API Security Best Practices

Why API Security Matters

APIs are the backbone of modern applications, enabling communication between services, mobile apps, and third‑party integrations. A vulnerable API can expose sensitive data, allow unauthorized actions, or become a gateway for large‑scale attacks.

Authentication & Authorization

Always enforce strong authentication mechanisms. Use OAuth 2.0 with Authorization Code Grant and PKCE for public clients.

// Example: Express middleware for JWT validation
const jwt = require('jsonwebtoken');

function verifyToken(req, res, next) {
  const token = req.headers['authorization']?.split(' ')[1];
  if (!token) return res.sendStatus(401);
  jwt.verify(token, process.env.JWT_SECRET, (err, payload) => {
    if (err) return res.sendStatus(403);
    req.user = payload;
    next();
  });
}

module.exports = verifyToken;

Leverage Role‑Based Access Control (RBAC) and validate scopes on each request.

Rate Limiting & Throttling

Prevent abuse by limiting the number of requests per IP or user token.

// Example: Using express-rate-limit
const rateLimit = require('express-rate-limit');

const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  message: 'Too many requests, please try again later.'
});

app.use('/api/', apiLimiter);

Input Validation & Sanitization

Never trust client input. Validate against a schema and sanitize to prevent injection attacks.

// Example: Joi schema validation
const Joi = require('joi');

const userSchema = Joi.object({
  email: Joi.string().email().required(),
  password: Joi.string().min(12).required(),
});

app.post('/api/register', (req, res) => {
  const { error } = userSchema.validate(req.body);
  if (error) return res.status(400).json({ error: error.details[0].message });
  // continue processing...
});

Logging & Monitoring

Record failed authentication attempts, unusually high request rates, and error responses. Centralize logs with tools like ELK or Splunk.

// Example: Winston logger for Express
const winston = require('winston');

const logger = winston.createLogger({
  level: 'info',
  transports: [
    new winston.transports.Console(),
    new winston.transports.File({ filename: 'api.log' })
  ]
});

app.use((req, res, next) => {
  logger.info(`${req.method} ${req.originalUrl} - ${req.ip}`);
  next();
});

Secure Transport (TLS)

All API traffic must be encrypted with TLS 1.2+ and strong cipher suites. Enforce HTTPS and use HSTS headers.

# Nginx snippet for strict TLS
server {
    listen 443 ssl http2;
    server_name api.example.com;

    ssl_certificate /etc/ssl/certs/api.crt;
    ssl_certificate_key /etc/ssl/private/api.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
}

Continuous Security Testing

Integrate automated security scans into your CI/CD pipeline. Tools like OWASP ZAP, SonarQube, and Snyk can detect common vulnerabilities.

• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Dependency vulnerability scanning