100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

API Security Best Practices Cheat Sheet

API Security Best Practices Cheat Sheet

Authentication, authorization, input validation, and rate-limiting patterns to protect REST and GraphQL APIs in production.

3 PagesIntermediateFeb 4, 2026

Verify a JWT Before Trusting Claims

Always verify signature, issuer, audience, and expiry server-side.

javascript
import { jwtVerify, createRemoteJWKSet } from "jose";const JWKS = createRemoteJWKSet(new URL("https://auth.example.com/.well-known/jwks.json"));async function verifyToken(token) {  const { payload } = await jwtVerify(token, JWKS, {    issuer: "https://auth.example.com",    audience: "api.example.com",  });  return payload; // never trust claims from an unverified token}

Rate Limiting Middleware (Express)

Per-IP and per-key limits to blunt brute-force and scraping.

javascript
import rateLimit from "express-rate-limit";const apiLimiter = rateLimit({  windowMs: 60 * 1000, // 1 minute  max: 100,            // 100 requests per window per key  standardHeaders: true,  legacyHeaders: false,  keyGenerator: (req) => req.headers["x-api-key"] || req.ip,});app.use("/api/", apiLimiter);

Schema-Based Input Validation

Reject malformed/oversized payloads before they reach business logic.

typescript
import { z } from "zod";const CreateOrderSchema = z.object({  sku: z.string().max(64),  quantity: z.number().int().positive().max(1000),  notes: z.string().max(500).optional(),});app.post("/orders", (req, res) => {  const result = CreateOrderSchema.safeParse(req.body);  if (!result.success) {    return res.status(400).json({ error: result.error.flatten() });  }  // result.data is now typed and validated});

API Security Checklist

Baseline controls every production API should have.

  • TLS everywhere- reject plaintext HTTP, use HSTS on public endpoints
  • Least-privilege scopes- OAuth scopes/claims per endpoint, not one god-token
  • Object-level authz- verify the caller owns/can access the specific record ID (BOLA/IDOR)
  • Output filtering- never serialize internal-only fields (password hashes, internal IDs)
  • CORS allowlist- explicit origins, not `*`, especially with credentials
  • Security headers- CSP, X-Content-Type-Options, X-Frame-Options on any HTML responses
  • Audit logging- log auth failures and sensitive actions with request context
Pro Tip

Test for Broken Object Level Authorization (BOLA) explicitly — it's OWASP API Security's #1 risk year after year, and schema validation or a valid JWT will never catch it because the request is syntactically and even authentically valid, just for the wrong object.

Was this cheat sheet helpful?

Explore Topics

#APISecurityBestPractices#APISecurityBestPracticesCheatSheet#Cybersecurity#Intermediate#Verify#JWT#Before#Trusting#Security#APIs#CheatSheet#SkillVeris