Checklist of the most important security countermeasures when designing, testing, and releasing your API
- Don't use `Basic Auth`. Use standard authentication instead (e.g., JWT).
- Don't reinvent the wheel in `Authentication`, `token generation`, `password storage`. Use the standards.
- Use `Max Retry` and jail features in Login.
- Use a random, complicated key (`JWT Secret`) to make brute forcing the token very hard.
- Don't extract the algorithm from the token header. Force the algorithm in the backend (`HS256` or `RS256`).
- Make token expiration (`TTL`, `RTTL`) as short as possible.
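The three JWT items above (random secret, algorithm pinned in the backend, short TTL) in one minimal verifier. This is an added example written for this checklist, not code from the project: it uses only the Python standard library, the secret is generated on the spot (a real service loads it from a secrets manager), and `issue_token` / `verify_token` / `PINNED_ALG` are names chosen here. The point to notice is that the token header's `alg` is compared against the pinned value and never used to select the algorithm, so `alg: none` or an algorithm swap is rejected before any cryptography runs.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example: a real service loads the secret from a secrets
# manager. 32 random bytes make brute-forcing the HS256 key impractical.
JWT_SECRET = secrets.token_bytes(32)

# The accepted algorithm is fixed here, in the backend. The token header's
# "alg" field is compared against it and never used to pick the algorithm.
PINNED_ALG = "HS256"
ACCESS_TTL_SECONDS = 300  # short TTL; pair with a refresh token if sessions must last longer


class InvalidToken(Exception):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(JWT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(subject: str, now: Optional[float] = None, ttl: int = ACCESS_TTL_SECONDS) -> str:
    """Issue a compact HS256 JWT for `subject` that expires `ttl` seconds from `now`."""
    now = time.time() if now is None else now
    header = {"alg": PINNED_ALG, "typ": "JWT"}
    payload = {"sub": subject, "iat": int(now), "exp": int(now) + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    return signing_input + "." + _b64url_encode(_sign(signing_input))


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the payload if the token is well-formed, signed with the pinned algorithm and unexpired."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # bad split, bad base64, bad UTF-8 and bad JSON all derive from ValueError
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise InvalidToken("malformed token")
    # Reject "none", "RS256", anything but the pinned algorithm, before any cryptography runs.
    if header.get("alg") != PINNED_ALG:
        raise InvalidToken("algorithm not allowed")
    # Constant-time comparison so the signature check does not leak timing information.
    if not hmac.compare_digest(signature, _sign(header_b64 + "." + payload_b64)):
        raise InvalidToken("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise InvalidToken("token expired")
    return payload
```

`verify_token` deliberately takes `now` as a parameter so expiry can be tested deterministically; in production leave it at the default. Because the secret is regenerated on every process start, tokens do not survive a restart, which is exactly the behaviour you want from a throwaway example and exactly what you must avoid in a deployment.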
) as short as possible.HSTS
header with SSL to avoid SSL Strip attacks.redirect_uri
server-side to allow only safelisted URLs.response_type=token
).state
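The three OAuth items above, as an added example that is not part of the original checklist. The authorization-server side (`validate_authorize_request`, `validate_redirect_uri`) accepts only `response_type=code` and an exact, registered, https `redirect_uri`; the client side (`new_state`, `check_state`) mints a random `state`, stores it in the session and consumes it once on the callback. The client registry and all function names are assumptions made for the example; only the standard library is used.

```python
import hmac
import secrets
from typing import Dict
from urllib.parse import parse_qs, urlsplit

# Constructed registry (assumption): client_id -> exact redirect URIs registered at
# onboarding. Matching is by full-string equality, never by prefix or pattern.
REGISTERED_REDIRECT_URIS = {
    "client-abc": {"https://app.example.com/oauth/callback"},
}


class AuthorizeError(Exception):
    pass


def validate_redirect_uri(client_id: str, redirect_uri: str) -> str:
    """Authorization-server side: accept only an exact, https, fragment-free registered URI."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        raise AuthorizeError("redirect_uri must be https and carry no fragment")
    if redirect_uri not in REGISTERED_REDIRECT_URIS.get(client_id, set()):
        raise AuthorizeError("redirect_uri is not safelisted for this client")
    return redirect_uri


def validate_authorize_request(query_string: str) -> Dict[str, str]:
    """Check the /authorize query: code flow only, safelisted redirect, state present."""
    raw = parse_qs(query_string, keep_blank_values=True)
    # A repeated parameter is a sign of parameter pollution; refuse rather than pick one.
    if any(len(values) != 1 for values in raw.values()):
        raise AuthorizeError("duplicate parameter")
    params = {key: values[0] for key, values in raw.items()}
    for required in ("response_type", "client_id", "redirect_uri", "state"):
        if not params.get(required):
            raise AuthorizeError(f"missing {required}")
    # The implicit flow (response_type=token) puts the access token in the URL; allow only "code".
    if params["response_type"] != "code":
        raise AuthorizeError("only response_type=code is allowed")
    validate_redirect_uri(params["client_id"], params["redirect_uri"])
    return params


def new_state(session: dict) -> str:
    """Client side: mint a random state, remember it in the user's session, send it with the request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def check_state(session: dict, returned_state: str) -> bool:
    """Client side: the callback's state must equal the stored one; it is consumed on first use."""
    expected = session.pop("oauth_state", None)
    if (
        expected is None
        or not returned_state
        or not returned_state.isascii()
        or not hmac.compare_digest(expected, returned_state)
    ):
        raise AuthorizeError("state mismatch: the callback was not started by this session")
    return True
```

`session.pop` makes the state single-use, so a replayed callback fails even with the right value. Keep the registry to full URIs: prefix matching (`startswith`) is the classic way a "safelisted" redirect turns into an open redirect.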
- Use the proper HTTP method according to the operation: `GET (read)`, `POST (create)`, `PUT/PATCH (replace/update)`, and `DELETE (to delete a record)`, and respond with `405 Method Not Allowed` if the requested method isn't appropriate for the requested resource.
- Validate `content-type` on request Accept header (Content Negotiation) to allow only your supported format (e.g., `application/xml`, `application/json`, etc.) and respond with `406 Not Acceptable` response if not matched.
- Validate `content-type` of posted data as you accept (e.g., `application/x-www-form-urlencoded`, `multipart/form-data`, `application/json`, etc.).
- Validate user input to avoid common vulnerabilities (e.g., `XSS`, `SQL-Injection`, `Remote Code Execution`, etc.).
- Don't use any sensitive data (`credentials`, `passwords`, `security tokens`, or `API keys`) in the URL, but use standard Authorization header.
- Use an API Gateway service to enable caching, Rate Limit policies (e.g., `Quota`, `Spike Arrest`, or `Concurrent Rate Limit`) and deploy API resources dynamically.
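The first three Input items (method per resource with `405`, Accept negotiation with `406`, validation of the posted `content-type`) as one request gate. This is an added example, not project code: the routing table, the produced and accepted media types and the `check_request` name are assumptions, and answering an unsupported request body with `415 Unsupported Media Type` is this example's choice, since the checklist only says to validate it. It generalises the text slightly by handling `*/*` and `application/*` in Accept and by stripping parameters such as `; charset=utf-8` before comparing media types.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed routing table (assumption): path template -> methods the resource supports.
ROUTES = {
    "/me/orders": {"GET", "POST"},
    "/me/orders/{order_id}": {"GET", "PUT", "PATCH", "DELETE"},
}
PRODUCED_TYPES = ("application/json",)  # representations we can return, in preference order
ACCEPTED_BODY_TYPES = {"application/json", "application/x-www-form-urlencoded"}


def _media_type(header_value: str) -> str:
    """'application/json; charset=utf-8' -> 'application/json'."""
    return header_value.split(";", 1)[0].strip().lower()


def _match_route(path: str) -> Optional[Set[str]]:
    """Return the allowed methods for the first template matching `path`, or None."""
    segments = path.split("/")
    for template, methods in ROUTES.items():
        parts = template.split("/")
        if len(parts) == len(segments) and all(
            (p.startswith("{") and s) or p == s for p, s in zip(parts, segments)
        ):
            return methods
    return None


def negotiate(accept_header: Optional[str]) -> Optional[str]:
    """Pick a response format from Accept; None means nothing we produce is acceptable."""
    if not accept_header or not accept_header.strip():
        return PRODUCED_TYPES[0]  # no Accept header: any representation is acceptable
    wanted = [_media_type(item) for item in accept_header.split(",")]
    for produced in PRODUCED_TYPES:
        family = produced.split("/")[0] + "/*"
        if produced in wanted or family in wanted or "*/*" in wanted:
            return produced
    return None


def check_request(method: str, path: str, headers: Dict[str, str], has_body: bool) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers): a 4xx rejection, or (200, {'Content-Type': ...}) meaning proceed."""
    h = {k.lower(): v for k, v in headers.items()}
    allowed = _match_route(path)
    if allowed is None:
        return 404, {}
    if method.upper() not in allowed:
        return 405, {"Allow": ", ".join(sorted(allowed))}
    produced = negotiate(h.get("accept"))
    if produced is None:
        return 406, {}
    # 415 for an unsupported body type is this example's choice; the checklist says only to validate it.
    if has_body and _media_type(h.get("content-type", "")) not in ACCEPTED_BODY_TYPES:
        return 415, {}
    return 200, {"Content-Type": produced}
```

The order of the checks matters: the method is rejected before the body is looked at, so a client never learns which body types a forbidden method would have taken, and the `Allow` header on `405` is what the HTTP specification requires.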
) and deploy APIs resources dynamically./me/orders
instead of /user/654321/orders
.UUID
instead.XXE
(XML external entity attack).Billion Laughs/XML bomb
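The two XML items above in code: an added example, not part of the checklist, showing how to parse untrusted XML with Python's standard-library expat parser while refusing any DTD, entity declaration or external entity reference, which closes both the XXE and the entity-expansion (Billion Laughs) paths at the declaration stage, before anything is expanded. The `parse_untrusted_xml` name and the nested-dict output shape are choices made here; the two refused documents in the test are constructed, deliberately tiny, and point at a placeholder path.

```python
from typing import Any, Dict, List
from xml.parsers import expat


class UnsafeXML(Exception):
    pass


def parse_untrusted_xml(data: bytes) -> Dict[str, Any]:
    """Parse `data` into nested {tag, attrs, text, children} dicts, refusing DTDs and entities.

    Any DOCTYPE, internal or unparsed entity declaration, or external entity
    reference aborts parsing with UnsafeXML. Predefined entities such as &amp;
    are still handled by expat and never reach these handlers.
    """
    parser = expat.ParserCreate()

    def forbid(*_args):
        # Raising inside a handler propagates out of parser.Parse().
        raise UnsafeXML("DTD, entity declarations and external entities are not allowed")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.UnparsedEntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = []

    def start(tag, attrs):
        node = {"tag": tag, "attrs": dict(attrs), "text": "", "children": []}
        if stack:
            stack[-1]["children"].append(node)
        else:
            root.update(node)
            node = root
        stack.append(node)

    def end(_tag):
        stack.pop()

    def chars(text):
        # expat may deliver one text run in several chunks; concatenate them.
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)  # malformed XML raises expat.ExpatError
    return root
```

The handlers fire on the declaration, so the size or depth of an entity bomb never matters and no expansion budget has to be tuned. If your code base uses `xml.etree`, the `defusedxml` package applies the same idea to those APIs; this example stays on the standard library so it runs anywhere.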
- Send `X-Content-Type-Options: nosniff` header.
- Send `X-Frame-Options: deny` header.
- Send `Content-Security-Policy: default-src 'none'` header.
- Remove fingerprinting headers: `X-Powered-By`, `Server`, `X-AspNet-Version`, etc.
- Force `content-type` for your response. If you return `application/json`, then your `content-type` response is `application/json`.
- Don't return sensitive data like `credentials`, `passwords`, or `security tokens`.
- Return the proper status code according to the operation completed (e.g., `200 OK`, `400 Bad Request`, `401 Unauthorized`, `405 Method Not Allowed`, etc.).
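The Output items above as a single last-hop response filter: an added example, not project code. `harden_response` strips the fingerprinting headers, adds the three headers the checklist names (plus `Strict-Transport-Security`, from the `HSTS` item earlier on the page), forces the response `Content-Type` rather than trusting whatever the handler set, and drops a constructed list of sensitive field names from the JSON body as a defence-in-depth guard. The function name, the `SENSITIVE_FIELDS` list and the HSTS `max-age` value are assumptions made for the example.

```python
import json
from typing import Any, Dict, Tuple

# Headers that reveal the stack; removed from every response.
FINGERPRINT_HEADERS = {"x-powered-by", "server", "x-aspnet-version"}
# Headers the checklist asks for on every response (HSTS value is this example's choice).
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "Content-Security-Policy": "default-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
RESPONSE_CONTENT_TYPE = "application/json; charset=utf-8"
# Constructed list of field names that must never reach a client; extend it for your schema.
SENSITIVE_FIELDS = {
    "password", "password_hash", "secret", "token", "access_token",
    "refresh_token", "api_key", "apikey", "authorization",
}


def strip_sensitive(value: Any) -> Any:
    """Recursively drop sensitive keys from dicts, including dicts nested in lists."""
    if isinstance(value, dict):
        return {
            k: strip_sensitive(v)
            for k, v in value.items()
            if str(k).lower() not in SENSITIVE_FIELDS
        }
    if isinstance(value, list):
        return [strip_sensitive(v) for v in value]
    return value


def harden_response(status: int, headers: Dict[str, str], body: Any) -> Tuple[int, Dict[str, str], bytes]:
    """Final hop before the wire: scrub headers and body, force the content type."""
    out = {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}
    out.update(SECURITY_HEADERS)
    # Forced, never derived from the body or the request, so a client cannot talk us into text/html.
    out["Content-Type"] = RESPONSE_CONTENT_TYPE
    encoded = json.dumps(strip_sensitive(body), separators=(",", ":")).encode("utf-8")
    out["Content-Length"] = str(len(encoded))
    return status, out, encoded
```

Treat the body scrub as a safety net, not the design: handlers should build responses from an explicit allow-list of output fields, so that a new sensitive column added to the database never reaches serialisation in the first place.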
Feel free to contribute by forking this repository, making some changes, and submitting pull requests. For any questions drop us an email at [email protected].