API Security#

Reference of API design styles, authentication / authorization patterns, the OWASP API Security Top 10, gateway products, and discovery / testing tools. Useful for AppSec review, pentest scoping, and threat-model design.

For broader web hacking, see Hacking. For identity providers / OAuth, see Identity Providers (IdPs). For WAFs + CDN-bundled API protection, see CDNs & Edge.

API styles#

Style

Notes

REST

HTTP verbs + resources; JSON; the dominant style. Spec via OpenAPI 3.x (formerly Swagger).

GraphQL

Query language; single endpoint; introspection (often left on). Spec by Meta.

gRPC

HTTP/2 + Protocol Buffers; bidirectional streaming; Google.

gRPC-Web

Browser-compatible gRPC over HTTP/1.1.

SOAP

XML; WS-* family; legacy enterprise.

JSON-RPC / XML-RPC

Light RPC.

WebSocket

Persistent bidirectional; upgrade from HTTP.

WebRTC

Real-time peer-to-peer media + data; STUN/TURN.

Webhook

Outbound HTTP from one app to another.

Server-Sent Events

Unidirectional server-to-client over HTTP.

EDA / event-driven

Async; AsyncAPI spec.

Authentication patterns#

Pattern

Notes

API key

Long-lived shared secret; usually a header (X-API-Key) or query. Easy + insecure for client-side use.

Basic Auth

Base64(user:pass); use only over TLS.

Bearer + JWT

Authorization: Bearer <token>; JWT signed by issuer.

Bearer + opaque

Same; opaque token requires introspection (RFC 7662).

OAuth 2.0 client_cre dentials

Server-to-server access tokens.

OAuth 2.0 authorisat

ion code + PKCE User-delegated; the modern web/mobile default.

OIDC + ID token

OAuth + identity layer.

OAuth 2.0 device cod e

TV / CLI flow.

mTLS

Client cert + server cert; common for B2B.

DPoP

Demonstration of PoP; sender-constrained tokens.

HTTP Sig

Signed HTTP requests; AWS SigV4 / Stripe / Mastodon use this.

HMAC signing

Shared-secret HMAC over standard request.

JWS / JWT bearer

Signed JWT as auth assertion.

PASETO

JWT alternative without algorithm confusion.

SCIM

User provisioning, not auth per se.

OWASP API Security Top 10 (2023)#

ID

Description

API1:2023

Broken Object Level Authorization (BOLA), IDOR / per-object authz failure.

API2:2023

Broken Authentication, weak / missing auth, JWT misuse.

API3:2023

Broken Object Property Level Authorization, mass assignment + excessive data exposure.

API4:2023

Unrestricted Resource Consumption, no rate limit, no quota.

API5:2023

Broken Function Level Authorization, missing privilege checks.

API6:2023

Unrestricted Access to Sensitive Business Flows, bot abuse of legit flows.

API7:2023

Server-Side Request Forgery (SSRF), API takes URL input.

API8:2023

Security Misconfiguration, defaults, verbose errors, CORS.

API9:2023

Improper Inventory Management, shadow / zombie / deprecated APIs.

API10:2023

Unsafe Consumption of APIs, trust of third-party API output.

API gateway products#

Product

Vendor

Notes

Kong Gateway

Kong Inc.

OSS Lua/Nginx-based; the OSS leader.

Kong Konnect

Kong

Cloud control plane.

Apigee

Google

Acquired 2016; the enterprise default.

AWS API Gateway

AWS

Managed (REST + HTTP + WebSocket).

Azure API Management

Microsoft

Managed.

Tyk

Tyk

OSS + commercial.

Amazon Application S ignals

AWS

Application observability.

NGINX / NGINX Plus

F5 / NGINX

Reverse proxy + API gateway.

Envoy + Istio Gatewa y

CNCF

Service-mesh + API.

Traefik

Traefik

K8s-native gateway.

Krakend / Lura

Krakend

Open-source gateway.

WSO2 API Manager

WSO2

OSS + commercial.

Mulesoft Anypoint

Salesforce

Enterprise.

IBM API Connect

IBM

Enterprise.

SAP API Management

SAP

Enterprise.

Cloudflare API Gateway

Cloudflare

Cloudflare’s API security.

Google Cloud Endpoints + Apigee

Google

Managed.

API security products#

Vendor

Notes

Salt Security

API discovery + runtime; bought by Akamai 2024.

Noname Security

API discovery + runtime; bought by Akamai 2024.

Traceable AI

Distributed-tracing-based API security.

Cequence Security

API protection.

Imperva API Security

API gateway security.

Wallarm

API security + WAAP.

42Crunch

API security + OAS scanning.

APIsec

Auto-generated API tests.

Akamai API Security

Acquired Noname + Salt.

Cloudflare API Shield

Cloudflare; schema validation + abuse detection.

Microsoft Defender for APIs

MS-native discovery + protection.

F5 Distributed Cloud

API discovery.

Datadog ASM

Application Security Management.

Discovery / testing#

Tool

Notes

Burp Suite

PortSwigger; the standard manual + automated tester.

ZAP

OWASP free alternative.

Caido

Modern Burp alternative.

Postman / Insomnia

API client + test.

mitmproxy

Python proxy + scripting.

nuclei

Templates for API CVEs.

Akto

Open-source API security testing.

OWASP API Security Test Project

Project home.

APIsec / Pynt / Nost ra

Commercial dynamic.

schemathesis

Property-based OpenAPI testing.

Swagger Codegen / OAS -tools

Schema tooling.

Spectral

Stoplight; OpenAPI linter.

Postman API Security

Postman’s built-in scanning.

Gobuster / FFUF / Dir yield

Endpoint discovery.

JWT_Tool

JWT manipulation.

GraphQL Voyager

Schema exploration.

GraphCrawler

GraphQL pentest.

clairvoyance

GraphQL introspection bypass.

inql

GraphQL Burp extension.

JWT pitfalls#

Pitfall

Notes

alg=none

Spec-allowed; many libs accept; refuse explicitly.

HS256 vs RS256

Algorithm confusion; force only the algorithm you signed with.

jku / jwk / kid

Header parameters that fetch public keys; SSRF / key substitution risk.

Long TTL

Reduces revocation effectiveness; pair with refresh tokens + revocation endpoint.

No revocation

JWTs are stateless; need explicit revocation list or short TTL.

Sensitive claims

Don’t put PII / secrets in JWT body (it’s just base64).

None of the above

Use the platform JWT lib correctly; never roll your own.

Operator notes#

  • Inventory first, you can’t secure what you can’t see. Many breaches start in shadow / zombie / forgotten APIs (API9). Discovery is the highest-ROI control.

  • Per-object authz on every request, BOLA / IDOR is the #1 API risk; centralised authz layer (OPA / Cedar / Casbin) helps.

  • Schema-first, OpenAPI / GraphQL SDL / proto files enable validation, codegen, and testing.

  • Rate-limit every endpoint, account-level + IP-level + per-token; protect login + signup.

  • Token-binding (DPoP / mTLS) for high-value APIs; bearer-only is too phishable.

  • Disable GraphQL introspection in prod; never expose field-suggestions.

  • CORS = allow specific origins only; * is a code smell.

  • Don’t echo error stacks to API consumers.

  • Trust no third-party API output, API10; treat upstream JSON as user input.

  • API gateway is not a WAF, pair with WAF / WAAP for L7 protection (see CDNs & Edge).

References#