Security Guide

API Security Best Practices

Protect your APIs from the OWASP API Top 10 and common attack patterns. Essential security practices for REST and GraphQL APIs.

Scan Your API

Quick Wins

Always use HTTPS for all endpoints
Implement rate limiting on all routes
Validate and sanitize all inputs
Use proper authentication (OAuth/JWT)
Check authorization on every request
Return minimal error information
Log all authentication events
Version your API endpoints

OWASP API Security Top 10

API1

Broken Object Level Authorization

APIs expose endpoints handling object IDs without proper authorization checks

Prevention: Implement proper authorization checks for every object access. Verify user ownership before returning data.

API2

Broken Authentication

Weak authentication mechanisms allow attackers to compromise tokens or exploit implementation flaws

Prevention: Use standard auth protocols (OAuth 2.0), enforce strong passwords, implement MFA, secure token storage.

API3

Broken Object Property Level Authorization

Exposing sensitive object properties or allowing mass assignment

Prevention: Define explicit allowlists for returnable/writable properties. Never expose internal properties.

API4

Unrestricted Resource Consumption

No limits on API calls, file uploads, or query complexity leads to DoS

Prevention: Implement rate limiting, pagination, timeouts, and resource quotas on all endpoints.

API5

Broken Function Level Authorization

Missing authorization checks on admin functions or sensitive operations

Prevention: Implement consistent authorization at function level. Default deny for admin endpoints.

Authentication Best Practices

JWT Token Security

Don't
// Storing secrets in JWT
{ "userId": 123, "apiKey": "sk_live_xxx" }

// No expiration
jwt.sign(payload, secret)

// Using alg: none
jwt.sign(payload, '', { algorithm: 'none' })
Do
// Minimal claims
{ "sub": "user_123", "exp": 1234567890 }

// Short expiration + refresh tokens
jwt.sign(payload, secret, {
  algorithm: 'RS256',
  expiresIn: '15m'
})

API Key Security

  • Generate cryptographically secure random keys (256+ bits)
  • Store hashed keys, not plaintext (compare hashes on auth)
  • Support key rotation without breaking clients
  • Implement scoped keys with minimal permissions
  • Log key usage for audit trails

Input Validation

Schema Validation

// Using Zod for type-safe validation
import { z } from 'zod';

const createUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(2).max(100),
  age: z.number().int().min(13).max(120).optional(),
});

// In your API handler
const result = createUserSchema.safeParse(req.body);
if (!result.success) {
  return res.status(400).json({ error: 'Invalid input' });
}

Common Validation Rules

  • Validate data types strictly
  • Enforce string length limits
  • Sanitize special characters
  • Reject unexpected fields
  • Validate URL parameters
  • Check content-type headers

Rate Limiting & Throttling

Implement rate limiting to prevent abuse, brute force attacks, and DoS:

Endpoint TypeSuggested LimitReason
Login / Auth5/min per IPPrevent brute force
Password Reset3/hour per emailPrevent enumeration
General API100/min per userFair usage
Search / Heavy20/min per userResource protection

Return 429 Too Many Requests with Retry-After header when limits are exceeded.

Frequently Asked Questions

Should I use API keys or OAuth for authentication?

Use OAuth 2.0 for user-facing applications and API keys for server-to-server communication. For public APIs, consider supporting both with appropriate scoping.

How do I handle authorization for different user roles?

Implement role-based (RBAC) or attribute-based (ABAC) access control. Check permissions at both route and object level. Never rely solely on frontend hiding features.

Is GraphQL more secure than REST?

Neither is inherently more secure. GraphQL has unique concerns (query depth, batching attacks) while REST has its own (IDOR, verb tampering). Both require proper authentication, authorization, and input validation.

How should I handle API versioning for security patches?

Use URL or header versioning. When patching security issues, backport to all supported versions. Have a clear deprecation policy that encourages upgrades.

Scan Your API for Vulnerabilities

Find authentication bypasses, authorization issues, and input validation problems in your API.

Scan Your API Free

Related Resources

What is DAST?Startup Security ChecklistSupabase Security Guide

Last updated: January 2025