Home / Security Domains / API Security
OWASPNIST

🔌 API Security

Protecting APIs with authentication, rate limiting, input validation, and defenses against the OWASP API Top 10 vulnerabilities.

APIs are the connective tissue of modern applications — and a primary attack vector. Over 80% of web traffic flows through APIs. As organizations adopt microservices and cloud-native architectures, the API attack surface expands dramatically.

Vani
Vani
Choose a section to learn

📚 API Types & Categories — The Complete Reference

APIs are classified across three dimensions: who can access them, how they are architecturally designed, and how they communicate. Each dimension has direct security implications — knowing the type shapes the threat model.

🔐

Classification 1 — By Access (Who Can Call It?)

🌐
Public API
Open API

Exposed to the internet — any developer or application can call it. Often require API keys for rate limiting, but no user identity verification.

Examples: Twitter/X API, Google Maps API, OpenWeatherMap, Stripe
⚠️ Highest attack surface — exposed to automated scanners, bots, and anonymous abuse. Must enforce rate limiting, input validation, and OWASP API Top 10 controls.
🏢
Private API
Internal API

Used only within the organization — internal service-to-service communication. Not publicly accessible. Examples: HR systems, Payroll, ERP integrations, internal microservices.

Examples: Workday HR API, SAP Payroll, internal microservice mesh
⚠️ Often under-secured (false sense of safety). Insider threats and lateral movement are primary risks. Requires mTLS, service-level auth, and zero-trust principles.
🤝
Partner API
B2B API

Shared with specific trusted third parties under a business agreement. More controlled than Public — access is by invitation and governed by contracts and SLAs.

Examples: Salesforce partner integrations, payment processor B2B APIs, healthcare payer portals (HL7 FHIR)
⚠️ Third-party risk — if partner is breached, your API is exposed. Requires scoped OAuth tokens, IP allowlisting, and audit logging of all partner calls.
🔗
Composite API
Aggregation API

Combines multiple data sources or service endpoints into a single API call — reduces network overhead and simplifies client logic. Popular in microservices architectures.

Examples: BFF (Backend for Frontend), API orchestration layers, GraphQL resolvers combining multiple services
⚠️ Blast radius risk — one compromised composite API call can expose data from multiple downstream services simultaneously. Authorization must be enforced at every sub-call, not just at the entry point.
🏗️

Classification 2 — By Architecture (How Is It Built?)

TypeStyleCore CharacteristicsSecurity ConsiderationsBest Used For
🌐 RESTHTTP/CRUDStateless, resource-based URLs, standard HTTP verbs (GET/POST/PUT/DELETE). JSON/XML. Follows HTTP semantics.⚠️ OWASP API Top 10 fully applies. BOLA/IDOR on resource IDs. Missing auth on DELETE/PUT. Verbose error messages.Web & mobile apps, public APIs, microservices, CRUD operations
🏦 SOAPXML/WSXML-based, rigid contract (WSDL), built-in WS-Security standard. Stateful capable. Used in regulated industries.⚠️ XML injection, XXE (XML External Entity) attacks, SOAP action spoofing. WS-Security complex to implement correctly.Banking, healthcare (HL7), government, legacy enterprise systems
🔎 GraphQLQueryQuery language — clients specify exact data shape. Prevents over-fetching. Single endpoint. Strongly typed schema.⚠️ Introspection leaks full schema to attackers. Deeply nested queries can cause DoS. No built-in auth per field — developers must add manually. Batch query abuse.Complex UIs with flexible data needs, BFF pattern, mobile apps reducing payload size
⚡ gRPCHTTP/2Google Remote Procedure Call. Uses Protocol Buffers (binary). HTTP/2 streaming. Low latency. Strongly typed contracts.⚠️ Binary format harder to inspect in WAF/logging. Requires TLS. Service-level auth needed (not just network-level). Less tooling maturity.Internal microservices, real-time data, polyglot systems, high-performance inter-service calls
📞 RPCLegacyOldest pattern — calls remote procedures like local functions. Tightly coupled. XML-RPC and JSON-RPC variants. Direct method invocation model.⚠️ Lacks modern auth standards. Often no schema validation. Replay attacks. Tight coupling means changes ripple through systems.Legacy systems, local network communication, blockchain node interfaces (JSON-RPC)
🔄 WebSocketBi-directionalFull-duplex, persistent connection over a single TCP socket. Low latency. Server can push without client request. Upgrades from HTTP.⚠️ Auth happens only at handshake — once connected, continuous. Cross-site WebSocket hijacking (CSWSH). No built-in message-level auth. Hard to rate limit per message.Live chat, real-time sports scores, financial tickers, collaborative editing, gaming
📡

Classification 3 — By Communication (How Does It Respond?)

↔️
Synchronous APIs
Request → Response

Client sends a request and waits (blocks) for the response. The connection is held open until the server responds. Simpler to reason about but creates tight coupling — server latency directly impacts client.

Client → Request → Server → Response → Client (same connection)
Examples: REST GET /users, GraphQL queries, gRPC Unary calls, SOAP
Easier to audit and trace. Clear request-response pairs in logs.
⚠️ Vulnerable to slow-response DoS (Slowloris-style). Timeout handling errors can leak state. Connection exhaustion attacks.
🔒 Security Controls: Timeout enforcement, connection limits per client, rate limiting on request rate
📨
Asynchronous APIs
Event-Driven / WebHooks

Client sends a request and immediately receives acknowledgment — actual processing happens later. Server notifies client via Webhook, message queue, or polling when result is ready. Decoupled, scalable.

Client → Request → ACK (202) → Server processes → Webhook callback → Client
Examples: WebHooks (GitHub, Stripe, Twilio), Kafka/SQS message queues, Server-Sent Events, WebSocket push
Resilient — failures don't cascade immediately. Can buffer and retry securely.
⚠️ Webhook endpoints must validate HMAC signatures (anyone can POST to your webhook URL). Message queues need encryption at rest and in transit. Replay attack risk on event payloads.
🔒 Security Controls: HMAC signature validation on every webhook, idempotency keys, dead-letter queue auditing, payload TTL enforcement
💡 Interview Quick-Reference — API Type Security Trade-offs
REST vs GraphQL security?
REST has per-endpoint auth. GraphQL needs field-level auth + disable introspection in prod + query depth limits.
WebSocket vs REST auth?
REST auth per request. WebSocket auth only at handshake — validate JWT then, or use per-message tokens.
Private API = safe?
No. Insider threats, lateral movement. Apply zero-trust — mTLS + service identity + authorization on every call.
Composite API risk?
One call = multiple service data. Auth must be enforced at every downstream service, not just the entry point.
Webhook security?
Validate HMAC-SHA256 signature on every delivery. Without it, anyone can POST malicious payloads to your URL.
gRPC vs REST inspection?
gRPC binary format bypasses text-based WAF rules. Need gRPC-aware proxy (Envoy/nginx) for traffic inspection.

API Security Architecture

🌐 Client (Web / Mobile / Partner)
🛡️ API Gateway — Auth, Rate Limit, WAF, Logging
🔑 OAuth 2.0 / JWT / mTLS — Authentication & Authorization
📋 Input Validation & Schema Enforcement (OpenAPI)
⚙️ Microservices / Backend Logic
📊 Monitoring, Anomaly Detection & Incident Response

Defense-in-Depth for APIs

Every layer adds a security control — no single point of failure

Key Concepts

🚪 API Gateway

Centralized entry point — auth, rate limiting, routing, SSL termination, logging

Tools: Kong, Apigee, AWS API Gateway

🔑 OAuth 2.0 / OIDC

Standard authorization framework. Use Authorization Code + PKCE flow

Tools: Okta, Auth0, Keycloak

⏱️ Rate Limiting

Prevent abuse via token bucket or sliding window algorithms

Tools: API Gateway rules, nginx limits

Input Validation

Validate all inputs against OpenAPI/Swagger schemas

Tools: JSON Schema, Joi, Zod

🔍 API Discovery

Maintain inventory of all APIs — find shadow/deprecated endpoints

Tools: Salt Security, Traceable, Noname

📡 API Monitoring & WAF

Real-time anomaly detection, bot mitigation, abuse patterns

Tools: AWS WAF, Cloudflare, Datadog

🛡️ OWASP API Security Top 10 (2023)

The most critical API-specific vulnerabilities — from broken authorization to unsafe third-party consumption.

IDVulnerabilityRiskDescriptionKey Mitigation
API1Broken Object Level AuthorizationCriticalManipulating IDs to access other users' dataServer-side auth per object, UUIDs
API2Broken AuthenticationCriticalWeak auth mechanisms, missing token validationOAuth 2.0/OIDC, short-lived tokens
API3Object Property Level AuthHighExposing/modifying restricted object propertiesExplicit response schemas, allowlist fields
API4Unrestricted Resource ConsumptionHighNo rate limits → DoS or financial damageRate limiting, pagination, payload limits
API5Broken Function Level AuthHighRegular users accessing admin endpointsRBAC, deny by default, auth middleware
API6Unrestricted Sensitive FlowsMediumAutomated abuse of business-critical APIsBot detection, CAPTCHA, rate limiting
API7Server Side Request ForgeryHighFetching attacker-controlled URLsURL allowlisting, network segmentation
API8Security MisconfigurationMediumMissing headers, CORS misconfig, verbose errorsHardening, automated config scanning
API9Improper Inventory ManagementMediumShadow APIs, deprecated endpoints still liveAPI discovery tools, version management
API10Unsafe Consumption of APIsMediumTrusting third-party API data without validationValidate all responses, circuit breakers

Interview Preparation

💡 Interview Question

What are the different types of APIs and their security implications?

APIs are classified 3 ways:

1BY ACCESS — Public (internet-facing, highest attack surface — OWASP API Top 10 fully applies), Private/Internal (insider threat, lateral movement risk — apply zero-trust/mTLS), Partner/B2B (third-party risk — scoped tokens + IP allowlisting), Composite (blast radius risk — one call exposes multiple services).

2BY ARCHITECTURE — REST (BOLA/IDOR on resource IDs), GraphQL (introspection leaks schema, deep query DoS — disable introspection in prod), gRPC (binary format evades WAF — need gRPC-aware proxy), SOAP (XXE attacks via XML), WebSocket (auth only at handshake — CSWSH risk).

3BY COMMUNICATION — Synchronous (connection exhaustion attacks, timeout mishandling), Asynchronous/WebHooks (HMAC signature validation critical — anyone can POST to webhook URL without it).

💡 Interview Question

How do you prevent Broken Object Level Authorization (BOLA)?

BOLA (also called IDOR) occurs when the API doesn't verify that the authenticated user has permission to access the requested object. Mitigations:

1Implement authorization checks on every object access — don't rely on obscurity of IDs.

2Use UUIDs instead of sequential IDs (defense in depth, not primary control).

3Check object ownership: if(object.userId !== currentUser.id) deny.

4Log and alert on authorization failures.

5Write automated tests for authorization.

6Use API gateway policies for object-level enforcement.

💡 Interview Question

How would you design a secure API authentication architecture?

1) Use OAuth 2.0 with Authorization Code + PKCE flow (not implicit).

2JWTs for stateless auth with short expiry (15 min) and refresh tokens.

3API keys only for server-to-server, never exposed client-side.

4Mutual TLS (mTLS) for internal service mesh communication.

5Rate limit auth endpoints aggressively.

6Implement account lockout and CAPTCHA for brute force.

7Use API gateway as centralized auth enforcement point.

8Rotate credentials regularly and monitor for leaked tokens.

Framework Mapping

FrameworkRelevant Controls
OWASPAPI Security Top 10 (2023), API Security Testing Guide
NISTSP 800-53 AC-3 (Access Enforcement), IA-8 (Identification), SC-13 (Crypto)

Related Domains

🛡️

Application Security

Full app lifecycle security

🔑

IAM

API authentication

🤖

AI Security

AI model API protection

AIMIT
AIMIT 🛡️
On Duty AvatarVani