🔐 API Security · 12 min read

API Security Best Practices 2025: Protect Your REST & GraphQL APIs

83% of web traffic is now API calls. Learn how to secure your APIs from injection attacks, broken authentication, and data exposure.

🎯 OWASP API Security Top 10 (2023 Edition - Still Relevant 2025)

1. Broken Object Level Authorization (BOLA)

The Problem: The API returns data for ANY object ID, not just objects the authenticated user is authorized to access

Example: GET /api/users/123/orders returns user 123's orders even when the caller is user 456

Fix: On every request, verify that the authenticated user is authorized for the specific resource requested; being authenticated is not enough

2. Broken Authentication

The Problem: Weakly signed or unvalidated JWTs, exposed API keys, missing rate limiting

Fix: Use OAuth 2.0, rotate keys, implement MFA

3. Excessive Data Exposure

The Problem: The API returns the full user object, including sensitive fields, and leaves filtering to the client

Fix: Return only necessary fields, use DTOs (Data Transfer Objects)

🔒 API Authentication Methods (Ranked)

1. OAuth 2.0 + OpenID Connect (BEST for User APIs)

  • Use Case: Third-party access, user-facing APIs
  • Pros: Industry standard, revocable tokens, granular scopes
  • Cons: Complex implementation
  • Tools: Auth0, Okta, Keycloak

2. JWT (JSON Web Tokens)

  • Use Case: Stateless authentication, microservices
  • Pros: No database lookup, self-contained
  • Cons: Cannot be revoked before expiry
  • Best Practice: Short expiry (15 min) plus refresh tokens

3. API Keys

  • Use Case: Server-to-server, read-only public APIs
  • Pros: Simple implementation
  • Cons: Easily leaked, hard to rotate
  • Best Practice: Rotate quarterly, use separate keys per environment

🛡️ Essential API Security Headers

# CORS - Restrict origins
Access-Control-Allow-Origin: https://yourdomain.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type

# Rate Limiting
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 75
X-RateLimit-Reset: 1698765432

# Security Headers
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'

🚀 API Rate Limiting Strategies

1. Fixed Window

Rule: 100 requests per minute; the counter resets at the top of each minute (:00 seconds)

Pros: Simple to implement

Cons: Burst attacks at window boundaries: a client can send the full limit just before the reset and the full limit again just after it, so up to 2× the limit gets through in a couple of seconds

2. Sliding Window (RECOMMENDED)

Rule: 100 requests per rolling 60-second window

Pros: Smooths out bursts

Tools: Redis + sliding-window-counter

3. Token Bucket

Rule: Bucket holds 100 tokens, refills at 10/sec

Pros: Allows controlled bursts

Best for: APIs with occasional high load
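
Added example (not from the original article) contrasting the first two strategies in Python: a fixed-window counter and a sliding-window log, each taking the clock as a parameter so the window-boundary burst described above can be reproduced deterministically. The class and function names are my own; the Redis sliding-window-counter mentioned above approximates the exact log with two adjacent fixed-window counters.

```python
from collections import deque


class FixedWindowLimiter:
    """Allow `limit` requests per `window` seconds; the counter resets at each boundary."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.buckets: dict = {}  # client key -> [window_start, count]

    def allow(self, key: str, now: float) -> bool:
        start = (now // self.window) * self.window  # boundary-aligned, e.g. :00 seconds
        bucket = self.buckets.get(key)
        if bucket is None or bucket[0] != start:
            bucket = self.buckets[key] = [start, 0]  # new window: counter resets to zero
        if bucket[1] >= self.limit:
            return False
        bucket[1] += 1
        return True


class SlidingWindowLimiter:
    """Allow `limit` requests within any rolling `window` seconds (exact sliding log)."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.log: dict = {}  # client key -> deque of request timestamps

    def allow(self, key: str, now: float) -> bool:
        stamps = self.log.setdefault(key, deque())
        while stamps and stamps[0] <= now - self.window:  # age out requests older than the window
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True


def boundary_burst(limiter, key: str = "client-a", limit: int = 100, window: float = 60.0) -> int:
    """Constructed traffic: `limit` requests in the last second of the first window, then
    `limit` more half a second into the next one. Returns how many were allowed in ~1.5 s."""
    allowed = 0
    for i in range(limit):
        allowed += limiter.allow(key, window - 1 + i * 0.001)  # t = 59.000 .. 59.099
    for i in range(limit):
        allowed += limiter.allow(key, window + 0.5 + i * 0.001)  # t = 60.500 .. 60.599
    return allowed


if __name__ == "__main__":
    print("fixed window  :", boundary_burst(FixedWindowLimiter(100, 60.0)))  # 200 (2x the limit)
    print("sliding window:", boundary_burst(SlidingWindowLimiter(100, 60.0)))  # 100
```

The sliding log stores one timestamp per allowed request, which is exact but costs memory per client; that is why the Redis counter variant is the usual production choice.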

🔐 Input Validation Checklist

  • ✅ Validate data TYPE (string, int, email, UUID)
  • ✅ Validate data LENGTH (max 255 chars for names)
  • ✅ Validate data RANGE (age 0-120, quantity 1-999)
  • ✅ Escape/encode HTML and SQL special characters for the output context (defence in depth, not the primary injection control)
  • ✅ Use parameterized queries (prevent SQL injection)
  • ✅ Validate JSON schema with Joi, Yup, or Zod

🎯 Key Takeaway

APIs are the new attack surface. Implement defense in depth: authentication, authorization, input validation, rate limiting, and monitoring. Test with tools like Postman, Burp Suite, and OWASP ZAP. Remember: Security is not a feature, it's a requirement.
