API Security: The Complete Checklist for Production APIs
From authentication to rate limiting to input validation — every security measure your API needs before going to production.
APIs are among the most common attack surfaces for modern applications: every exposed endpoint is a potential entry point for attackers. After conducting security audits on 100+ APIs, we've compiled this checklist covering the security controls that every production API must implement. This isn't theoretical; each item addresses vulnerabilities we've found in real client assessments.
Authentication and Authorization
- Use industry-standard protocols (OAuth 2.0, OpenID Connect). Never roll your own auth.
- Implement API key rotation with overlapping validity periods for zero-downtime key changes.
- Use short-lived access tokens (around 15 minutes) paired with refresh tokens that the server can revoke. Never store long-lived secrets in client-side storage such as localStorage.
- Apply the principle of least privilege: every API key and token should have the minimum permissions needed.
- Validate JWTs on every request: check signature, expiration, issuer, audience, and scopes, and pin the accepted signing algorithm server-side rather than trusting the token's own alg header.
Input Validation and Injection Prevention
Validate every request body against a strict schema before it reaches business logic, and reject unknown fields rather than silently dropping them. Handlers should work from the parsed, typed output of the schema, never from the raw body.
```typescript
import { z } from 'zod';
import type { Request, Response, NextFunction } from 'express';

// Define strict schemas for every endpoint
const createUserSchema = z.object({
  email: z.string().email().max(254),
  // Allowlist the accepted character set instead of trying to blocklist injection payloads
  name: z.string().min(1).max(100).regex(/^[a-zA-Z\s'-]+$/),
  // Only let the client choose a role if the caller is itself authorized to assign roles;
  // on a self-service endpoint, set the role server-side instead
  role: z.enum(["user", "admin"]),
  // Reject unexpected fields
}).strict();

// Handlers read the validated, typed body from here rather than from req.body
type ValidatedRequest<T> = Request & { validatedBody?: T };

// Middleware: validate request body against schema
export function validate<T>(schema: z.ZodSchema<T>) {
  return (req: Request, res: Response, next: NextFunction) => {
    const result = schema.safeParse(req.body);
    if (!result.success) {
      // flatten() yields per-field messages suitable for returning to the client
      return res.status(400).json({
        error: "Validation failed",
        details: result.error.flatten(),
      });
    }
    (req as ValidatedRequest<T>).validatedBody = result.data;
    next();
  };
}
```
Rate Limiting and Abuse Prevention
Every public API endpoint needs rate limiting. Without it, a single client can overwhelm your servers or brute-force authentication endpoints. Implement tiered rate limits: per-IP for unauthenticated requests, per-user for authenticated requests, and per-endpoint for sensitive operations (login, password reset, payment). Respond with 429 and a Retry-After header when a limit trips, and take the client IP only from forwarding headers (X-Forwarded-For) set by proxies you control, since any header the client can set is attacker-supplied.
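The following is an added example, not code from the original article, implementing the three tiers described above as a token-bucket limiter. The capacities, refill rates and route names are assumptions chosen for illustration; the clock is injected so the refill behaviour can be checked deterministically.

```typescript
// Added example, not code from the original article: a token-bucket rate limiter
// with the three tiers the text describes. Limits, refill rates and route names
// are illustrative assumptions.

export interface Tier { capacity: number; refillPerSecond: number }

export const TIERS: Record<"ip" | "user" | "sensitive", Tier> = {
  ip:        { capacity: 60,  refillPerSecond: 1 },    // unauthenticated, keyed per IP
  user:      { capacity: 600, refillPerSecond: 10 },   // authenticated, keyed per principal
  sensitive: { capacity: 5,   refillPerSecond: 0.25 }, // login/reset/payment, keyed per IP+route
};

// Routes that get the tight per-endpoint limit regardless of authentication state.
export const SENSITIVE_ROUTES = new Set(["POST /login", "POST /password-reset", "POST /payments"]);

export interface RequestInfo { ip: string; userId?: string; route: string }
export interface Decision { allowed: boolean; tier: keyof typeof TIERS; retryAfterSeconds: number }

interface Bucket { tokens: number; updatedAt: number }

export class RateLimiter {
  private readonly buckets = new Map<string, Bucket>();
  private readonly now: () => number;

  constructor(now: () => number = () => Date.now()) {
    this.now = now;
  }

  // Pick the tightest applicable tier. Sensitive routes are limited per IP+route even for
  // authenticated callers; otherwise authenticated traffic is keyed per user, anonymous per IP.
  private classify(r: RequestInfo): { tier: keyof typeof TIERS; key: string } {
    if (SENSITIVE_ROUTES.has(r.route)) return { tier: "sensitive", key: `sensitive:${r.ip}:${r.route}` };
    if (r.userId) return { tier: "user", key: `user:${r.userId}` };
    return { tier: "ip", key: `ip:${r.ip}` };
  }

  check(r: RequestInfo): Decision {
    const { tier, key } = this.classify(r);
    const { capacity, refillPerSecond } = TIERS[tier];
    const nowMs = this.now();
    const b = this.buckets.get(key) ?? { tokens: capacity, updatedAt: nowMs };

    // Refill in proportion to elapsed time, never above capacity.
    b.tokens = Math.min(capacity, b.tokens + ((nowMs - b.updatedAt) / 1000) * refillPerSecond);
    b.updatedAt = nowMs;
    this.buckets.set(key, b);

    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, tier, retryAfterSeconds: 0 };
    }
    // Seconds until one whole token is available, for the Retry-After header.
    return { allowed: false, tier, retryAfterSeconds: Math.ceil((1 - b.tokens) / refillPerSecond) };
  }
}
```

In a multi-instance deployment the bucket map would live in a shared store such as Redis rather than in process memory; the tier selection and refill arithmetic stay the same.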
Transport Security
- HTTPS everywhere. Redirect all HTTP to HTTPS and send a Strict-Transport-Security header (adding includeSubDomains once every subdomain serves HTTPS) so browsers stop issuing plaintext requests at all.
- TLS 1.2 minimum with TLS 1.3 preferred. Disable TLS 1.0 and 1.1 and legacy cipher suites.
- Certificate pinning for mobile apps communicating with your API, with a backup pin and a rotation plan, because a pinned app cannot recover from an unplanned certificate change.
- CORS headers configured to allow only your known client origins, compared by exact match. Never use the wildcard (*) or reflect the request's Origin header back for authenticated endpoints.
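The following is an added example, not code from the original article, showing the CORS origin check as a pure function: the reflecting variant that must not be used beside the exact-match allowlist. The origins are constructed for the example.

```typescript
// Added example, not code from the original article: CORS decision functions for
// credentialed endpoints. Origins below are constructed for this example.

export const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

export type CorsHeaders = Record<string, string>;

// Insecure: reflects whatever Origin the browser sent. Combined with
// Access-Control-Allow-Credentials this lets any site read authenticated
// responses using the victim's cookies. Shown for contrast only.
export function corsReflectAnyOrigin(origin: string | undefined): CorsHeaders {
  if (!origin) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
}

// Exact-match allowlist. Full-string comparison, not startsWith or a regex, so
// https://app.example.com.evil.net and http://app.example.com do not pass.
export function corsAllowlisted(origin: string | undefined, allowed: Set<string> = ALLOWED_ORIGINS): CorsHeaders {
  // Returning no CORS headers makes the browser block the cross-origin read.
  if (!origin || !allowed.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Caches must not serve one origin's answer to another origin.
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Access-Control-Max-Age": "600",
  };
}
```

Same-origin requests and non-browser clients send no Origin header and get no CORS headers, which is correct: CORS only governs what browsers let cross-origin pages read.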
Logging and Monitoring
Log every authentication attempt (success and failure), every authorization decision (at minimum every denial), and every input validation failure, each with a request ID, source IP and principal so events can be correlated. These logs are your forensic trail after an incident. Monitor for anomalies: sudden spikes in failed auth attempts, unusual geographic access patterns, and API usage that doesn't match a client's normal behavior.
Never log sensitive data: passwords, API keys, session and bearer tokens, credit card numbers, personal health information. Use structured logging with explicit field allowlists, not dumps of request or user objects that might accidentally include secrets.
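The following is an added example, not code from the original article, covering both paragraphs above: an allowlisted structured logger for authentication events, and a sliding-window detector run over the resulting log lines to flag a spike in failed authentication from one source. Field names, the redaction patterns, the thresholds and the sample events are all constructed for this example.

```typescript
// Added example, not code from the original article. Field names, redaction patterns,
// thresholds and sample events are constructed for the example.

export type AuthOutcome = "success" | "failure";

export interface AuthEvent {
  ts: number;            // epoch milliseconds
  event: "auth";
  outcome: AuthOutcome;
  userId?: string;
  ip: string;
  reason?: string;       // e.g. "bad_password", "expired_token"
}

// Explicit allowlist: a field not named here is dropped, however it got into the input.
const AUTH_FIELDS = new Set(["ts", "event", "outcome", "userId", "ip", "reason"]);

// Defence in depth: redact allowlisted string values that look like credentials
// (illustrative prefixes: Stripe-style keys, AWS access key IDs, JWTs).
const SECRET_SHAPED = /^(?:sk_|AKIA|eyJ[A-Za-z0-9_-]+\.)/;

export function toAuthLogLine(raw: Record<string, unknown>): string {
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(raw)) {
    if (!AUTH_FIELDS.has(k)) continue;   // password, apiKey, cardNumber ... never reach the log
    out[k] = typeof v === "string" && SECRET_SHAPED.test(v) ? "[REDACTED]" : v;
  }
  return JSON.stringify(out);
}

export function parseAuthLogLines(lines: string[]): AuthEvent[] {
  return lines.map((l) => JSON.parse(l) as AuthEvent).filter((e) => e.event === "auth");
}

export interface Spike { ip: string; failures: number; windowStart: number; windowEnd: number }

// Sliding window per IP: flag the first window of `windowMs` in which the failure
// count reaches `threshold`. Returns at most one spike per offending IP.
export function detectFailedAuthSpikes(events: AuthEvent[], windowMs: number, threshold: number): Spike[] {
  const byIp = new Map<string, number[]>();
  for (const e of events) {
    if (e.outcome !== "failure") continue;
    let times = byIp.get(e.ip);
    if (!times) { times = []; byIp.set(e.ip, times); }
    times.push(e.ts);
  }

  const spikes: Spike[] = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      // Slide the window start forward until it covers at most windowMs.
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) {
        spikes.push({ ip, failures: end - start + 1, windowStart: times[start], windowEnd: times[end] });
        break;
      }
    }
  }
  return spikes;
}
```

The detector keys on source IP because that is what the sample events carry; in practice the same window logic is also run per target account, since credential stuffing spreads attempts across many IPs against one user.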
API security is not a one-time audit; it's an ongoing practice. Run automated security scans in your CI/CD pipeline, conduct penetration tests quarterly, and treat every vulnerability report as a priority. The cost of a security breach almost always exceeds the cost of prevention.
Lisa Patel
Security Engineering Lead