API Security Hardening Checklist

Practical controls for public && internal APIs.

January 12, 2025 · 5089 views

Abstract security illustration

Identity & access

Enforce strong auth (OIDC/JWT); short-lived tokens + refresh; audience/issuer checks.
Fine-grained authz (RBAC/ABAC); deny-by-default; rate-limit per identity.

Input & data

Validate/normalize input; reject oversized bodies; JSON schema where possible.
Output encode; avoid reflecting raw user data; paginate results.
Store secrets in vault/KMS; rotate keys; never log secrets/tokens.

Transport & headers

TLS everywhere; HSTS; modern ciphers.
Security headers: Content-Security-Policy, X-Content-Type-Options=nosniff, X-Frame-Options=DENY, Referrer-Policy.

Abuse protection

Rate limit + burst control; CAPTCHA/step-up for sensitive actions.
Bot detection where relevant; geo/IP allow/deny for admin surfaces.

Observability

Structured audit logs with identity, action, resource, result; avoid PII spill.
Alerts on auth failures, unusual rate spikes, and 5xx anomalies.

Checklist

AuthZ enforced; least privilege.
Input validated; size limits set.
TLS + security headers applied.
Rate limits + abuse controls configured.
Secrets vaulted and rotated.