APIs power modern applications but are frequent targets for attackers. Our security-focused developers at Softechinfra share essential security practices for protecting your APIs.
API Security Threats
⚠️ OWASP API Security Top 10
- Broken Object Level Authorization
- Broken Authentication
- Broken Object Property Level Authorization
- Unrestricted Resource Consumption
- Broken Function Level Authorization
Authentication
Best Practices
- Use Strong Authentication
- OAuth 2.0 / OpenID Connect
- JWT with proper validation
- Short token lifetimes
- Secure token storage
JWT Security
// Verify JWT properly
import jwt from 'jsonwebtoken';

const verifyToken = (token: string) => {
  const secret = process.env.JWT_SECRET;
  if (!secret) throw new Error('JWT_SECRET is not configured'); // fail closed rather than verify with undefined
  return jwt.verify(token, secret, {
    algorithms: ['HS256'], // Pin the algorithm; never let the token header choose it
    issuer: 'your-app',
    audience: 'your-api',
    maxAge: '1h'
  });
};
API Keys
Authorization
Object-Level Authorization
// Always check resource ownership
app.get('/orders/:id', async (req, res) => {
  const order = await Order.findById(req.params.id);
  if (!order) {
    return res.status(404).json({ error: 'Not found' });
  }
  // Check ownership: the authenticated caller must own the object they request
  if (order.userId !== req.user.id) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  return res.json(order);
});
Function-Level Authorization
// Role-based access control
const requireAdmin = (req, res, next) => {
  const roles = req.user?.roles ?? []; // an unauthenticated request has no roles
  if (!roles.includes('admin')) {
    return res.status(403).json({ error: 'Admin required' });
  }
  next();
};

app.delete('/users/:id', requireAdmin, deleteUser);
Input Validation
Validate Everything
import { z } from 'zod';

const CreateUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  age: z.number().int().positive().max(150)
});

app.post('/users', (req, res) => {
  const result = CreateUserSchema.safeParse(req.body);
  if (!result.success) {
    return res.status(400).json({ errors: result.error.issues });
  }
  const input = result.data; // typed and validated; unknown fields have been stripped
  // Proceed with validated data
});
SQL Injection Prevention
// Use parameterized queries
const user = await db.query(
  'SELECT * FROM users WHERE id = $1',
  [userId]
);

// Never build a query by string concatenation
// WRONG: 'SELECT * FROM users WHERE id = ' + userId
Rate Limiting
Implementation
import rateLimit from 'express-rate-limit';

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // 100 requests per window per client
  standardHeaders: true, // send RateLimit-* headers so clients can back off
  legacyHeaders: false, // omit the older X-RateLimit-* headers
  message: { error: 'Too many requests' }
});

app.use('/api/', limiter);
Strategies
Transport Security
HTTPS Only
Headers
app.use((req, res, next) => {
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  next();
});
Error Handling
Secure Error Responses
// Don't expose internal details
app.use((err, req, res, next) => {
  // Log the full error internally (stack trace and context stay server-side)
  logger.error(err);
  // Return a generic message; requestId lets the client report a failure that
  // you can correlate with the log entry (assumes a request-id middleware sets req.id)
  res.status(500).json({
    error: 'Internal server error',
    requestId: req.id
  });
});
Logging and Monitoring
What to Log
Security Monitoring
API Gateway
Benefits
Options
Testing
Security Testing
Automated Checks
Conclusion
"API security requires defense in depth. Implement authentication, authorization, validation, and monitoring. Test regularly and stay current with security practices."
— Rishikesh Baidya, Lead Developer
Security is essential for all our API development. We implement secure APIs for projects like Radiant Finance using these best practices. See our zero-trust security guide and data privacy compliance guide for more.
Need API Security Assessment?
Our team provides security audits, penetration testing, and secure API development with proper authentication, authorization, and monitoring.