API Security#
Reference of API design styles, authentication / authorization patterns, the OWASP API Security Top 10, gateway products, and discovery / testing tools. Useful for AppSec review, pentest scoping, and threat-model design.
For broader web hacking, see Hacking. For identity providers / OAuth, see Identity Providers (IdPs). For WAFs + CDN-bundled API protection, see CDNs & Edge.
API styles#
Style |
Notes |
|---|---|
REST |
HTTP verbs + resources; JSON; the dominant style. Spec via OpenAPI 3.x (formerly Swagger). |
GraphQL |
Query language; single endpoint; introspection (often left on). Spec by Meta. |
gRPC |
HTTP/2 + Protocol Buffers; bidirectional streaming; Google. |
gRPC-Web |
Browser-compatible gRPC over HTTP/1.1. |
SOAP |
XML; WS-* family; legacy enterprise. |
JSON-RPC / XML-RPC |
Light RPC. |
WebSocket |
Persistent bidirectional; upgrade from HTTP. |
WebRTC |
Real-time peer-to-peer media + data; STUN/TURN. |
Webhook |
Outbound HTTP from one app to another. |
Server-Sent Events |
Unidirectional server-to-client over HTTP. |
EDA / event-driven |
Async; AsyncAPI spec. |
Authentication patterns#
Pattern |
Notes |
|---|---|
API key |
Long-lived shared secret; usually a header (X-API-Key) or query. Easy + insecure for client-side use. |
Basic Auth |
Base64(user:pass); use only over TLS. |
Bearer + JWT |
Authorization: Bearer <token>; JWT signed by issuer. |
Bearer + opaque |
Same; opaque token requires introspection (RFC 7662). |
OAuth 2.0 client_cre dentials |
Server-to-server access tokens. |
OAuth 2.0 authorisat |
ion code + PKCE User-delegated; the modern web/mobile default. |
OIDC + ID token |
OAuth + identity layer. |
OAuth 2.0 device cod e |
TV / CLI flow. |
mTLS |
Client cert + server cert; common for B2B. |
DPoP |
Demonstration of PoP; sender-constrained tokens. |
HTTP Sig |
Signed HTTP requests; AWS SigV4 / Stripe / Mastodon use this. |
HMAC signing |
Shared-secret HMAC over standard request. |
JWS / JWT bearer |
Signed JWT as auth assertion. |
PASETO |
JWT alternative without algorithm confusion. |
SCIM |
User provisioning, not auth per se. |
OWASP API Security Top 10 (2023)#
ID |
Description |
|---|---|
API1:2023 |
Broken Object Level Authorization (BOLA), IDOR / per-object authz failure. |
API2:2023 |
Broken Authentication, weak / missing auth, JWT misuse. |
API3:2023 |
Broken Object Property Level Authorization, mass assignment + excessive data exposure. |
API4:2023 |
Unrestricted Resource Consumption, no rate limit, no quota. |
API5:2023 |
Broken Function Level Authorization, missing privilege checks. |
API6:2023 |
Unrestricted Access to Sensitive Business Flows, bot abuse of legit flows. |
API7:2023 |
Server-Side Request Forgery (SSRF), API takes URL input. |
API8:2023 |
Security Misconfiguration, defaults, verbose errors, CORS. |
API9:2023 |
Improper Inventory Management, shadow / zombie / deprecated APIs. |
API10:2023 |
Unsafe Consumption of APIs, trust of third-party API output. |
API gateway products#
Product |
Vendor |
Notes |
|---|---|---|
Kong Gateway |
Kong Inc. |
OSS Lua/Nginx-based; the OSS leader. |
Kong Konnect |
Kong |
Cloud control plane. |
Apigee |
Acquired 2016; the enterprise default. |
|
AWS API Gateway |
AWS |
Managed (REST + HTTP + WebSocket). |
Azure API Management |
Microsoft |
Managed. |
Tyk |
Tyk |
OSS + commercial. |
Amazon Application S ignals |
AWS |
Application observability. |
NGINX / NGINX Plus |
F5 / NGINX |
Reverse proxy + API gateway. |
Envoy + Istio Gatewa y |
CNCF |
Service-mesh + API. |
Traefik |
Traefik |
K8s-native gateway. |
Krakend / Lura |
Krakend |
Open-source gateway. |
WSO2 API Manager |
WSO2 |
OSS + commercial. |
Mulesoft Anypoint |
Salesforce |
Enterprise. |
IBM API Connect |
IBM |
Enterprise. |
SAP API Management |
SAP |
Enterprise. |
Cloudflare API Gateway |
Cloudflare |
Cloudflare’s API security. |
Google Cloud Endpoints + Apigee |
Managed. |
API security products#
Vendor |
Notes |
|---|---|
Salt Security |
API discovery + runtime; bought by Akamai 2024. |
Noname Security |
API discovery + runtime; bought by Akamai 2024. |
Traceable AI |
Distributed-tracing-based API security. |
Cequence Security |
API protection. |
Imperva API Security |
API gateway security. |
Wallarm |
API security + WAAP. |
42Crunch |
API security + OAS scanning. |
APIsec |
Auto-generated API tests. |
Akamai API Security |
Acquired Noname + Salt. |
Cloudflare API Shield |
Cloudflare; schema validation + abuse detection. |
Microsoft Defender for APIs |
MS-native discovery + protection. |
F5 Distributed Cloud |
API discovery. |
Datadog ASM |
Application Security Management. |
Discovery / testing#
Tool |
Notes |
|---|---|
Burp Suite |
PortSwigger; the standard manual + automated tester. |
ZAP |
OWASP free alternative. |
Caido |
Modern Burp alternative. |
Postman / Insomnia |
API client + test. |
mitmproxy |
Python proxy + scripting. |
nuclei |
Templates for API CVEs. |
Akto |
Open-source API security testing. |
OWASP API Security Test Project |
Project home. |
APIsec / Pynt / Nost ra |
Commercial dynamic. |
schemathesis |
Property-based OpenAPI testing. |
Swagger Codegen / OAS -tools |
Schema tooling. |
Spectral |
Stoplight; OpenAPI linter. |
Postman API Security |
Postman’s built-in scanning. |
Gobuster / FFUF / Dir yield |
Endpoint discovery. |
JWT_Tool |
JWT manipulation. |
GraphQL Voyager |
Schema exploration. |
GraphCrawler |
GraphQL pentest. |
clairvoyance |
GraphQL introspection bypass. |
inql |
GraphQL Burp extension. |
JWT pitfalls#
Pitfall |
Notes |
|---|---|
alg=none |
Spec-allowed; many libs accept; refuse explicitly. |
HS256 vs RS256 |
Algorithm confusion; force only the algorithm you signed with. |
jku / jwk / kid |
Header parameters that fetch public keys; SSRF / key substitution risk. |
Long TTL |
Reduces revocation effectiveness; pair with refresh tokens + revocation endpoint. |
No revocation |
JWTs are stateless; need explicit revocation list or short TTL. |
Sensitive claims |
Don’t put PII / secrets in JWT body (it’s just base64). |
None of the above |
Use the platform JWT lib correctly; never roll your own. |
Operator notes#
Inventory first, you can’t secure what you can’t see. Many breaches start in shadow / zombie / forgotten APIs (API9). Discovery is the highest-ROI control.
Per-object authz on every request, BOLA / IDOR is the #1 API risk; centralised authz layer (OPA / Cedar / Casbin) helps.
Schema-first, OpenAPI / GraphQL SDL / proto files enable validation, codegen, and testing.
Rate-limit every endpoint, account-level + IP-level + per-token; protect login + signup.
Token-binding (DPoP / mTLS) for high-value APIs; bearer-only is too phishable.
Disable GraphQL introspection in prod; never expose field-suggestions.
CORS = allow specific origins only; * is a code smell.
Don’t echo error stacks to API consumers.
Trust no third-party API output, API10; treat upstream JSON as user input.
API gateway is not a WAF, pair with WAF / WAAP for L7 protection (see CDNs & Edge).