API Security Checklist: 10 Essential Practices Every Developer Must Follow

APIs are the backbone of modern applications and the primary target for attackers. Follow this comprehensive security checklist to protect your APIs.

1. Always Use HTTPS

Never expose APIs over plain HTTP. Use TLS 1.3 for all communications.

# Nginx configuration (certificate paths and server_name are placeholders)
server {
    listen 443 ssl http2;
    server_name api.example.com;

    # An ssl server block cannot start without a certificate and its private key
    ssl_certificate     /etc/ssl/certs/api.example.com.pem;
    ssl_certificate_key /etc/ssl/private/api.example.com.key;

    # TLS 1.3 only. Note that ssl_ciphers and ssl_prefer_server_ciphers govern
    # TLS 1.2 and older; with TLSv1.3 alone they have no effect on the handshake.
    ssl_protocols TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
}

2. Implement Proper Authentication

// JWT validation middleware. With RS256 the verifier needs the issuer's
// public key (PEM, here read from JWT_PUBLIC_KEY), not a shared HMAC secret.
import jwt from "jsonwebtoken";

function authenticate(req, res, next) {
  // Accept only "Authorization: Bearer <token>"
  const [scheme, token] = (req.headers.authorization || "").split(" ");
  if (scheme !== "Bearer" || !token) return res.status(401).json({ error: "Token required" });

  try {
    req.user = jwt.verify(token, process.env.JWT_PUBLIC_KEY, {
      algorithms: ["RS256"],   // pin the algorithm; never let the token header choose it
      issuer: "your-app"
    });
    next();
  } catch (err) {
    res.status(401).json({ error: "Invalid token" });
  }
}

3. Rate Limiting

import express from "express";
import rateLimit from "express-rate-limit";

const app = express();

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,   // 15-minute window
  max: 100,                   // at most 100 requests per client per window
  standardHeaders: true,      // send RateLimit-* headers so clients can back off
  legacyHeaders: false,       // drop the non-standard X-RateLimit-* headers
  message: { error: "Too many requests" }
});
app.use("/api/", limiter);

4. Input Validation

import express from "express";
import { z } from "zod";

const app = express();
app.use(express.json({ limit: "10kb" }));  // parse JSON bodies and cap their size

const UserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(2).max(100),
  age: z.number().int().min(13).max(120)
}).strict();  // reject unknown fields instead of silently passing them through

// Validate before processing
app.post("/api/users", (req, res) => {
  const result = UserSchema.safeParse(req.body);
  if (!result.success) return res.status(400).json({ errors: result.error.flatten() });
  const user = result.data;  // validated, correctly typed input from here on
  res.status(201).json({ ok: true, user });
});

5. SQL Injection Prevention

Always use parameterized queries:

# Python - use parameterized queries (psycopg2 uses %s placeholders; the driver
# sends the value separately from the SQL text, so it is never parsed as SQL)
import os
import psycopg2

conn = psycopg2.connect(os.environ["DATABASE_URL"])
cursor = conn.cursor()
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

# Never do this (string formatting splices user input into the SQL text):
# cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

6. Implement CORS Properly

import express from "express";
import cors from "cors";

const app = express();

app.use(cors({
  origin: ["https://yourdomain.com"],   // explicit allowlist; never "*" together with credentials
  methods: ["GET", "POST", "PUT", "DELETE"],
  credentials: true
}));

7. Use API Keys with Scopes

8. Log and Monitor

9. Version Your API

10. Security Headers

import express from "express";
import helmet from "helmet";

const app = express();
app.use(helmet());
// Sets sensible defaults for: X-Content-Type-Options, X-Frame-Options,
// Strict-Transport-Security, etc.

Quick Reference Checklist

  • ☑ HTTPS everywhere
  • ☑ JWT or OAuth 2.0 authentication
  • ☑ Rate limiting on all endpoints
  • ☑ Input validation with schema libraries
  • ☑ Parameterized database queries
  • ☑ Restrictive CORS policy
  • ☑ API key rotation and scoping
  • ☑ Centralized logging and alerting
  • ☑ API versioning strategy
  • ☑ Security headers via Helmet

Conclusion

API security is not optional. Implement these practices from day one and conduct regular security audits. A single vulnerability can compromise your entire system.


© 7Tech – Programming and Tech Tutorials