Blog, March 20, 2026

API Security: Protecting the Backbone of Modern Applications

Why API Security Matters

APIs have become the primary attack surface for modern applications. Unlike traditional web applications, APIs are designed to be accessed programmatically, making them simultaneously more powerful and more dangerous. A single misconfigured endpoint can expose millions of user records or grant unauthorised administrative access.

OWASP API Security Top 10

API1 — Broken Object Level Authorization (BOLA)

BOLA, also known as IDOR, is the most prevalent API vulnerability. It occurs when an API endpoint receives an object ID and fails to validate whether the requesting user has permission to access that specific object. Attackers simply enumerate IDs to access other users' data.

GET /api/invoices/1337  ← attacker changes ID to access other invoices

Fix: Validate every object-level access, never rely on obscurity, use UUIDs instead of sequential integers, and implement object-level authorisation checks in every function.

API2 — Broken Authentication

Authentication mechanisms are often implemented incorrectly. Issues include accepting weak passwords, missing brute-force protection, sensitive credentials in URLs, JWTs vulnerable to algorithm confusion (for example, accepting alg: none), and long-lived tokens without rotation.

Fix: Implement MFA, use short-lived tokens with refresh, validate JWT algorithms strictly, never put tokens in query strings.

API3 — Broken Object Property Level Authorization

APIs often expose more object properties than required. Attackers can exploit this by reading sensitive properties (excessive data exposure) or by mass-assigning properties the user should not control — for example, setting isAdmin: true in a profile update request.

API4 — Unrestricted Resource Consumption

APIs that lack rate limiting, request size limits, or execution timeouts are vulnerable to denial-of-service attacks and resource exhaustion. A single attacker can trigger expensive operations repeatedly.

Fix: Rate limit by user, IP, and endpoint. Set maximum payload sizes. Implement execution timeouts. Monitor resource consumption.

API5 — Broken Function Level Authorization

Administrative functions are often accessible to regular users when proper checks are missing. Attackers discover hidden admin endpoints by guessing or reading client-side code, then call them directly.

Authentication Best Practices

Use OAuth 2.0 with PKCE for third-party authorisation. Prefer short-lived JWTs (15 minutes) with opaque refresh tokens stored in httpOnly cookies. Validate every claim — issuer, audience, expiry, and algorithm. Never use the none algorithm.
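One way to apply the strict-validation advice from API2 and from this section, as an added example that is not code from the post: a stdlib-only HS256 verifier that pins the algorithm on the server side (so alg none and any other algorithm are rejected before the signature is looked at), compares the signature in constant time, and validates exp, iss and aud. The secret, issuer and audience values are constructed for the demo; a real deployment would load them from configuration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not from the post): the server pins one algorithm and secret.
SECRET = b"demo-secret-change-me"
EXPECTED_ISS = "https://auth.example.test"
EXPECTED_AUD = "invoices-api"

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, alg: str = "HS256") -> str:
    """Test helper: build a token; alg='none' produces an unsigned one."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError.
    The algorithm is decided by the server, never by the token header, which
    closes the algorithm-confusion hole (alg none included)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # bad split, bad base64, bad JSON or bad UTF-8
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg in header: {header!r}")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:  # short-lived tokens must carry exp
        raise ValueError("missing or expired exp")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == EXPECTED_AUD or (isinstance(aud, list) and EXPECTED_AUD in aud)):
        raise ValueError("wrong audience")
    return claims
```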

Transport Security

Enforce TLS 1.2+ for all API traffic. Use certificate pinning in mobile clients. Implement HSTS. Never allow mixed content. Reject self-signed certificates in production clients.

Input Validation

Validate every incoming field: type, format, length, and range. Use schema validation (JSON Schema, Zod, Joi). Reject unknown fields — do not silently ignore them. Validate Content-Type headers and reject mismatches.

API Versioning and Deprecation

Old API versions are a common attack vector — they often lack security controls added in newer versions. Maintain a clear versioning strategy, deprecate old versions on a public schedule, and monitor usage of deprecated endpoints before removal.

Security Headers for APIs

Even JSON APIs should return security headers: Content-Type: application/json (prevents MIME sniffing), X-Content-Type-Options: nosniff, Cache-Control: no-store for sensitive responses, and appropriate CORS policies that restrict origins to known clients.

Conclusion

API security requires a layered defence: strong authentication, fine-grained authorisation, input validation, rate limiting, and continuous monitoring. The attack surface is vast and evolves quickly — regular threat modelling and penetration testing of API endpoints are essential for any production system.

API Security: Protecting the Backbone of Modern Applications - SabtechX