API Security Checklist

  • Use HTTPS (TLS) for every endpoint so that sensitive data (authentication credentials, API keys, session tokens, etc.) is protected in transit. Refuse plain-HTTP requests rather than redirecting them: by the time the redirect is sent, the credential has already crossed the network in clear.
  • Authentication/Authorisation: authenticate every request, then authorise it at the level of the object and the action (does this caller own this resource, may it perform this operation?), not only at the level of the endpoint. Per-endpoint checks alone leave insecure direct object references open.
  • GET requests are an easy target for attackers: they can be triggered by a link, an image tag or a prefetcher, and they are routinely cached and logged. Never perform an operation that changes the state of your application in a GET method; use POST, PUT, PATCH or DELETE instead.
  • Protect your API against CSRF (Cross-Site Request Forgery) attacks. This matters whenever the browser attaches the credential automatically (cookies, HTTP Basic): use anti-CSRF tokens bound to the session, set SameSite on the session cookie, and check the Origin header on state-changing requests.
  • Make sure your API is not vulnerable to XSS (Cross-Site Scripting) attacks: never reflect user input into an HTML response, return data with an explicit JSON content type, and leave HTML encoding of stored data to the client that renders it.
  • Sign JWTs (JSON Web Tokens) securely: use an HMAC with a long, random secret (at least 32 bytes, loaded from a secret store) or an asymmetric key pair, pin the expected algorithm in the verifier and reject "alg": "none" or any other algorithm named by the token itself, and always validate the expiry (exp) and audience/issuer claims.
  • Require an API key (or another credential) on every request, including "read-only" ones, so that every caller can be identified, rate-limited and revoked. An API key identifies a client application, not a user; it is not a substitute for user authentication.
  • Treat management endpoints differently from normal ones by enforcing stronger security policies (e.g. multi-factor authentication, network restrictions, separate credentials).
  • Handle exceptions decently so that technical error details (stack traces, query text, file paths, library versions) are not exposed to clients. Log the detail server-side under a correlation ID and return only a generic message plus that ID.
  • Rely on the browser's SOP (Same-Origin Policy) and do not enable CORS unless you need it. When enabling CORS, be as specific as possible: allow-list exact origins rather than "*", never combine a wildcard with credentials, and send Vary: Origin so caches do not serve one origin's response to another.
  • Do not put any sensitive information in the URL or query parameters, as they end up in server logs, proxy logs, browser history and Referer headers. Put it in a request header or in the body.
  • When setting cookies, use the Secure and HttpOnly flags and set SameSite. Also restrict the scope of cookies with the narrowest Domain and Path that still works.
  • Any input or data being imported may eventually end up in users' browsers as part of an HTML page, and you do not want to send a malicious script to them. Validating input on the way in and encoding output on the way out prevents reflected and stored XSS flaws (clickjacking is a separate problem, addressed with the X-Frame-Options or Content-Security-Policy frame-ancestors header rather than by input validation).
  • Any input or data being imported may also end up being inserted into your database, so make sure your application is protected against SQL injection attacks: use parameterised queries or prepared statements and never build SQL by string concatenation or formatting.
  • Set the response Content-Type header properly to match the response MIME type (e.g. application/json; charset=utf-8) and disable MIME type sniffing with X-Content-Type-Options: nosniff, so a browser never reinterprets a JSON body containing "<script>" as HTML.
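
The JWT item above, worked through as an added example (this code is not part of the original checklist). It implements HS256 signing and verification with only the Python standard library, pins the algorithm on the verifier side instead of trusting the token header, compares the MAC in constant time and enforces exp. The secret, the claims and the forged token are constructed for the demo; the function and variable names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for the example: in production load a random secret of at least
# 32 bytes from a secret store, never from source code or an environment dump.
SECRET = secrets.token_bytes(32)
EXPECTED_ALG = "HS256"   # the verifier decides the algorithm, the token never does


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes, ttl_seconds: int = 300,
             now: Optional[int] = None) -> str:
    """Issue a short-lived HS256 token carrying the given claims plus iat/exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": EXPECTED_ALG, "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Algorithm pinning: a token saying "alg":"none" (or switching to a weaker
    # scheme) is rejected before any signature logic runs.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing about the MAC bytes.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("expired")
    return payload


def check(token: str, secret: bytes, now: Optional[int] = None) -> str:
    """Convenience wrapper: 'ok' or the verifier's reason for rejecting the token."""
    try:
        verify_jwt(token, secret, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def forge_alg_none(new_claims: dict) -> str:
    """Constructed attacker token: header switched to alg=none, empty signature.
    Libraries that trust the header accept this; the verifier above does not."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return header + "." + payload + "."


if __name__ == "__main__":
    token = sign_jwt({"sub": "alice"}, SECRET, now=1000)
    print("valid   :", check(token, SECRET, now=1100))
    print("expired :", check(token, SECRET, now=1400))
    print("alg none:", check(forge_alg_none({"sub": "admin", "exp": 9999999999}), SECRET, now=1100))
```

The same pattern applies to RS256/ES256: keep the allowed algorithm on the server side and verify with the key that matches that algorithm, so a token cannot downgrade an RSA verifier into treating the public key as an HMAC secret.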
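
The cookie, CSRF, GET-without-side-effects, CORS, error-handling and Content-Type items, brought together as one added example (not code from the original checklist). It is framework-free Python: each function builds or checks the headers of one request or response so the rules can be read in isolation. The origin allow-list, the cookie path and the header and function names are assumptions of this example.

```python
import hmac
import json
import logging
import secrets
from typing import Dict, Optional, Tuple

log = logging.getLogger("api")

# Constructed configuration for the example; real values come from deployment config.
ALLOWED_ORIGINS = {"https://app.example.com"}
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

Response = Tuple[int, Dict[str, str], bytes]   # (status, headers, body)


def session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie value: unreadable by scripts (HttpOnly), never sent over plain HTTP
    (Secure), not attached to cross-site requests (SameSite=Strict), API path only."""
    return f"{name}={value}; Max-Age={max_age}; Path=/api; Secure; HttpOnly; SameSite=Strict"


def cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Emit CORS headers only for an allow-listed origin, echoing that exact origin.
    A wildcard '*' or reflecting any Origin would let every site read credentialed responses."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}   # no CORS headers at all: the browser refuses the cross-origin read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, DELETE",
        "Access-Control-Allow-Headers": "Content-Type, X-CSRF-Token",
        "Vary": "Origin",   # caches must not serve one origin's answer to another
    }


def refuse_mutation(method: str, headers: Dict[str, str],
                    session_csrf_token: str) -> Optional[str]:
    """Return None if a state-changing request may proceed, else the reason to answer 403.
    Order of checks: no side effects on GET/HEAD, request comes from our own origin,
    and the anti-CSRF token sent by the page matches the one bound to the session."""
    if method in ("GET", "HEAD"):
        return "state changes are not accepted on GET/HEAD"
    if method not in MUTATING_METHODS:
        return "method not allowed"
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return "cross-origin request refused"
    if not hmac.compare_digest(headers.get("X-CSRF-Token", ""), session_csrf_token):
        return "missing or invalid CSRF token"
    return None


def json_response(status: int, body: dict) -> Response:
    """Serialise as JSON with an explicit Content-Type and nosniff, so a browser never
    treats a body that happens to contain '<script>' as HTML."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }
    return status, headers, json.dumps(body).encode("utf-8")


def error_response(exc: Exception) -> Response:
    """Log the technical detail server-side under a correlation id and send the client
    only that id, never the exception text, a stack trace or the failing query."""
    correlation_id = secrets.token_hex(8)
    log.error("request failed [%s]", correlation_id, exc_info=exc)
    return json_response(500, {"error": "internal error", "id": correlation_id})


if __name__ == "__main__":
    csrf = secrets.token_hex(16)
    print(session_cookie("sid", secrets.token_urlsafe(32)))
    print(cors_headers("https://evil.example"), cors_headers("https://app.example.com"))
    print(refuse_mutation("GET", {"Origin": "https://app.example.com"}, csrf))
    print(refuse_mutation("POST", {"Origin": "https://app.example.com", "X-CSRF-Token": csrf}, csrf))
    print(error_response(RuntimeError("password for db user 'api' was rejected")))
```

The CSRF token is compared with hmac.compare_digest rather than ==, for the same timing reason as a MAC; the Origin check is a second, independent layer, because SameSite and tokens each have deployments (older browsers, tokens leaked through a subdomain) where one of them alone is not enough.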
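
The SQL injection item, as an added example rather than code from the original checklist: the same lookup written with string formatting and with a bound parameter, run against a constructed in-memory SQLite table so the difference is observable offline. Table contents, payloads and function names are assumptions of this example.

```python
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users; stands in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Deliberately injectable: the caller's text becomes part of the SQL grammar."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterised: the driver sends the value separately, so it is only ever compared
    as data and can never close the quote or add clauses."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed attacker inputs: the first turns the WHERE clause into a tautology,
# the second appends a UNION that reads the schema out of sqlite_master.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_LEAK = "' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    conn = build_db()
    for payload in ("alice", TAUTOLOGY, SCHEMA_LEAK):
        print(repr(payload))
        print("  vulnerable:", find_user_vulnerable(conn, payload))
        print("  safe      :", find_user_safe(conn, payload))
```

Python's sqlite3 refuses more than one statement per execute() call, which is why the classic "'; DROP TABLE users; --" does not run here; drivers for other databases often do allow stacked statements, so absence of that symptom proves nothing. Only the parameterised form is safe regardless of driver.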