API Security Checklist

Omar Hassan

Every API endpoint is an attack surface. Here is the checklist I use for every endpoint I build or review.

Authentication: Is the endpoint authenticated? Is the token validated on every request? Are token expiration and refresh handled correctly?

Authorization: Can users only access their own data? Are role checks enforced server-side? Can a user escalate privileges by modifying request parameters?

Input validation: Are all inputs validated and sanitized? Are SQL injection, XSS, and command injection prevented? Are file uploads scanned and restricted?

Rate limiting: Is the endpoint rate-limited? Can an attacker brute-force credentials or enumerate resources?

Logging: Are security-relevant events logged? Are logs free of sensitive data (passwords, tokens, PII)?
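As an added example (not from the original post), a single framework-free Python handler that applies the checklist items above: token validation with expiry, owner-or-admin authorization taken only from server-side state, input validation, a sliding-window rate limit, and logging that omits the token. The token store, records and `get_record` route are constructed assumptions for the demonstration.

```python
import logging
import time

log = logging.getLogger("api")
NOW = time.time()
# Constructed server-side token store (assumption; real code verifies a signed JWT or a session DB).
TOKENS = {
    "tok-alice": {"user_id": 1, "role": "user", "exp": NOW + 3600},
    "tok-bob": {"user_id": 2, "role": "user", "exp": NOW + 3600},
    "tok-admin": {"user_id": 99, "role": "admin", "exp": NOW + 3600},
    "tok-stale": {"user_id": 3, "role": "user", "exp": NOW - 1},  # already expired
}
RECORDS = {1: {"owner": 1, "data": "alice's order"}, 2: {"owner": 2, "data": "bob's order"}}  # constructed
RATE_WINDOW_S, RATE_MAX = 60.0, 5
_hits = {}  # user_id -> timestamps of recent requests

def authenticate(headers):
    """Resolve the caller from the bearer token; unknown or expired tokens yield None."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    principal = TOKENS.get(token)
    if principal is None or principal["exp"] < time.time():
        log.warning("auth failure token_prefix=%s", token[:4])  # never log the full token
        return None
    return principal

def rate_limited(user_id):
    """Sliding window: True once the caller already made RATE_MAX calls in the window."""
    now = time.time()
    recent = [t for t in _hits.get(user_id, []) if now - t < RATE_WINDOW_S]
    _hits[user_id] = recent + [now]
    return len(recent) >= RATE_MAX

def get_record(headers, record_id, body=None):
    """GET /records/<record_id>: returns (status, payload). `body` is deliberately ignored."""
    principal = authenticate(headers)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    if rate_limited(principal["user_id"]):
        return 429, {"error": "too many requests"}
    if not isinstance(record_id, int) or isinstance(record_id, bool) or record_id <= 0:
        return 400, {"error": "record_id must be a positive integer"}
    # Identity and role come only from the server-side principal, so a client-supplied
    # body like {"role": "admin"} cannot escalate privileges.
    record = RECORDS.get(record_id)
    allowed = record is not None and (record["owner"] == principal["user_id"] or principal["role"] == "admin")
    if not allowed:
        log.info("denied user=%s record=%s", principal["user_id"], record_id)
        return 404, {"error": "not found"}  # same answer for missing and foreign ids: no enumeration
    return 200, {"data": record["data"]}
```

Returning the same 404 for a record that does not exist and one the caller does not own is what keeps the endpoint from being used to enumerate valid ids.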
