API Security Fundamentals
API security encompasses the practices and controls that protect application programming interfaces from unauthorized access, data exposure, and abuse. As APIs become the primary integration layer for modern applications, they have become a primary attack surface: they carry the majority of web traffic and account for a growing share of data breaches.
APIs differ from traditional web applications in ways that make them uniquely vulnerable:
- Direct data access: APIs expose business logic and data directly, without the mediation of a UI that limits what users can request
- Machine-to-machine communication: Automated clients can probe APIs at scale, testing thousands of endpoints and parameter combinations
- Multiple consumers: A single API may serve web frontends, mobile apps, third-party integrations, and internal services—each with different trust levels
- Stateless design: REST APIs authenticate each request independently, so every call carries its own credential (bearer token, API key, or request signature), making token issuance, validation, and revocation critical
Both REST and GraphQL APIs face these challenges, though the attack patterns differ. REST APIs are vulnerable to endpoint enumeration and broken object-level authorization (BOLA). GraphQL APIs face query depth attacks (deeply nested selections that explode resolver work), introspection leaks (the full schema handed to anyone who asks), and batching abuse (many operations or aliased fields in one HTTP request) that can extract large datasets in a single request and sidestep per-request rate limits.
Common API Vulnerabilities
API vulnerabilities fall into categories that mirror the OWASP API Security Top 10:
Authentication and Authorization
- Missing authentication: API endpoints that accept requests without validating identity. Internal APIs exposed to the internet without auth middleware are a frequent finding.
- Broken Object Level Authorization (BOLA): Authenticated users can access other users' resources by manipulating object IDs in API requests (e.g., /api/users/123/records changed to /api/users/456/records).
- API key exposure: Keys hardcoded in client-side JavaScript, committed to version control, or logged in error messages.
Configuration and Transport
- CORS misconfiguration: Overly permissive Cross-Origin Resource Sharing headers. A wildcard (Access-Control-Allow-Origin: *) lets any website read responses from endpoints that do not require credentials. Browsers refuse to combine the wildcard with Access-Control-Allow-Credentials: true, so the more dangerous pattern is a server that reflects the request's Origin header back while also allowing credentials; that lets any website make authenticated requests to the API in the victim's browser and read the responses.
- Insecure HTTP: API endpoints serving over HTTP instead of HTTPS, exposing tokens and data to network interception.
- Missing rate limiting: APIs without request throttling are vulnerable to brute force attacks, credential stuffing, and denial-of-service.
Data Exposure
- Excessive data exposure: APIs returning full database objects instead of filtered responses, leaking sensitive fields the client does not need.
- Verbose error messages: Stack traces, database schema details, or internal paths returned in API error responses.
The OWASP API Top 10
The OWASP API Security Top 10 identifies the most critical API-specific risks. Unlike the general OWASP Top 10, it focuses on vulnerabilities unique to API architectures:
- API1 - Broken Object Level Authorization: The most common API vulnerability. Attackers manipulate object IDs to access unauthorized resources.
- API2 - Broken Authentication: Weak token validation, missing authentication on endpoints, or token leakage.
- API3 - Broken Object Property Level Authorization: Mass assignment and excessive data exposure through unfiltered object properties.
- API4 - Unrestricted Resource Consumption: Missing rate limiting and resource quotas leading to DoS and cost exploitation.
- API5 - Broken Function Level Authorization: Users accessing administrative functions by changing HTTP methods or endpoint paths.
- API6 - Unrestricted Access to Sensitive Business Flows: Automated abuse of business logic (ticket scalping, mass account creation).
- API7 - Server Side Request Forgery: APIs that fetch user-supplied URLs without validation.
- API8 - Security Misconfiguration: Permissive CORS, missing security headers, default credentials, unnecessary HTTP methods enabled.
- API9 - Improper Inventory Management: Untracked API versions, deprecated endpoints still accessible, shadow APIs.
- API10 - Unsafe Consumption of APIs: Trusting data from third-party APIs without validation.
These categories highlight that API security is fundamentally about authorization and access control, not just input validation.
How CodeSlick Scans APIs (5 Checks)
CodeSlick includes 5 specialized API security checks that detect the most exploitable API vulnerabilities in your source code:
- Insecure HTTP: Flags API endpoints and fetch calls using http:// instead of https://, preventing data interception on the wire
- Missing Authentication: Identifies API route handlers without authentication middleware or token validation
- API Key Exposure: Detects API keys hardcoded in source files, client-side code, and configuration objects
- CORS Misconfiguration: Flags wildcard origins (*), reflected origins, and permissive CORS headers that allow unauthorized cross-origin access
- Rate Limiting Gaps: Identifies API endpoints missing request throttling, leaving them open to brute force and abuse
These checks run across JavaScript, TypeScript, Python, Java, and Go in under 3 seconds. All findings include OWASP API Top 10 mapping and AI-powered fix suggestions.
Scan your API code for authentication gaps, CORS misconfigurations, and key exposure instantly.