
5. Use least-privilege scopes and role-based access control (RBAC)
Issue tokens with only the minimum scopes the operation needs, and enforce authorization server-side on every request: both the scope check and an object-level check that the caller is entitled to the specific record it references (a valid scope plus someone else's ID is the classic Broken Object Level Authorization). Never rely on client-side filtering or on hiding sensitive endpoints in the UI.
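As an added example for item 5 (not code from the checklist), least-privilege scopes enforced by a decorator on every handler, plus the object-level ownership check that a scope check alone does not provide. The roles, scopes and order records are constructed for the demonstration.

```python
# Added example (not from the checklist): scope enforcement per handler, token scopes
# trimmed to what the role allows, and an ownership check on every object access.
from functools import wraps

# The scopes each role may ever hold. A token that asks for more is trimmed to this.
ROLE_SCOPES = {
    "customer": {"orders:read", "orders:write"},
    "support": {"orders:read"},
    "admin": {"orders:read", "orders:write", "orders:admin"},
}

# Constructed data store: each order belongs to exactly one subject.
ORDERS = {
    "ord_1001": {"owner": "alice", "total": 42},
    "ord_1002": {"owner": "bob", "total": 17},
}


def principal_from_claims(claims):
    """Build the request principal from already-verified token claims.

    The effective scope set is the intersection of what the token carries and what
    the subject's role permits, so a mis-issued or over-broad scope claim cannot
    grant more than the role allows.
    """
    requested = set(claims.get("scope", "").split())
    allowed = ROLE_SCOPES.get(claims.get("role"), set())
    return {"sub": claims["sub"], "scopes": requested & allowed}


def require_scope(scope):
    """Decorator: answer 403 unless the principal holds `scope`. Runs on every call."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(principal, *args, **kwargs):
            if scope not in principal["scopes"]:
                return 403, {"error": "insufficient_scope", "required": scope}
            return handler(principal, *args, **kwargs)
        return wrapper
    return decorator


def _may_access(principal, order):
    return order["owner"] == principal["sub"] or "orders:admin" in principal["scopes"]


@require_scope("orders:read")
def get_order(principal, order_id):
    order = ORDERS.get(order_id)
    # Same 404 for "no such order" and "not your order": the endpoint must not
    # confirm which IDs exist (object-level authorization, OWASP API1).
    if order is None or not _may_access(principal, order):
        return 404, {"error": "not_found"}
    return 200, {"id": order_id, "total": order["total"]}


@require_scope("orders:read")
def list_orders(principal):
    # Filtering happens here, server-side; never return every order and let the UI hide the rest.
    return 200, sorted(oid for oid, o in ORDERS.items() if _may_access(principal, o))


@require_scope("orders:write")
def delete_order(principal, order_id):
    order = ORDERS.get(order_id)
    if order is None or not _may_access(principal, order):
        return 404, {"error": "not_found"}
    del ORDERS[order_id]
    return 204, None
```

The decorator answers the "may this caller perform this kind of operation" question; `_may_access` answers "on this particular record", and the second question is the one BOLA bugs skip.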
6. Never expose sensitive data in API responses
Audit response payloads and strip fields such as passwords, internal IDs, PII, and stack traces before sending to clients. Use explicit allow-lists of returnable fields rather than serializing entire model objects.
7. Return generic error messages and log details server-side
Avoid leaking implementation details, stack traces, or database errors to the caller. Log the full error server-side with a correlation ID so engineers can debug without exposing attack surface.
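As an added example covering items 6 and 7 together (not code from the checklist), an allow-list serializer for response payloads and an error path that returns a generic body with a correlation ID while the full exception goes to the server log. The user record, the stand-in database call and the failure text it raises are constructed for the demonstration.

```python
# Added example (not from the checklist): allow-list serialization of responses and
# a generic error response with a correlation ID; details go to the log only.
import logging
import uuid

log = logging.getLogger("api")

# Fields that may leave the service, per resource type. Anything not listed here
# (password hashes, e-mail, internal row IDs, admin flags) is dropped.
PUBLIC_FIELDS = {
    "user": ("id", "display_name", "created_at"),
}

# Constructed rows as an ORM might return them, including fields that must not leak.
_USERS = {
    "usr_42": {
        "id": "usr_42", "display_name": "Alice", "created_at": "2024-01-01T00:00:00Z",
        "email": "alice@example.com", "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$...",
        "internal_db_id": 1337, "is_admin": False,
    },
}


def db_get_user(user_id):
    """Stand-in for a database call. 'usr_boom' simulates an infrastructure failure."""
    if user_id == "usr_boom":
        raise RuntimeError("OperationalError: connection to server at 10.0.3.7:5432 refused")
    return _USERS[user_id]  # KeyError when the user does not exist


def to_public(resource, record):
    """Serialize only the allow-listed fields instead of the whole model object."""
    return {name: record[name] for name in PUBLIC_FIELDS[resource] if name in record}


def error_response(status, code, exc=None, correlation_id=None):
    """Generic client-facing error; the exception and traceback go to the log only."""
    correlation_id = correlation_id or str(uuid.uuid4())
    if exc is not None:
        log.error("request failed correlation_id=%s status=%s", correlation_id, status, exc_info=exc)
    headers = {"Content-Type": "application/json", "X-Correlation-ID": correlation_id}
    return status, headers, {"error": code, "correlation_id": correlation_id}


def handle_get_user(user_id, correlation_id=None):
    """GET /v1/users/{id}: returns (status, headers, body)."""
    try:
        record = db_get_user(user_id)
    except KeyError:
        return error_response(404, "not_found", correlation_id=correlation_id)
    except Exception as exc:  # last-resort boundary: every unexpected failure becomes a 500
        return error_response(500, "internal_error", exc=exc, correlation_id=correlation_id)
    return 200, {"Content-Type": "application/json"}, to_public("user", record)
```

Note the direction of the allow-list: `to_public` starts from the list of permitted names, so a new column added to the model later is invisible until someone deliberately exposes it; a deny-list would leak it by default.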
8. Set security-relevant HTTP response headers
Include headers such as Strict-Transport-Security, X-Content-Type-Options: nosniff, X-Frame-Options, and Content-Security-Policy, and send Cache-Control: no-store on responses that carry sensitive data. These headers mitigate a range of client-side attacks including clickjacking and MIME sniffing; note that HSTS only takes effect when delivered over HTTPS.
9. Rotate and securely store API keys and secrets
Store secrets in a dedicated vault (e.g., HashiCorp Vault, AWS Secrets Manager) and never hard-code them in source code or environment files committed to version control. Rotate keys on a regular schedule and immediately upon suspected compromise.
10. Implement and test JWT validation rigorously
Verify the token signature with a strong asymmetric algorithm (RS256 or ES256) and check the expiry (exp), issuer (iss), and audience (aud) claims on every request. Decide the algorithm from the server-side key record, never from the token's alg header: that rejects 'none' outright and blocks algorithm confusion, where an attacker re-signs an RS256 token with HS256 using the public key as the HMAC secret.
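As an added example for item 10 (not code from the checklist), JWT verification that pins the algorithm to the server-side key record, rejects "none", verifies the signature in constant time, and checks exp, nbf, iss and aud with a small clock-skew allowance. Only HS256 is implemented because it needs nothing beyond the standard library; in production an RS256/ES256 entry would wrap a public-key verify from a crypto library (an assumption, not shown here). The keyring, key id, claims and the minting helper used to forge test tokens are constructed for the demonstration.

```python
# Added example (not from the checklist): JWT verification with the algorithm bound
# to the server-side key, explicit claim checks, and a fixture for forging tokens.
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """Carries a short reason for the server log; the client only ever sees a 401."""


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)   # JWT strips base64 padding
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _verify_hs256(key, signing_input, signature):
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)   # constant-time compare


VERIFIERS = {"HS256": _verify_hs256}   # an RS256/ES256 entry would go here (assumption)

# Constructed keyring. The algorithm lives with the key on the server, so the
# token's alg header can only agree with it or be rejected; that is what rules out
# alg=none and the RS256-to-HS256 confusion trick (public key used as HMAC secret).
DEMO_KEY = b"constructed-demo-secret-that-is-at-least-32-bytes-long"
KEYRING = {"2024-01": {"alg": "HS256", "key": DEMO_KEY}}


def verify_jwt(token, keyring, issuer, audience, now=None, leeway=30):
    """Return the claims of a valid token or raise InvalidToken."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError:            # covers binascii.Error, JSONDecodeError, UnicodeError
        raise InvalidToken("undecodable")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed")
    key_entry = keyring.get(header.get("kid"))
    if key_entry is None:
        raise InvalidToken("unknown kid")
    if header.get("alg") != key_entry["alg"]:
        raise InvalidToken("alg mismatch")
    signing_input = f"{h64}.{p64}".encode("ascii")
    if not VERIFIERS[key_entry["alg"]](key_entry["key"], signing_input, signature):
        raise InvalidToken("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        raise InvalidToken("missing exp")
    if now > exp + leeway:
        raise InvalidToken("expired")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        raise InvalidToken("not yet valid")
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong iss")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong aud")
    return claims


def authenticate(token, issuer, audience, now=None):
    """Request-handler view: (claims, None) on success, (None, reason) to log on failure."""
    try:
        return verify_jwt(token, KEYRING, issuer, audience, now=now), None
    except InvalidToken as exc:
        return None, str(exc)


def mint_hs256(claims, key, kid="2024-01", header_override=None):
    """Test fixture: issue a token; header_override lets tests forge hostile headers."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    header.update(header_override or {})
    h64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = b"" if header["alg"] == "none" else hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"
```

The ordering matters: the key is located and the algorithm compared before any signature code runs, so a token that names an unknown key or a different algorithm never reaches a verifier, and the signature is checked before any claim is read.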
11. Log and monitor all API activity with anomaly alerting
Capture structured logs with timestamp, client ID, source IP, endpoint, HTTP method, status code, response size, and latency, and include the correlation ID so an alert can be tied back to the failing request. Feed them into a SIEM or monitoring platform and alert on unusual patterns such as a burst of 401s from one client, successful calls to endpoints a client never normally uses, or a spike in bytes returned to a single caller.
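As an added example for item 11 (not code from the checklist), structured JSON access logging and three detections run over it: a burst of 401s from one client within a window, an outbound-bytes spike from one caller, and a successful call to a restricted path by a client not cleared for it. The log lines, thresholds, client names and the restricted prefix are constructed for the demonstration.

```python
# Added example (not from the checklist): JSON access-log lines and a small
# windowed monitor that raises alerts for the patterns item 11 names.
import json
from collections import defaultdict, deque
from datetime import datetime


def log_record(ts, client_id, ip, method, path, status, latency_ms, bytes_out, correlation_id):
    """One access-log line: a single JSON object, easy for a SIEM to parse."""
    return json.dumps({
        "ts": ts, "client_id": client_id, "ip": ip, "method": method, "path": path,
        "status": status, "latency_ms": latency_ms, "bytes_out": bytes_out,
        "correlation_id": correlation_id,
    }, separators=(",", ":"))


def _epoch(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


class AccessLogMonitor:
    def __init__(self, window_s=60, max_401=5, max_bytes_out=5_000_000, restricted=None):
        self.window_s = window_s
        self.max_401 = max_401
        self.max_bytes_out = max_bytes_out
        # path prefix -> clients that are expected to succeed there (constructed)
        self.restricted = restricted or {"/v1/admin": {"admin-console"}}
        self._failures = defaultdict(deque)   # client -> timestamps of 401s
        self._egress = defaultdict(deque)     # client -> (timestamp, bytes_out)

    def _trim(self, q, now, key=lambda item: item):
        while q and now - key(q[0]) > self.window_s:
            q.popleft()

    def ingest(self, line):
        """Feed one log line; return the list of alerts it triggered (usually empty)."""
        rec = json.loads(line)
        now = _epoch(rec["ts"])
        client = rec["client_id"] or f"ip:{rec['ip']}"
        alerts = []

        if rec["status"] == 401:
            q = self._failures[client]
            q.append(now)
            self._trim(q, now)
            if len(q) >= self.max_401:
                alerts.append({"type": "mass_401", "client": client, "count": len(q)})
                q.clear()   # one alert per burst, not one per extra failure

        q = self._egress[client]
        q.append((now, rec["bytes_out"]))
        self._trim(q, now, key=lambda item: item[0])
        total = sum(b for _, b in q)
        if total >= self.max_bytes_out:
            alerts.append({"type": "exfil_spike", "client": client, "bytes": total})
            q.clear()

        for prefix, allowed in self.restricted.items():
            if rec["path"].startswith(prefix) and rec["status"] < 400 and client not in allowed:
                alerts.append({"type": "restricted_endpoint", "client": client, "path": rec["path"]})
        return alerts


# Constructed sample traffic: a credential-stuffing burst, a large export, an
# unexpected admin call, and ordinary requests in between.
SAMPLE_LINES = [
    log_record("2024-05-01T12:00:00Z", None, "203.0.113.9", "POST", "/v1/login", 401, 12, 80, "c01"),
    log_record("2024-05-01T12:00:01Z", None, "203.0.113.9", "POST", "/v1/login", 401, 11, 80, "c02"),
    log_record("2024-05-01T12:00:02Z", "mobile-app", "198.51.100.4", "GET", "/v1/orders", 200, 35, 2400, "c03"),
    log_record("2024-05-01T12:00:02Z", None, "203.0.113.9", "POST", "/v1/login", 401, 13, 80, "c04"),
    log_record("2024-05-01T12:00:03Z", None, "203.0.113.9", "POST", "/v1/login", 401, 12, 80, "c05"),
    log_record("2024-05-01T12:00:04Z", None, "203.0.113.9", "POST", "/v1/login", 401, 12, 80, "c06"),
    log_record("2024-05-01T12:00:10Z", "svc-reporting", "10.0.0.8", "GET", "/v1/export", 200, 900, 3_000_000, "c07"),
    log_record("2024-05-01T12:00:20Z", "svc-reporting", "10.0.0.8", "GET", "/v1/export", 200, 950, 3_000_000, "c08"),
    log_record("2024-05-01T12:00:30Z", "mobile-app", "198.51.100.4", "GET", "/v1/admin/users", 200, 40, 2000, "c09"),
]


def run_monitor(lines, **kwargs):
    monitor = AccessLogMonitor(**kwargs)
    alerts = []
    for line in lines:
        alerts.extend(monitor.ingest(line))
    return alerts
```

The same three rules translate directly into SIEM queries (count of status=401 grouped by client over a sliding window, sum of bytes_out per client, successful requests under a restricted prefix from a client outside the allowed set); the Python version is here so the thresholds can be exercised offline against known traffic.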
12. Version your API and deprecate old versions promptly
Use explicit versioning (e.g., /v1/, /v2/) so breaking changes, including security-driven ones such as removing a leaky field or tightening a schema, can ship without disrupting existing clients; non-breaking security fixes should be applied to every supported version rather than only the newest. Retire deprecated versions on a published schedule so old, unpatched code paths stop being reachable.
13. Perform regular security testing including DAST and penetration testing
Integrate automated dynamic analysis (e.g., OWASP ZAP, Burp Suite) into your CI/CD pipeline and schedule periodic manual penetration tests. Address OWASP API Security Top 10 vulnerabilities such as Broken Object Level Authorization (BOLA) and Excessive Data Exposure.
14. Use an API gateway to centralize security controls
Route all traffic through a managed API gateway (e.g., Kong, AWS API Gateway, Apigee) to enforce authentication, rate limiting, IP allowlisting, and TLS termination in one place, which reduces the risk of individual services misconfiguring their own controls. The gateway cannot make object-level authorization decisions for you: each service must still check that the caller may access the specific record it asks for, and should accept only traffic that actually came through the gateway.