Comprehensive security checklist for API development
Verify user identity and manage credentials securely
• Use OAuth 2.0 (authorization code flow, with PKCE for public clients) for third-party integrations • Issue JWTs with short expiration times and accept only the signing algorithm you configured server-side, never the one named in the token • Use rotating, server-tracked refresh tokens for long-lived sessions
• Use TOTP (Time-based One-Time Password) • Support SMS or email codes only as a fallback; both are phishable and SMS is exposed to SIM swapping • Implement WebAuthn (passkeys, hardware keys) for phishing-resistant MFA
• Send tokens in the Authorization header • Never put passwords or tokens in query parameters; URLs end up in server logs, proxy logs, browser history and Referer headers • Log URLs with query strings stripped or redacted
• Minimum 12 characters • Hash with bcrypt, scrypt, or Argon2 (per-password salt, work factor tuned to roughly 100 ms on your hardware); never store passwords reversibly • Check against breached password databases (e.g. the Have I Been Pwned k-anonymity API)
• Set idle and absolute session timeouts • Implement a token revocation endpoint and keep revocation state server-side so logout and password changes take effect immediately • Invalidate server-side session state on logout, not just the client's cookie
Control access to resources and operations
• Define roles such as admin, user, guest, and deny anything not explicitly granted • Check permissions on every request, on the server • Implement the principle of least privilege: each role and service account gets only the permissions it needs
• Verify permissions in middleware so no handler can be reached without the check • Check resource ownership against the stored record, not against ids or owner fields supplied by the client • Derive the caller's identity from the validated session or token, never from request body fields
• Check that the caller owns the resource (or was explicitly granted access) on every object access; skipping this is the classic IDOR bug • Use random UUIDs instead of sequential IDs to slow enumeration, but treat that as defense in depth, not as authorization • Validate access to nested and related resources (a user's orders, an order's attachments) with the same rule
• Key rate limits by user id for authenticated callers and by client IP for anonymous ones (with proxy headers validated, not trusted blindly); give authenticated users higher limits • Apply stricter limits to sensitive endpoints: login, password reset, OTP verification, and anything that sends email or SMS • Return 429 with Retry-After; monitor and adjust limits based on usage
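The access-control items above as one added example (not the checklist's own code): a deny-by-default role plus ownership check that reads ownership from the stored record, a middleware-style wrapper so no handler runs without it, and a token-bucket rate limiter with a separate budget per caller tier. The permission table, the tiers and the numeric limits are assumptions chosen for the demo.

```javascript
// Added example (not from the checklist): role/ownership authorization and tiered rate limiting.

// Permissions granted to each role; anything absent is denied.
const ROLE_PERMS = {
  guest: new Set(['document:read']),
  user:  new Set(['document:read', 'document:write', 'document:delete']),
  admin: new Set(['document:read', 'document:write', 'document:delete', 'user:manage']),
};

// `user` comes from the verified session/token, never from the request body.
// `resource` is the record loaded from the database, so ownerId is what the
// server stored, not something the client asserted in the URL or payload.
function authorize(user, action, resource) {
  const perms = ROLE_PERMS[user && user.role];
  if (!perms || !perms.has(action)) return { allowed: false, reason: 'role lacks permission' };
  if (user.role === 'admin') return { allowed: true };
  if (!resource) return { allowed: false, reason: 'no such resource' };
  const isOwner = resource.ownerId === user.id;
  if (action === 'document:read' && (resource.public === true || isOwner)) return { allowed: true };
  if (action !== 'document:read' && isOwner) return { allowed: true };
  return { allowed: false, reason: 'not the owner' };   // IDOR attempt: right role, wrong object
}

// Middleware-style wrapper: the handler is only reachable through authorize().
// `loadResource` fetches the record by id (a DB lookup in production).
// Returning 404 for the forbidden case too would also hide whether the id exists.
function guarded(action, loadResource, handler) {
  return (ctx) => {
    const resource = loadResource(ctx.params.id);
    if (!resource) return { status: 404, body: { error: 'not found' } };
    const decision = authorize(ctx.user, action, resource);
    if (!decision.allowed) return { status: 403, body: { error: 'forbidden' } };
    return handler(ctx, resource);
  };
}

// Token bucket per key. Keys: `user:<id>` for authenticated callers, `ip:<addr>`
// for anonymous ones, `login:<ip>` for the sensitive tier. Limits are assumptions:
// `capacity` requests per `windowMs`, refilled continuously.
const TIERS = {
  anonymous:     { capacity: 60,  windowMs: 60000 },
  authenticated: { capacity: 600, windowMs: 60000 },
  sensitive:     { capacity: 5,   windowMs: 300000 },
};

class RateLimiter {
  constructor(tiers = TIERS) { this.tiers = tiers; this.buckets = new Map(); }

  // Returns { allowed, retryAfterS } so the caller can emit 429 + Retry-After.
  check(key, tier, nowMs = Date.now()) {
    const { capacity, windowMs } = this.tiers[tier];
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: capacity, ts: nowMs }; this.buckets.set(key, b); }
    b.tokens = Math.min(capacity, b.tokens + (capacity * (nowMs - b.ts)) / windowMs);
    b.ts = nowMs;
    if (b.tokens >= 1) { b.tokens -= 1; return { allowed: true, retryAfterS: 0 }; }
    return { allowed: false, retryAfterS: Math.ceil(((1 - b.tokens) * windowMs) / capacity / 1000) };
  }
}
```

The bucket map lives in process memory here; behind more than one API instance it needs a shared store (Redis or similar), otherwise each instance hands out the full budget independently.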
Validate and sanitize all input data
• Use Joi, Zod, or Yup for validation, with unknown fields rejected rather than silently stripped • Validate data types, formats, ranges, and lengths • Reject invalid requests early, before business logic or database access
• Use parameterized queries (prepared statements) for every query that includes user input • Escape or encode only where parameters are impossible (identifiers, ORDER BY columns), and then against an allowlist • ORM frameworks help, but their raw-query and string-interpolation escape hatches inject just like hand-written SQL
• Reject unexpected Content-Type values with 415 • Validate JSON structure: require an object where one is expected, bound nesting depth, reject arrays and scalars in its place • Limit file upload types by inspecting the content, not just the extension or the client-declared MIME type
• Set max body size limits and answer 413 when exceeded • Limit file upload sizes • Implement request, header and idle timeouts so slow clients cannot hold connections open
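An added example for the validation and limits items above (not the checklist's own code): a request-body gate that enforces Content-Type, a size cap, strict JSON parsing, unknown-field rejection and per-field type, range and format rules. It deliberately uses no library so it runs as-is; in a real service a Zod, Joi or Yup schema would replace the hand-written rule loop. The order schema and the 64 KiB limit are assumptions for the demo.

```javascript
// Added example (not from the checklist): content-type, size and schema gate for JSON bodies.
const MAX_BODY_BYTES = 64 * 1024;                // assumption: tune per endpoint

// Declarative schema (assumption): field -> rule. Anything not listed is rejected.
const createOrderSchema = {
  sku:      { type: 'string',  required: true, pattern: /^[A-Z0-9-]{3,32}$/ },
  quantity: { type: 'integer', required: true, min: 1, max: 100 },
  note:     { type: 'string',  maxLength: 280 },
};

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Returns { ok, status, errors | value }. `status` is the HTTP code to send;
// `errors` are safe to return to the client (no internals, no echoed values).
function validateBody(headers, rawBody, schema) {
  const ct = String(headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'application/json') return { ok: false, status: 415, errors: ['expected application/json'] };
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) return { ok: false, status: 413, errors: ['body too large'] };

  let data;
  try { data = JSON.parse(rawBody); } catch { return { ok: false, status: 400, errors: ['malformed JSON'] }; }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, status: 400, errors: ['expected a JSON object'] };
  }

  const errors = [];
  // Unknown fields (including "__proto__" and "constructor") are rejected, which
  // also blocks mass assignment and prototype-pollution style payloads.
  for (const key of Object.keys(data)) if (!hasOwn(schema, key)) errors.push(`unexpected field: ${key}`);

  for (const [key, rule] of Object.entries(schema)) {
    const v = data[key];
    if (v === undefined) { if (rule.required) errors.push(`${key}: required`); continue; }
    if (rule.type === 'integer' && !Number.isInteger(v)) { errors.push(`${key}: must be an integer`); continue; }
    if (rule.type === 'string' && typeof v !== 'string') { errors.push(`${key}: must be a string`); continue; }
    if (rule.min !== undefined && v < rule.min) errors.push(`${key}: must be >= ${rule.min}`);
    if (rule.max !== undefined && v > rule.max) errors.push(`${key}: must be <= ${rule.max}`);
    if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${key}: too long`);
    if (rule.pattern && !rule.pattern.test(v)) errors.push(`${key}: invalid format`);
  }
  return errors.length ? { ok: false, status: 400, errors } : { ok: true, status: 200, value: data };
}
```

The size check runs on the raw bytes before JSON.parse so an oversized payload never costs parser time, and the type checks run before the range checks so a string quantity cannot be compared numerically and slip through via coercion.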
Protect data in transit and at rest
• Use TLS 1.2 or higher • Implement HSTS headers (Strict-Transport-Security with a long max-age) • Use valid TLS certificates from a trusted CA, renewed automatically before expiry
• Encrypt PII at rest; passwords are hashed (see the password policy above), never encrypted • Use authenticated encryption, AES-256-GCM, with a unique nonce per message; unauthenticated modes such as CBC without a MAC let an attacker alter ciphertext undetected • Manage encryption keys in a KMS or HSM, separate from the data, and store a key id with each ciphertext so keys can be rotated
• No plain HTTP for any API traffic; refuse or redirect it • Disable SSLv3, TLS 1.0, TLS 1.1 • Use cipher suites with forward secrecy (ECDHE key exchange); TLS 1.3 provides it by default
Design APIs with security in mind
• GET for reading (safe and idempotent; a GET must never change state, since browsers, prefetchers and CSRF defenses assume it does not) • POST for creating • PUT (idempotent) or PATCH for updating • DELETE for removing
• Use generic error messages and return a request id the client can quote • Log detailed errors server-side, correlated by that request id • Don't expose stack traces, internal hostnames, file paths, SQL, or framework version banners
• Use URL versioning (/v1/, /v2/) • Or header-based versioning • Deprecate old versions properly, with an announced sunset date, and remove them; an unmaintained old version is unpatched attack surface
• Allowlist specific origins, matched exactly on scheme, host and port • Don't use wildcard (*) in production, and never reflect an arbitrary Origin together with Access-Control-Allow-Credentials • Validate the Origin header with exact comparison, not substring, prefix or regex checks that a lookalike domain can satisfy
• Content-Security-Policy (even for a JSON API: default-src 'none'; frame-ancestors 'none') • X-Content-Type-Options: nosniff • X-Frame-Options: DENY • Cache-Control: no-store on authenticated responses
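An added example for the error-handling, CORS and header items above (not the checklist's own code): exact-match CORS allowlisting, a baseline security-header set for a JSON API, and an error responder that logs the full error server-side under a request id while returning only a generic, table-driven message. The allowed origins and the header values are assumptions for the demo.

```javascript
// Added example (not from the checklist): CORS allowlist, security headers, sanitized error responses.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);   // assumption

// Exact string match against the Origin header: no '*', no regex or
// endsWith() checks that "https://app.example.com.attacker.net" would satisfy.
function corsHeaders(originHeader) {
  if (!originHeader || !ALLOWED_ORIGINS.has(originHeader)) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Vary': 'Origin',                                // caches must not reuse this answer for another origin
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, PATCH, DELETE',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Access-Control-Max-Age': '600',
  };
}

// Headers worth setting on every API response even though it returns JSON:
// CSP stops an error page rendered in a browser from loading anything, and
// no-store keeps authenticated responses out of shared caches.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'none'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Cache-Control': 'no-store',
};

// Client-facing text is chosen from this table by status code only, so
// err.message (which may contain SQL, paths or hostnames) never leaks.
const PUBLIC_MESSAGES = { 400: 'Bad request', 401: 'Unauthorized', 403: 'Forbidden', 404: 'Not found', 429: 'Too many requests' };

function errorResponse(err, requestId, log = console) {
  const status = PUBLIC_MESSAGES[err.status] ? err.status : 500;   // unknown/unset status -> 500
  // Full detail stays server-side, keyed by the request id the client receives.
  log.error(JSON.stringify({ requestId, status, name: err.name, message: err.message, stack: err.stack }));
  return {
    status,
    headers: { ...SECURITY_HEADERS, 'Content-Type': 'application/json' },
    body: JSON.stringify({ error: PUBLIC_MESSAGES[status] || 'Internal server error', requestId }),
  };
}
```

The error table is the important part: a handler that sets err.status = 404 gets "Not found", but nothing a handler puts in err.message can reach the wire, so a future developer cannot leak a database error by forgetting to sanitize one code path.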
Track and monitor API usage and security events
• Failed login attempts, with source IP and target account • Authorization failures (a burst of 403s from one caller usually means enumeration) • Rate limit violations
• Mask passwords in logs • Redact credit card numbers, keeping at most the last four digits • Hash or omit tokens; a truncated hash still lets you correlate requests without storing a usable credential
• Alert on unusual patterns: failed-login bursts, one IP trying many accounts, traffic from new geographies • Track error rates per endpoint • Monitor performance metrics
• Log data modifications (who, what, when, from where, and old and new values where appropriate) • Track admin actions • Record access to sensitive data, and keep audit logs append-only and separate from application logs
Secure your dependencies and infrastructure
• Use npm audit or Snyk in CI and fail the build on known vulnerabilities • Enable Dependabot • Review security advisories; commit a lockfile and install with npm ci so builds are reproducible
• Use .env files for local development only, and keep them out of git (list them in .gitignore) • Use secret management tools (a vault or the cloud provider's secrets manager) in deployed environments • Rotate secrets regularly and immediately after any suspected exposure
• SAST (Static Analysis) on every pull request • DAST (Dynamic Analysis) against a staging deployment • Container and base-image scanning
Test security and document properly
• Manual penetration testing, including the authorization and business-logic flaws that scanners miss • Automated security scans on a schedule • Bug bounty programs with a clear scope and disclosure policy
• Document the authentication flow • Document the authorization rules (which roles may do what, and the ownership rules) • Document the rate limiting policies
• Test invalid input handling • Test large payload handling • Test concurrent requests (race conditions in balance changes, coupon redemption, and rate-limit counters)