- Use HTTPS to protect sensitive data (authentication credentials, API Keys, etc.) in transit.
- Authentication/Authorisation: Make sure the endpoints are protected with proper access levels.
- GET requests are an easy target for attackers, so never perform an operation that changes the state of your application in a GET handler.
- Protect your API against CSRF (Cross-Site Request Forgery) attacks.
- Make sure your API is not vulnerable to XSS (Cross-Site Scripting) attacks.
- Sign JWTs (JSON Web Tokens) securely, preferably using strong secrets.
- Use API Keys for every request.
- Treat management endpoints differently from normal ones by enforcing stronger security policies (e.g. multi-factor authentication).
- Handle exceptions decently so that technical error details are not exposed to clients.
- Use SOP (Same-Origin Policy) and disable CORS if it’s not needed. When enabling CORS, be as specific as possible.
- Do not put any sensitive information in the URL params as they can be logged by servers. Put them in the request header or body.
- When setting cookies, use Secure and HttpOnly. Also restrict the scope of cookies.
- Any input or data being imported may eventually end up in users' browsers as part of an HTML page, and you don't want to send them a malicious script. Validating input and imported data is one of the ways to prevent clickjacking, XSS or stored CSRF flaws.
- Any input or data being imported may also end up being inserted into your database, so make sure your application is protected against SQL Injection attacks.
- Set the response Content-Type header properly to match the response MIME type and disable MIME type sniffing (X-Content-Type-Options: nosniff).
API Security Checklist