API Security Best Practices Cheat Sheet
Authentication, authorization, input validation, and rate-limiting patterns to protect REST and GraphQL APIs in production.
3 PagesIntermediateFeb 4, 2026
Verify a JWT Before Trusting Claims
Always verify signature, issuer, audience, and expiry server-side.
javascript
import { jwtVerify, createRemoteJWKSet } from "jose";const JWKS = createRemoteJWKSet(new URL("https://auth.example.com/.well-known/jwks.json"));async function verifyToken(token) { const { payload } = await jwtVerify(token, JWKS, { issuer: "https://auth.example.com", audience: "api.example.com", }); return payload; // never trust claims from an unverified token}
Rate Limiting Middleware (Express)
Per-IP and per-key limits to blunt brute-force and scraping.
javascript
import rateLimit from "express-rate-limit";const apiLimiter = rateLimit({ windowMs: 60 * 1000, // 1 minute max: 100, // 100 requests per window per key standardHeaders: true, legacyHeaders: false, keyGenerator: (req) => req.headers["x-api-key"] || req.ip,});app.use("/api/", apiLimiter);
Schema-Based Input Validation
Reject malformed/oversized payloads before they reach business logic.
typescript
import { z } from "zod";const CreateOrderSchema = z.object({ sku: z.string().max(64), quantity: z.number().int().positive().max(1000), notes: z.string().max(500).optional(),});app.post("/orders", (req, res) => { const result = CreateOrderSchema.safeParse(req.body); if (!result.success) { return res.status(400).json({ error: result.error.flatten() }); } // result.data is now typed and validated});
API Security Checklist
Baseline controls every production API should have.
- TLS everywhere- reject plaintext HTTP, use HSTS on public endpoints
- Least-privilege scopes- OAuth scopes/claims per endpoint, not one god-token
- Object-level authz- verify the caller owns/can access the specific record ID (BOLA/IDOR)
- Output filtering- never serialize internal-only fields (password hashes, internal IDs)
- CORS allowlist- explicit origins, not `*`, especially with credentials
- Security headers- CSP, X-Content-Type-Options, X-Frame-Options on any HTML responses
- Audit logging- log auth failures and sensitive actions with request context
Pro Tip
Test for Broken Object Level Authorization (BOLA) explicitly — it's OWASP API Security's #1 risk year after year, and schema validation or a valid JWT will never catch it because the request is syntactically and even authentically valid, just for the wrong object.
Was this cheat sheet helpful?
Explore Topics
#APISecurityBestPractices#APISecurityBestPracticesCheatSheet#Cybersecurity#Intermediate#Verify#JWT#Before#Trusting#Security#APIs#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance