API Security Guide
Complete guide to securing API endpoints in AI-generated backends. Learn how to protect REST and GraphQL APIs with proper authentication, authorization, validation, and rate limiting.
Authentication is Not Authorization
AI-generated APIs often verify user identity (authentication) but skip permission checks (authorization). Knowing who the user is does not mean they have permission to access the requested resource. Every endpoint must verify both identity and permissions.
API Security Implementation Checklist
Follow these 12 steps to properly secure your API endpoints. Critical items must be implemented for every API endpoint handling user data.
Require authentication for all endpoints
Verify the JWT (signature, expiry, issuer and audience), API key, or session cookie on every request, on the server. Never infer that a client is authenticated from an earlier request, and never trust client-supplied identity headers such as X-User-Id.
Implement authorization checks
Verify that the authenticated user is allowed to act on the specific resource requested: check that the resource's owner ID matches the user_id taken from the verified token, or that the user's role permits the operation. Perform the check on every request, server-side, using the identity from the token rather than an ID supplied in the request body or query string.
Validate all input parameters
Validate query parameters, the request body, headers, and path parameters against an explicit schema: type, length, numeric range, and allowed values. Reject requests with invalid, unknown, or missing required fields rather than silently correcting them, and never rely on client-side validation alone.
Use HTTPS for all endpoints
Enforce TLS on every API endpoint. Redirect HTTP to HTTPS and send a Strict-Transport-Security (HSTS) header so browsers refuse to fall back to plain HTTP on later connections.
Implement rate limiting
Limit requests per authenticated user or API key, falling back to the client IP for anonymous traffic, to prevent abuse, brute force, and denial of service. Use a tighter limit for anonymous clients than for authenticated ones, and return 429 with a Retry-After header when the limit is hit.
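An added example (not code from this page or from VibeEval) of the limiter described above, in plain Python with no framework: a sliding-window counter keyed on the verified user ID when there is one and on the client IP otherwise, with the tighter anonymous limit. The limits, the ManualClock used to demonstrate it offline, and the check_rate_limit wrapper are all constructed for illustration; a deployment with more than one API instance would back the same logic with a shared store such as Redis.

```python
import time
from collections import deque

# Constructed per-tier limits: (max requests, window in seconds). Authenticated
# principals get more headroom than anonymous clients; tune these per endpoint.
LIMITS = {
    "user": (100, 60.0),
    "anon": (20, 60.0),
}


class ManualClock:
    """Deterministic clock used here so the behaviour can be demonstrated offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SlidingWindowLimiter:
    """Sliding-window rate limiter keyed by client identity.

    The key is "user:<id>" for authenticated requests and "ip:<addr>" otherwise,
    so a logged-in abuser cannot dodge the limit by rotating IPs and an anonymous
    client cannot borrow an authenticated user's larger quota. The in-memory
    dict is a stand-in for a shared store in a multi-instance API.
    """

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.windows = {}  # key -> deque of request timestamps inside the window

    @staticmethod
    def key_for(user_id, remote_ip):
        if user_id is not None:
            return "user", f"user:{user_id}"
        return "anon", f"ip:{remote_ip}"

    def allow(self, user_id, remote_ip):
        """Return (allowed, retry_after_seconds) for one incoming request."""
        tier, key = self.key_for(user_id, remote_ip)
        max_requests, window = self.limits[tier]
        now = self.clock()
        hits = self.windows.setdefault(key, deque())
        while hits and now - hits[0] >= window:  # evict timestamps outside the window
            hits.popleft()
        if len(hits) >= max_requests:
            return False, window - (now - hits[0])
        hits.append(now)
        return True, 0.0


def check_rate_limit(limiter, user_id, remote_ip):
    """Map the limiter decision to what a middleware would send.

    Returns None to let the request through, or (status, headers, body) for a
    429 rejection carrying Retry-After (rounded up to whole seconds) so
    well-behaved clients back off.
    """
    allowed, retry_after = limiter.allow(user_id, remote_ip)
    if allowed:
        return None
    headers = {"Retry-After": str(int(retry_after + 0.999))}
    return 429, headers, {"error": "rate limit exceeded"}
```

The key choice is the part AI-generated middleware most often gets wrong: limiting only by IP lets one compromised account hammer the API from a proxy pool, while limiting only by user leaves login and signup endpoints, where there is no user yet, unprotected.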
Sanitize error messages
Return generic error messages to clients. Never expose stack traces, SQL queries, file paths, library versions, or other internal details in API responses; log the full detail server-side under a correlation ID that the client response can reference.
Validate content-type headers
Verify that the Content-Type header matches the format the endpoint actually parses (for example application/json). Reject requests with a missing or mismatched Content-Type instead of sniffing the body, which prevents MIME confusion attacks such as a JSON endpoint accepting a form-encoded body submitted from a cross-site HTML form.
Set secure CORS policies
Configure CORS with an exact allowlist of trusted origins. Never match origins by substring or suffix, and never reflect an arbitrary request Origin back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true. Browsers already refuse credentialed responses that use Access-Control-Allow-Origin: *, so origin reflection is the pattern that actually leaks authenticated data.
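An added example (not from this page or from VibeEval) of the allowlist check above in plain Python, with the insecure substring-matching variant beside it for contrast. The origins in ALLOWED_ORIGINS and the attacker hostnames are constructed for illustration.

```python
# Constructed allowlist of trusted browser origins. Entries are full origins
# (scheme + host + optional port) and are compared for exact equality.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """CORS response headers for a cookie- or token-authenticated API.

    Returns an empty dict for an untrusted or absent Origin, so the browser
    refuses the cross-origin read. A trusted origin is echoed back exactly,
    together with Vary: Origin so a shared cache never serves one origin's
    response headers to another.
    """
    if request_origin is None or request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
        "Vary": "Origin",
    }


def cors_headers_insecure(request_origin):
    """The pattern to avoid: substring matching plus reflection with credentials.

    Any origin containing "example.com" is trusted, so https://evilexample.com
    and https://app.example.com.attacker.test both get the victim's cookies
    attached to cross-origin requests and can read the responses.
    """
    if request_origin and "example.com" in request_origin:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}
```

Note that the scheme is part of the comparison: http://app.example.com is a different origin from https://app.example.com and is rejected, which matters because an attacker on the network path can serve content from the plaintext origin.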
Implement request size limits
Set maximum sizes for request bodies, file uploads, and individual fields to prevent resource exhaustion. Enforce the limit at the reverse proxy as well as in the application so oversized JSON payloads and uploads are dropped before they are parsed, and check the actual body length rather than trusting Content-Length alone.
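An added example (not from this page or from VibeEval) that applies the three request-level checks from the checklist, input validation, Content-Type validation, and the request size limit, in the order a middleware should run them: cheap header checks first, then a bounded parse, then schema validation that rejects unknown fields. It is plain Python with no framework; the ORDER_SCHEMA, the 64 KiB cap, and the hypothetical POST /api/orders handler are constructed for illustration.

```python
import json

MAX_BODY_BYTES = 64 * 1024  # constructed cap for a JSON API endpoint


class RequestError(Exception):
    """Client-facing validation failure: status code plus a message we wrote ourselves."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


# Constructed schema for a hypothetical POST /api/orders body. Anything not
# listed here is rejected, so a client cannot smuggle in fields like is_admin.
ORDER_SCHEMA = {
    "sku": {"type": str, "required": True, "max_len": 64},
    "quantity": {"type": int, "required": True, "min": 1, "max": 1000},
    "note": {"type": str, "required": False, "max_len": 500},
}


def media_type(content_type):
    """Lowercased media type without parameters: "application/json; charset=utf-8" -> "application/json"."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def validate_json_request(headers, body, schema=ORDER_SCHEMA, max_bytes=MAX_BODY_BYTES):
    """Validate raw request headers and body; return the parsed dict or raise RequestError.

    Header checks run first so oversized or mismatched requests are rejected
    before the body is parsed at all.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if media_type(headers.get("content-type")) != "application/json":
        raise RequestError(415, "Content-Type must be application/json")
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) > max_bytes):
        raise RequestError(413, "request body too large")
    if len(body) > max_bytes:  # never trust the declared length alone
        raise RequestError(413, "request body too large")
    try:
        data = json.loads(body)
    except ValueError:  # covers JSONDecodeError and invalid UTF-8
        raise RequestError(400, "malformed JSON")
    if not isinstance(data, dict):
        raise RequestError(400, "JSON object expected")
    unknown = set(data) - set(schema)
    if unknown:
        raise RequestError(400, "unknown fields: " + ", ".join(sorted(unknown)))
    for field, rule in schema.items():
        if field not in data:
            if rule["required"]:
                raise RequestError(400, f"missing required field: {field}")
            continue
        value = data[field]
        # Exact type check: JSON true/false must not pass as an int, nor "2" as a number.
        if type(value) is not rule["type"]:
            raise RequestError(400, f"field {field} must be {rule['type'].__name__}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise RequestError(400, f"field {field} longer than {rule['max_len']} characters")
        if "min" in rule and value < rule["min"]:
            raise RequestError(400, f"field {field} below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            raise RequestError(400, f"field {field} above maximum {rule['max']}")
    return data


def handle_create_order(headers, body):
    """Hypothetical endpoint wrapper returning (status, response body)."""
    try:
        order = validate_json_request(headers, body)
    except RequestError as err:
        return err.status, {"error": err.message}
    return 201, {"accepted": order}
```

Rejecting unknown fields is the check most often missing from generated code: a handler that passes the parsed body straight to an ORM update will happily write is_admin or owner_id if the client sends them.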
Use API versioning
Version your API endpoints (for example with a path prefix such as /v1/) so a vulnerable or obsolete version can be deprecated and switched off on a schedule without breaking clients on the current version. Actually remove retired versions; a forgotten /v1/ that still answers is an unpatched attack surface.
Log security events
Log authentication failures, authorization denials, rate limit violations, and suspicious request patterns in a structured format, with a timestamp, request ID, source IP, path, and principal, so monitoring and incident response can query them. Never write credentials, tokens, session cookies, or full request bodies into these logs.
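An added example (not from this page or from VibeEval) that combines the two previous items, sanitized error responses and security event logging, in plain Python: run_handler turns any unexpected exception into a generic 500 carrying only an opaque error ID, records the full detail as a structured event under that same ID, and emits auth_failure, authz_denied and rate_limited events for the corresponding client-facing errors. The SecurityLog class, the request dict, and the buggy_report_handler whose error message leaks a query and a file path are constructed for illustration.

```python
import json
import logging
import time
import traceback
import uuid

logger = logging.getLogger("api.security")


class ApiError(Exception):
    """Error whose message was written by us and is therefore safe to show a client."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


class SecurityLog:
    """Structured security-event sink: one JSON line per event.

    Events are also kept in memory so the behaviour can be checked offline;
    in production the same lines would be shipped to the SIEM.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.events = []

    def event(self, kind, **fields):
        record = {"ts": self.clock(), "event": kind, **fields}
        self.events.append(record)
        logger.warning(json.dumps(record, sort_keys=True, default=str))
        return record


# Client-facing statuses that are security signals worth a log line.
EVENT_FOR_STATUS = {401: "auth_failure", 403: "authz_denied", 429: "rate_limited"}


def run_handler(handler, request, seclog):
    """Invoke an endpoint handler and turn any failure into a safe response.

    request is a plain dict (constructed stand-in for a framework request) with
    at least "path" and "remote_ip" and, once authenticated, "user_id".
    """
    try:
        return handler(request)
    except ApiError as err:
        if err.status in EVENT_FOR_STATUS:
            seclog.event(
                EVENT_FOR_STATUS[err.status],
                path=request.get("path"),
                remote_ip=request.get("remote_ip"),
                user_id=request.get("user_id"),
            )
        return err.status, {"error": err.message}
    except Exception as exc:  # anything unexpected: log everything, return nothing specific
        error_id = uuid.uuid4().hex
        seclog.event(
            "unhandled_exception",
            error_id=error_id,
            path=request.get("path"),
            remote_ip=request.get("remote_ip"),
            user_id=request.get("user_id"),
            exc_type=type(exc).__name__,
            detail=str(exc),
            trace=traceback.format_exc(),
        )
        # The client gets only an opaque reference it can quote to support.
        return 500, {"error": "internal server error", "error_id": error_id}


def buggy_report_handler(request):
    """Constructed handler whose failure message leaks internals, as a DB driver's error would."""
    raise RuntimeError(
        'relation "reports" does not exist at /srv/app/db.py:88 '
        'in query SELECT * FROM reports WHERE owner_id = $1'
    )


def forbidden_handler(request):
    """Constructed handler that denies access with a message written by us."""
    raise ApiError(403, "forbidden")
```

The split between ApiError and everything else is the point: only messages the code itself authored reach the client, and the error_id links the generic response to the full server-side record without exposing any of it.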
Implement idempotency for mutations
Require an idempotency key for POST operations that have side effects (PUT and DELETE are idempotent by HTTP semantics, though handling the key on them does no harm). Store the key together with a fingerprint of the request and the eventual response, scoped to the authenticated user, so a duplicate submission or a replayed request returns the original result instead of performing the action a second time, and a reused key with a different body is rejected.
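An added example (not from this page or from VibeEval) of idempotency-key handling for a payment endpoint, in plain Python. The in-memory IdempotencyStore stands in for a Redis or database table, the FakeGateway counts how many charges actually happen, and create_payment is a hypothetical POST /payments handler; all three are constructed for illustration. The store keys on (user, key) so one user cannot replay another's key, fingerprints the body so a reused key with a different payload is refused, and distinguishes a finished request from one still in flight.

```python
import hashlib
import json
import time


class IdempotencyStore:
    """In-memory idempotency-key store, a constructed stand-in for Redis or a DB table.

    Entries are scoped to the authenticated user and expire after ttl_seconds.
    """

    def __init__(self, ttl_seconds=24 * 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.entries = {}  # (user_id, key) -> {"fp", "response", "created"}

    @staticmethod
    def fingerprint(body):
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def _expire(self, now):
        stale = [k for k, e in self.entries.items() if now - e["created"] >= self.ttl]
        for k in stale:
            del self.entries[k]

    def begin(self, user_id, key, body):
        """Claim a key. Returns one of:
        ("new", None)           first time this key is seen: caller performs the work
        ("replay", response)    same key and body seen before: return the stored response
        ("in_progress", None)   same key and body, earlier attempt still running
        ("conflict", None)      same key but a different body: client bug or tampering
        """
        now = self.clock()
        self._expire(now)
        fp = self.fingerprint(body)
        entry = self.entries.get((user_id, key))
        if entry is None:
            self.entries[(user_id, key)] = {"fp": fp, "response": None, "created": now}
            return "new", None
        if entry["fp"] != fp:
            return "conflict", None
        if entry["response"] is None:
            return "in_progress", None
        return "replay", entry["response"]

    def complete(self, user_id, key, response):
        self.entries[(user_id, key)]["response"] = response


class FakeGateway:
    """Constructed payment gateway that records every charge it performs."""

    def __init__(self):
        self.charges = []

    def charge(self, body):
        self.charges.append(body)
        return {"charge_id": f"ch_{len(self.charges):04d}", "amount_cents": body["amount_cents"]}


def create_payment(store, gateway, user_id, idempotency_key, body):
    """Hypothetical POST /payments handler returning (status, body).

    user_id comes from the verified token, never from the request body.
    """
    if not idempotency_key:
        return 400, {"error": "Idempotency-Key header required"}
    state, cached = store.begin(user_id, idempotency_key, body)
    if state == "replay":
        return cached
    if state == "conflict":
        return 422, {"error": "Idempotency-Key already used with a different request body"}
    if state == "in_progress":
        return 409, {"error": "a request with this Idempotency-Key is still being processed"}
    response = (201, gateway.charge(body))
    store.complete(user_id, idempotency_key, response)
    return response
```

In a real store the claim in begin must be atomic (a conditional SET or an insert on a unique index); two concurrent requests with the same key that both see "new" would both charge, which is exactly the duplicate the key exists to prevent.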
Common API Security Issues
Missing Authorization Checks
Critical: Authentication verifies identity, but no authorization check confirms that the user has permission to access the resource.
Direct Object References
Critical: API endpoints use database IDs in URLs without verifying that the authenticated user owns or may access the resource.
Excessive Data Exposure
High: API responses return entire database objects, including sensitive fields, instead of filtering to the data the client needs.
No Rate Limiting
High: APIs allow unlimited requests, enabling brute force attacks, credential stuffing, and resource exhaustion.
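An added example (not from this page or from VibeEval) that shows the first three issues above, Missing Authorization Checks, Direct Object References and Excessive Data Exposure, in one handler, and the hardened form the "Implement authorization checks" item of the checklist calls for. It is plain Python; the Principal dataclass, the INVOICES table, the two roles and the field allowlist are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity established by token verification; never built from request fields."""
    user_id: str
    role: str  # constructed roles: "customer" or "support"


# Constructed in-memory table standing in for the invoices table.
INVOICES = {
    1001: {"id": 1001, "owner_id": "alice", "amount_cents": 4200, "card_last4": "4242",
           "internal_notes": "chargeback risk: low", "psp_customer_ref": "cus_constructed_1"},
    1002: {"id": 1002, "owner_id": "bob", "amount_cents": 15800, "card_last4": "1111",
           "internal_notes": "VIP account, waive fees", "psp_customer_ref": "cus_constructed_2"},
}

# Fields a customer may see. Everything else stays server-side.
CUSTOMER_FIELDS = ("id", "amount_cents", "card_last4")


def get_invoice_vulnerable(principal, invoice_id):
    """The shape AI-generated handlers often take: the caller is authenticated
    (a Principal exists), but any existing id is served and the whole row,
    internal notes and payment-provider reference included, goes to the client.
    """
    row = INVOICES.get(invoice_id)
    if row is None:
        return 404, {"error": "not found"}
    return 200, dict(row)


def can_read_invoice(principal, row):
    """Object-level authorization: the owner, or a role that legitimately needs access."""
    return row["owner_id"] == principal.user_id or principal.role == "support"


def get_invoice(principal, invoice_id):
    """Hardened GET /invoices/{id}: ownership or role check, then a filtered response."""
    row = INVOICES.get(invoice_id)
    # Same response for "missing" and "not yours", so an attacker iterating ids
    # cannot learn which ones exist.
    if row is None or not can_read_invoice(principal, row):
        return 404, {"error": "not found"}
    return 200, {k: row[k] for k in CUSTOMER_FIELDS}
```

The ownership comparison uses principal.user_id from the verified token; comparing against a user_id the client sends in the query string would let the caller choose whose invoices they own.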
Test Your API Security
VibeEval automatically tests your API endpoints for authentication bypasses, authorization flaws, injection vulnerabilities, and rate limiting gaps to identify security issues before attackers do.
Start Free API Security Scan