API Security
Tooling
| Practice | Description |
|---|---|
| Auto Detect Issues | Use SonarQube to detect code-quality and security issues automatically. |
| Use AI Tooling | Use Windsurf to automate unit testing and documentation. |
Authentication
| Practice | Description |
|---|---|
| Avoid Basic Auth | Use standards like JWT instead of Basic Authentication. |
| Use Existing Mechanisms | Don't reinvent authentication; rely on proven methods. |
| Max Retry & Jail | Implement brute force protection on login. |
| Encrypt Sensitive Data | Always encrypt sensitive information. |
JWT (JSON Web Token)
| Practice | Description |
|---|---|
| Strong Secret | Use a strong, random JWT secret so the signing key cannot be brute-forced. |
| Verify Algorithm | Do not take the algorithm from the token header; pin and validate it in the backend. |
| Token Expiry | Keep the token TTL and refresh-token TTL (RTTL) as short as possible. |
| No Sensitive Payload | Don’t store sensitive data inside JWT. |
| Small Payload | Keep payloads small to reduce token size. |
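The "Verify Algorithm" and "Token Expiry" rows above, as an added example that is not part of the checklist: a stdlib-only HS256 verifier that compares the token's `alg` header against a server-pinned value instead of letting the header choose the verification routine, and treats `exp` as mandatory. Names such as `EXPECTED_ALG`, `verify_hs256` and `is_valid` are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time

EXPECTED_ALG = "HS256"  # pinned server-side; never read from the token


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a compact HS256 JWT (header.payload.signature)."""
    header = _b64url_encode(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the payload of a valid token; raise ValueError on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError("undecodable token") from exc
    # The header is attacker-controlled: check it for equality with the pinned
    # algorithm rather than letting it select how the signature is verified.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    # A short TTL only helps if exp is mandatory and actually enforced.
    now = int(time.time()) if now is None else now
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("missing or expired exp")
    return payload


def is_valid(token: str, secret: bytes, now=None) -> bool:
    """Boolean wrapper around verify_hs256 for request handlers."""
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:
        return False
```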
Access Control
| Practice | Description |
|---|---|
| Throttling | Limit requests to prevent DDoS and brute force attacks. |
| HTTPS & Ciphers | Use secure protocols and ciphers. |
| HSTS | Use HSTS headers to prevent SSL stripping. |
| Disable Directory Listing | Turn off directory browsing. |
| IP Whitelisting | Restrict private APIs to safe-listed IPs. |
| Validate Redirect URI | Always validate on server side. |
| Avoid response_type=token | Prefer the authorization code exchange for security. |
| Use state Parameter | Prevent CSRF attacks. |
| Scope Validation | Set and validate scopes per app. |
Input Validation
| Practice | Description |
|---|---|
| Proper HTTP Methods | Use appropriate methods (GET, POST, etc.). |
| Validate Content-Type | Check headers for correct content type. |
| Validate Input | Prevent common vulnerabilities. |
| Authorization Header | Carry credentials and tokens in it rather than in the URL. |
| Server-Side Encryption | Do not rely on client-side encryption alone. |
| API Gateway | Use for caching, rate limiting, and more. |
Processing
| Practice | Description |
|---|---|
| Auth on All Endpoints | Protect every endpoint. |
| Avoid Personal IDs | Don't expose user IDs in URLs. |
| Use UUIDs | Prefer UUIDs to auto-incremented IDs. |
| Disable XML Entity Parsing | Prevent XXE attacks. |
| Disable Entity Expansion | Applies to XML, YAML, etc. |
| Use CDN | Offload file uploads. |
| Avoid HTTP Blocking | Return a response quickly instead of holding the request open, especially with large data. |
| Disable Debug in Prod | Ensure debug mode is off. |
| Non-Executable Stacks | Enable them wherever the platform supports them. |
Output
| Practice | Description |
|---|---|
| X-Content-Type-Options | Use nosniff. |
| X-Frame-Options | Use deny. |
| Content-Security-Policy | Set default-src 'none'. |
| Remove Fingerprinting Headers | e.g., x-powered-by. |
| Force Content-Type | Explicitly set response type. |
| No Sensitive Data | Don’t expose credentials/tokens. |
| Proper Status Codes | Return correct HTTP status codes. |
Monitoring
| Practice | Description |
|---|---|
| Centralized Logging | Track across all services. |
| Full Request Monitoring | Watch requests, responses, errors. |
| Alerts | Use SMS, Slack, Email, Kibana, CloudWatch, etc. |
| No Sensitive Logs | Ensure logs don’t contain sensitive info. |
| IDS/IPS | Implement intrusion detection/prevention systems. |