← Back to blog
·10 min read

How to Secure Your API Endpoints: A Developer's Checklist

Complete API security checklist for developers: authentication, authorization, rate limiting, input validation, TLS, logging, and more. With code examples for Node.js and common frameworks.

api-securitysecuritynodejschecklist

APIs Are the New Attack Surface

Every mobile app, SPA, and microservice communicates via APIs. They're everywhere — and they're consistently under-secured compared to traditional web frontends.

The OWASP API Security Top 10 exists for a reason. API vulnerabilities are responsible for a disproportionate share of high-severity breaches. This checklist covers everything you need to lock down your endpoints.

1. Authentication

Every endpoint needs authentication (unless intentionally public). Most API breaches start with missing or broken auth.

Use industry standards:

  • JWT (JSON Web Tokens): Short-lived access tokens + longer-lived refresh tokens
  • OAuth 2.0: For third-party delegation
  • API Keys: For machine-to-machine, with scoping and rotation

    • JWT validation checklist:

  • Verify signature with a secure secret (RS256 preferred over HS256 for distributed systems)
  • Check `exp` (expiry) and `nbf` (not before) claims
  • Validate `aud` (audience) to prevent token reuse across services
  • Reject `none` algorithm — attackers can strip signatures

    • 2. Authorization — Don't Confuse with Authentication

    Authentication confirms *who* the user is. Authorization confirms *what* they're allowed to do.

    BOLA (Broken Object Level Authorization) is the #1 API vulnerability. Always verify that the authenticated user owns or has permission to access the resource they're requesting.

    Rule: Never trust a resource identifier (ID) from the request without verifying the authenticated user has access to it.

    3. Rate Limiting

    Without rate limiting, your API is vulnerable to brute force, credential stuffing, enumeration attacks, and DoS from runaway clients.

    Limits to implement:

  • Login endpoint: 10 attempts per 15 minutes per IP
  • Password reset: 3 requests per hour per user
  • General API: 100 requests per minute per authenticated user
  • Unauthenticated: 20 requests per minute per IP

    • Add exponential backoff for repeated failures. Consider IP-based and user-based limits separately.

    4. Input Validation and Sanitization

    Never trust user input. Validate everything — shape, type, length, and content.

    Validation rules:

  • Reject unexpected fields (prevent mass assignment)
  • Validate file uploads: type, size, extension, and content via magic bytes
  • Sanitize HTML content server-side
  • Never pass user input directly to shell commands, SQL queries, or eval
  • Use a schema validation library (Zod, Joi, Yup) on every endpoint

    • 5. HTTPS Everywhere + HSTS

    All API traffic must be encrypted. HTTP is not acceptable for any endpoint that handles credentials or sensitive data.

    TLS configuration checklist:

  • Use TLS 1.2 minimum, prefer TLS 1.3
  • Disable weak cipher suites (RC4, DES, 3DES, export ciphers)
  • Use HSTS with `max-age=31536000; includeSubDomains`
  • Never disable certificate verification in production code

    • 6. CORS Configuration

    Misconfigured CORS allows malicious websites to make authenticated requests to your API on behalf of logged-in users.

    Rules:

  • Never combine `credentials: true` with `origin: '*'`
  • Use an explicit allowlist of trusted origins
  • Restrict allowed HTTP methods
  • Don't reflect the `Origin` header without validation

    • 7. Sensitive Data Exposure

    APIs often return more data than the client needs. Over-fetching exposes fields that should never leave the server.

    Field-level checklist:

  • Never return password hashes, even encrypted
  • Remove internal IDs and foreign keys from public responses
  • Audit GraphQL schemas — introspection reveals your entire data model
  • Use separate DTOs (Data Transfer Objects) for API responses
  • Disable GraphQL introspection in production

    • 8. Error Handling

    Verbose errors are a gift to attackers. Stack traces reveal file paths, library versions, database schemas, and internal architecture.

    Rule: Log the full error server-side. Return only a generic message to the client in production. Include error codes (not messages) for client-side handling.

    9. Security Headers for APIs

    Even JSON APIs benefit from security headers.

    Always include:

  • `X-Content-Type-Options: nosniff` — prevents MIME sniffing
  • `X-Frame-Options: DENY` — prevents clickjacking
  • `Cache-Control: no-store` — on sensitive data endpoints
  • `Content-Type: application/json` — explicit on all JSON responses

    • 10. Logging and Monitoring

    You can't defend what you can't see. Proper API logging is the difference between detecting a breach in minutes vs. finding out months later.

    Log every:

  • Authentication event (success, failure, with IP and user agent)
  • Authorization failure (who tried to access what)
  • Rate limit hit
  • Validation failure (field name only — never log values that might contain passwords)
  • Response time outlier (slow queries can indicate injection attempts)

    • The Quick External Audit

    After implementing these controls, verify them externally. Run a scan against your API domain and check:

  • Are any endpoints publicly accessible that shouldn't be?
  • Is TLS configured correctly with no weak ciphers?
  • Are security headers present on API responses?
  • Are any old API versions (`/api/v1/`) still accessible?

    • VulnScan.pro's Full Scan runs nuclei against your API endpoints with templates specifically targeting API vulnerabilities — auth bypass, exposed documentation, BOLA patterns, and more.

    Check your API security posture today. Run a Full Scan and get a detailed report in under 30 minutes.

    Ready to scan your attack surface?

    Find vulnerabilities before attackers do. Professional reports in minutes.

    Start Scanning →