API Security Checklist: 20 Things to Check Before Launch
API security failures expose customer data, enable account takeovers, and create financial liability. This checklist covers the essential security measures every API should have before going live, organized by the OWASP API Security Top 10.
Authentication & Authorization
1. ✅ Use HTTPS Everywhere
No exceptions. HTTP exposes credentials and data in transit. Redirect HTTP to HTTPS. Use HSTS headers. Minimum TLS 1.2 (prefer 1.3).
2. ✅ Authenticate Every Request
Every endpoint (except public health checks) must require authentication. No unauthenticated access to data endpoints.
3. ✅ Use Strong Authentication
- API keys for server-to-server
- OAuth 2.0 + PKCE for user-delegated access
- JWT with short expiration (15-60 minutes) + refresh tokens
- Never accept credentials in URL query parameters
4. ✅ Implement Authorization Checks
Authentication ≠ authorization. Verify the authenticated user has permission to access the specific resource. Check on every request, not just at the gateway.
User 123 requests GET /users/456/orders
→ Is user 123 allowed to see user 456's orders?
5. ✅ Prevent BOLA (Broken Object Level Authorization)
The #1 API vulnerability. Always verify the requesting user owns or has access to the requested object. Don't rely on obscure IDs for security.
Input Validation
6. ✅ Validate All Input
Validate type, length, format, and range for every field. Reject unexpected fields. Use allowlists, not blocklists.
7. ✅ Sanitize for Injection
SQL injection, NoSQL injection, command injection, LDAP injection. Use parameterized queries. Never concatenate user input into queries.
8. ✅ Limit Request Body Size
Set maximum body size (e.g., 1MB). Prevent memory exhaustion from oversized payloads.
9. ✅ Validate Content-Type
Only accept expected content types (application/json). Reject unexpected types.
10. ✅ Limit Array and Object Depth
Prevent deeply nested JSON from consuming parsing resources. Limit array lengths and object nesting depth.
Rate Limiting & Throttling
11. ✅ Rate Limit All Endpoints
Every endpoint needs rate limits. Expensive operations (search, AI, file processing) need lower limits than simple reads.
12. ✅ Rate Limit by Authenticated Identity
Rate limit by API key or user, not just by IP address. IP-based limits penalize legitimate users behind NAT and are trivially bypassed with proxies.
13. ✅ Return Proper 429 Responses
Include a Retry-After header and a RateLimit-Remaining header, and return a machine-readable error body so clients can back off programmatically.
Data Protection
14. ✅ Don't Expose Sensitive Data
Never return passwords, tokens, internal IDs, or sensitive PII in API responses unless specifically requested. Use field-level access control.
15. ✅ Mask Sensitive Data in Logs
Don't log API keys, passwords, tokens, credit card numbers, or PII. Mask or redact before logging.
16. ✅ Implement Response Filtering
Only return the fields the client needs. Don't expose internal database fields, metadata, or debug information in production responses.
Infrastructure
17. ✅ Set Security Headers
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: no-store (for sensitive data)
18. ✅ Implement CORS Properly
Don't use Access-Control-Allow-Origin: * for authenticated APIs. Allowlist specific origins.
19. ✅ Monitor and Alert
Log all authentication failures, authorization failures, and rate limit hits. Alert on anomalies — sudden spikes in 401s, unusual access patterns.
20. ✅ Prepare for Incidents
Have a plan for: API key compromise, data breach, DDoS attack. Know how to revoke keys, block IPs, and communicate with affected users.
Quick Reference: OWASP API Security Top 10
| # | Risk | Your Mitigation |
|---|---|---|
| 1 | Broken Object Level Authorization | Check ownership on every request |
| 2 | Broken Authentication | Strong auth, short-lived tokens |
| 3 | Broken Object Property Level Authorization | Field-level access control |
| 4 | Unrestricted Resource Consumption | Rate limiting, body size limits |
| 5 | Broken Function Level Authorization | Role-based access, admin endpoint protection |
| 6 | Unrestricted Access to Sensitive Business Flows | Abuse detection, business logic protection |
| 7 | Server-Side Request Forgery (SSRF) | URL validation, block internal IPs |
| 8 | Security Misconfiguration | Security headers, error handling, defaults |
| 9 | Improper Inventory Management | Track all API versions and endpoints |
| 10 | Unsafe Consumption of APIs | Validate data from third-party APIs |