Why You Need a Security Checklist
APIs are among the most commonly attacked surfaces in modern applications. The OWASP API Security Top 10 catalogues the vulnerability classes that affect APIs of all sizes, from startups to enterprises. A structured checklist ensures you address each critical area systematically before exposing your API to production traffic.
Use this checklist during development, before every major release, and as part of periodic security reviews.
The Checklist
1. Enforce HTTPS Everywhere
All API endpoints must be served exclusively over HTTPS with TLS 1.2 or higher. For an API, reject plain-HTTP requests rather than redirecting them: a client that has already sent a bearer token or API key over HTTP has leaked it, and a redirect teaches clients that HTTP works. Ensure your TLS certificates are valid, not expired, and issued by a trusted certificate authority.
Verification: Attempt to access your API over plain HTTP and confirm the request is rejected (or, at minimum, redirected to HTTPS) and that no credentialed request ever succeeds over HTTP.
2. Implement Authentication on Every Endpoint
Every API endpoint must require authentication unless it is explicitly designed to be public. Use established standards such as OAuth 2.0 bearer tokens (commonly JWTs) for users, or API keys for machine clients. Validate credentials server-side on every request: for a JWT that means checking the signature, expiry, issuer, and audience, not just decoding it. Never rely on obscurity (hard-to-guess URLs) as a substitute for proper authentication.
Verification: Enumerate every route (from the router or the OpenAPI document, not from memory), send requests without credentials and with expired or malformed tokens, and confirm each returns 401 Unauthorized.
3. Apply Authorization Checks
Authentication confirms identity; authorization confirms permission. Verify that each authenticated user or client has the specific permissions required for the requested operation. Implement role-based or attribute-based access control at the function level, and also check at the object level: a request for /users/123/orders must confirm that the caller is allowed to see user 123, not merely that the caller is logged in. Broken object level authorization is the top item in the OWASP API Security Top 10.
Verification: Authenticate as a user with limited permissions and attempt to access resources or operations they should not be allowed to use. Substitute identifiers belonging to another user in paths, query strings, and bodies; every such request must fail with 403 (or 404 if you choose not to reveal that the object exists).
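The two layers described above, as an added example that is not code from the original checklist: a function-level role check followed by an object-level ownership check, so that an authenticated but unrelated user cannot read another user's invoice. The `Principal` type, the `authorize` helper, the `INVOICES` store and the `PERMISSIONS` table are assumptions constructed for this illustration.

```python
"""Function-level and object-level authorization for a small resource API.

Added example (not from the original checklist). `Principal`, `authorize`,
the in-memory INVOICES store and the PERMISSIONS table are assumptions
made for this illustration.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authenticated caller lacks permission (HTTP 403)."""


@dataclass(frozen=True)
class Principal:
    """The authenticated identity, as established by the authentication layer."""
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed sample data: invoices keyed by id, each owned by one user.
INVOICES = {
    "inv-1001": {"owner": "alice", "amount": 120},
    "inv-1002": {"owner": "bob", "amount": 75},
}

# Function-level policy: which roles may perform each action.
PERMISSIONS = {
    "invoice:read": {"user", "admin"},
    "invoice:delete": {"admin"},
}


def authorize(principal, action, invoice_id):
    """Two independent checks; both must pass.

    1. Function level: does any of the caller's roles grant `action`?
    2. Object level: does the caller own this specific invoice (admins
       excepted)? This is the check that prevents BOLA/IDOR.
    """
    allowed_roles = PERMISSIONS.get(action, set())
    if not principal.roles & allowed_roles:
        raise Forbidden(f"role not permitted to {action}")
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        # Same error as for a foreign object, so callers cannot probe which
        # ids exist by comparing responses.
        raise Forbidden("no access to invoice")
    if "admin" not in principal.roles and invoice["owner"] != principal.user_id:
        raise Forbidden("no access to invoice")
    return invoice


def get_invoice(principal, invoice_id):
    """Handler for GET /invoices/{id}; returns (status, body)."""
    try:
        invoice = authorize(principal, "invoice:read", invoice_id)
    except Forbidden:
        return 403, {"error": "forbidden"}
    return 200, invoice


def delete_invoice(principal, invoice_id):
    """Handler for DELETE /invoices/{id}; returns (status, body)."""
    try:
        authorize(principal, "invoice:delete", invoice_id)
    except Forbidden:
        return 403, {"error": "forbidden"}
    del INVOICES[invoice_id]
    return 204, None
```

The verification step for this item is exactly the test you would write against such handlers: a `user`-role principal reading their own invoice (200), the same principal reading someone else's (403), and the same principal attempting a delete (403) even though the request is fully authenticated.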
4. Validate All Input
Validate every piece of input your API receives: path parameters, query strings, headers, and request bodies. Use schema validation to enforce types, formats, lengths, and allowed values. Reject any request that does not conform to the expected schema.
Verification: Send malformed, oversized, and unexpected input to each endpoint and confirm it is rejected with appropriate error messages.
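A schema validator for a JSON request body, added here as an example and not code from the original checklist. It enforces the four constraint kinds named above (types, formats, lengths, allowed values) and additionally rejects unknown fields and oversized bodies, using only the standard library so it runs anywhere; the `SCHEMA` for a hypothetical POST /users body, the `validate` helper and `MAX_BODY_BYTES` are assumptions for this illustration. A production service would more likely use jsonschema or pydantic, but the checks are the same.

```python
"""Schema validation of a JSON request body, standard library only.

Added example, not code from the original checklist. SCHEMA, validate()
and MAX_BODY_BYTES are assumptions made for this illustration.
"""
import json
import re

# Deliberately loose: one local part, one '@', one domain part, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")

# One entry per field: Python type, whether required, and constraints.
SCHEMA = {
    "username": {"type": str, "required": True, "min_len": 3, "max_len": 32,
                 "pattern": re.compile(r"^[a-z0-9_]+$")},
    "email":    {"type": str, "required": True, "max_len": 320, "pattern": EMAIL_RE},
    "age":      {"type": int, "required": False, "min": 13, "max": 130},
    "role":     {"type": str, "required": False, "enum": {"viewer", "editor"}},
}

MAX_BODY_BYTES = 4096  # assumed per-endpoint body limit for this example


def validate(raw_body):
    """Return a list of error strings; an empty list means the body conforms.

    Checks, in order: size, JSON well-formedness, top-level shape, unknown
    keys (rejected rather than silently ignored), required fields, types,
    then per-field value constraints.
    """
    if len(raw_body) > MAX_BODY_BYTES:
        return [f"body exceeds {MAX_BODY_BYTES} bytes"]
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]

    errors = [f"unexpected field: {key}" for key in body if key not in SCHEMA]

    for name, rule in SCHEMA.items():
        if name not in body:
            if rule["required"]:
                errors.append(f"{name}: required")
            continue
        value = body[name]
        # bool is a subclass of int in Python; true/false must not pass as an int.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "min_len" in rule and len(value) < rule["min_len"]:
            errors.append(f"{name}: shorter than {rule['min_len']}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']}")
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append(f"{name}: invalid format")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above {rule['max']}")
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"{name}: not one of {sorted(rule['enum'])}")
    return errors
```

The error strings name the offending field but never echo the submitted value back, which keeps the 400 response useful to a legitimate client without turning it into a reflection point.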
5. Implement Rate Limiting
Apply rate limits to all endpoints to protect against abuse, brute-force attacks, and denial-of-service attempts. Key limits on the authenticated principal or API key where one exists, not only on source IP, since attackers rotate addresses. Use different limits for different endpoint categories (authentication endpoints should have stricter limits). Return rate limit headers in responses (the RateLimit-* headers from the IETF httpapi draft, plus the standard Retry-After on a 429).
Verification: Send requests exceeding the configured limit and confirm you receive 429 Too Many Requests responses with a Retry-After header, and that limits on one category or client do not affect others.
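A sliding-window limiter with per-category budgets and the headers described above, added as an example and not code from the original checklist. The `LIMITS` table, the `categorize` mapping, the `RateLimiter` class and the `handle` dispatcher are assumptions for this illustration; the clock is injectable so the window behaviour can be tested without sleeping.

```python
"""Per-client sliding-window rate limiting with per-category limits.

Added example, not code from the original checklist. LIMITS, categorize(),
RateLimiter and handle() are assumptions for this illustration.
RateLimit-Limit/Remaining/Reset follow the IETF draft-ietf-httpapi-ratelimit-headers
naming; Retry-After is standard HTTP.
"""
import math
import time
from collections import defaultdict, deque

# (max requests, window seconds) per endpoint category. Authentication
# endpoints get a much tighter budget because they are brute-force targets.
LIMITS = {
    "auth": (5, 60),
    "default": (100, 60),
}


def categorize(path):
    """Map a request path onto a limit category."""
    return "auth" if path.startswith("/auth/") else "default"


class RateLimiter:
    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so tests can control time
        self._hits = defaultdict(deque)  # (client_id, category) -> timestamps

    def check(self, client_id, path):
        """Return (allowed, headers); the request is counted only when allowed."""
        category = categorize(path)
        limit, window = LIMITS[category]
        now = self._clock()
        hits = self._hits[(client_id, category)]
        # Drop timestamps that have fallen out of the window.
        while hits and hits[0] <= now - window:
            hits.popleft()
        if len(hits) >= limit:
            # Seconds until the oldest counted request expires.
            retry_after = max(1, math.ceil(hits[0] + window - now))
            return False, {
                "RateLimit-Limit": str(limit),
                "RateLimit-Remaining": "0",
                "RateLimit-Reset": str(retry_after),
                "Retry-After": str(retry_after),
            }
        hits.append(now)
        return True, {
            "RateLimit-Limit": str(limit),
            "RateLimit-Remaining": str(limit - len(hits)),
            "RateLimit-Reset": str(max(1, math.ceil(hits[0] + window - now))),
        }


def handle(limiter, client_id, path):
    """Minimal dispatcher: 429 with the limit headers when over budget."""
    allowed, headers = limiter.check(client_id, path)
    if not allowed:
        return 429, headers, {"error": "too many requests"}
    return 200, headers, {"ok": True}
```

`client_id` should be the authenticated principal or API key when the request carries one, falling back to source IP only for unauthenticated endpoints. In a multi-instance deployment the per-client state would live in a shared store such as Redis rather than in process memory.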
6. Sanitize Output
Never include sensitive internal details in API responses. Remove stack traces, database query details, internal IPs, and debug information from production responses. Use generic error messages for server errors.
Verification: Trigger various error conditions and inspect responses for leaked internal information.
7. Protect Against Injection Attacks
Use parameterized queries for all database operations to prevent SQL injection; never build query text by string concatenation or formatting, even for "trusted" values. For system commands, avoid invoking a shell at all: pass arguments as an array to the process API and validate each argument against a strict allowlist, rather than trying to escape shell metacharacters. Encode output to prevent cross-site scripting when API responses are rendered in browsers.
Verification: Submit common injection payloads (SQL, NoSQL, command injection) and confirm they are treated as literal data and do not change query or command structure.
8. Enable CORS Properly
Configure Cross-Origin Resource Sharing (CORS) headers to allow requests only from trusted origins. Never use a wildcard (*) for the Access-Control-Allow-Origin header on authenticated endpoints, and never reflect whatever Origin the request carries: compare against an exact allowlist, not a prefix or substring match, and send Vary: Origin so caches do not serve one origin's response to another. Be explicit about allowed methods and headers. Remember that CORS only controls what a browser lets a page read; it is not an authorization mechanism and the server still processes the request.
Verification: Make requests with an untrusted Origin header (including look-alikes such as a trusted domain used as a subdomain of an attacker's host) and confirm the response carries no Access-Control-Allow-Origin for that origin.
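The allowlist logic described above, as an added example that is not code from the original checklist. `ALLOWED_ORIGINS`, `ALLOWED_METHODS`, `ALLOWED_HEADERS` and the `cors_headers` function are assumptions for this illustration; the function takes the request headers and method and returns the CORS headers to attach to the response.

```python
"""CORS response headers computed from an explicit origin allowlist.

Added example, not code from the original checklist. ALLOWED_ORIGINS,
ALLOWED_METHODS, ALLOWED_HEADERS and cors_headers() are assumptions for
this illustration.
"""

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = "GET, POST, PUT, DELETE"
ALLOWED_HEADERS = "Authorization, Content-Type"
PREFLIGHT_MAX_AGE = "600"


def cors_headers(request_headers, method):
    """Return the CORS headers to add to the response.

    - Exact-match against the allowlist; never reflect an arbitrary Origin
      and never emit '*', because this API sends credentials.
    - Always 'Vary: Origin', since the response differs per origin.
    - A preflight (OPTIONS with Access-Control-Request-Method) gets the
      method and header grants; ordinary responses get only the origin grant.
    """
    origin = request_headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        # Untrusted or same-origin request: no Access-Control-Allow-Origin at
        # all. A browser will then refuse to expose the response to the page.
        return {"Vary": "Origin"}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
    if method == "OPTIONS" and "Access-Control-Request-Method" in request_headers:
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        headers["Access-Control-Max-Age"] = PREFLIGHT_MAX_AGE
    return headers
```

The look-alike case in the verification step is why the comparison is set membership and not `startswith`: `https://app.example.com.evil.net` would pass a prefix check but is not in the allowlist.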
9. Log and Monitor API Activity
Log all authentication attempts, authorization failures, rate limit violations, and unusual request patterns. Send logs to a centralized logging system and set up alerts for suspicious activity. Ensure logs do not contain sensitive data such as passwords or tokens.
Verification: Review logs for completeness and confirm that alerting triggers correctly for simulated suspicious activity.
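One block serving items 6 and 9, added here as an example and not code from the original checklist: an error handler that returns only a generic message and a correlation ID to the client while the full exception goes to the server log, and a structured logger that redacts secret-looking keys and bearer tokens before anything is written. `SECRET_KEY_RE`, `BEARER_RE`, `redact`, `log_event` and `safe_error_response` are assumptions for this illustration.

```python
"""Generic error responses (item 6) plus secret-redacting structured logs (item 9).

Added example, not code from the original checklist. SECRET_KEY_RE,
BEARER_RE, redact(), log_event() and safe_error_response() are assumptions
for this illustration.
"""
import json
import logging
import re
import uuid

log = logging.getLogger("api")

# Keys whose values must never reach the log, matched case-insensitively.
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|authorization|api[-_]?key|cookie)", re.I
)
# Bearer credentials that may appear inside free-text values.
BEARER_RE = re.compile(r"Bearer\s+[A-Za-z0-9._~+/-]+=*", re.I)


def redact(value):
    """Recursively mask secret-looking keys and bearer tokens in log data."""
    if isinstance(value, dict):
        return {
            k: ("[REDACTED]" if SECRET_KEY_RE.search(str(k)) else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return BEARER_RE.sub("Bearer [REDACTED]", value)
    return value


def log_event(event, **fields):
    """Emit one JSON log line with secrets removed; returns the line."""
    record = {"event": event, **redact(fields)}
    line = json.dumps(record, sort_keys=True)
    log.info(line)
    return line


def safe_error_response(exc, request_meta):
    """Map any exception to a generic client response.

    The exception type, message and traceback are logged server-side under a
    correlation id; the client sees only the id, which support staff can use
    to find the log entry. Nothing about the database, hosts or code paths
    reaches the response body.
    """
    correlation_id = str(uuid.uuid4())
    log_event(
        "unhandled_error",
        correlation_id=correlation_id,
        error_type=type(exc).__name__,
        error=str(exc),
        request=request_meta,
    )
    log.error("unhandled error %s", correlation_id, exc_info=exc)
    return 500, {"error": "internal server error", "correlation_id": correlation_id}
```

`redact` is applied to the whole field tree rather than to a fixed list of top-level names, so a token nested under `request.headers.Authorization` is masked as reliably as a top-level `password`. The verification step for item 9 is then a grep of the log sink for any known test credential after exercising the API.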
10. Encrypt Sensitive Data at Rest
Encrypt all sensitive data stored in databases, caches, and file systems using an authenticated encryption mode such as AES-256-GCM (or an equivalent AEAD), so that tampering is detected as well as confidentiality preserved. Manage encryption keys using a dedicated key management service rather than storing them alongside the data. Rotate keys on a regular schedule.
Verification: Inspect stored data directly in the database and confirm sensitive fields are encrypted and not stored in plaintext.
11. Implement Request Size Limits
Set maximum payload sizes for all endpoints to prevent memory exhaustion attacks. Configure limits at both the application level and the reverse proxy or API gateway level. Return 413 Payload Too Large for oversized requests.
Verification: Send requests with payloads exceeding the configured limit and confirm they are rejected.
12. Use Security Headers
Include security-relevant HTTP headers in all API responses:
Strict-Transport-Security to enforce HTTPS
X-Content-Type-Options: nosniff to prevent MIME sniffing
X-Frame-Options: DENY to prevent clickjacking
Cache-Control: no-store for responses containing sensitive data
Verification: Inspect response headers from your API and confirm all security headers are present and correctly configured.
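A helper that applies the four headers listed above to an outgoing response, and a checker that implements the verification step against a captured set of response headers. This is an added example, not code from the original checklist; `REQUIRED_HEADERS`, `MIN_HSTS_MAX_AGE` (one year, an assumed policy value), `harden` and `missing_headers` are assumptions for this illustration.

```python
"""Apply the listed security headers and verify that a response carries them.

Added example, not code from the original checklist. REQUIRED_HEADERS,
MIN_HSTS_MAX_AGE, harden() and missing_headers() are assumptions for this
illustration.
"""
import re

MIN_HSTS_MAX_AGE = 31536000  # one year; assumed minimum policy for this example

REQUIRED_HEADERS = {
    "Strict-Transport-Security": f"max-age={MIN_HSTS_MAX_AGE}; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
# Responses carrying sensitive data must additionally opt out of caching.
SENSITIVE_CACHE_CONTROL = "no-store"


def harden(headers, sensitive=False):
    """Return a copy of `headers` with the security headers set.

    Existing values are overwritten so a handler cannot weaken them.
    """
    out = dict(headers)
    out.update(REQUIRED_HEADERS)
    if sensitive:
        out["Cache-Control"] = SENSITIVE_CACHE_CONTROL
    return out


def _hsts_ok(value):
    """HSTS only enforces HTTPS if max-age is present and long enough."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return m is not None and int(m.group(1)) >= MIN_HSTS_MAX_AGE


def missing_headers(headers, sensitive=False):
    """Verification helper: names of headers that are absent or wrongly valued.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    if not _hsts_ok(lower.get("strict-transport-security", "")):
        problems.append("Strict-Transport-Security")
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        problems.append("X-Content-Type-Options")
    if lower.get("x-frame-options", "").upper() != "DENY":
        problems.append("X-Frame-Options")
    if sensitive:
        directives = {d.strip().lower() for d in lower.get("cache-control", "").split(",")}
        if "no-store" not in directives:
            problems.append("Cache-Control")
    return problems
```

`missing_headers` is what you would point at the headers captured from a real response (for example the output of `curl -sI`) during verification; an empty list is the pass condition. Note that Strict-Transport-Security is only honoured by browsers on responses received over HTTPS, so item 1 must already be in place for it to have any effect.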
After Completing the Checklist
Once all 12 items are addressed, schedule regular security reviews (at least quarterly) and re-run this checklist before every major release. Consider engaging a third-party penetration testing firm annually to identify vulnerabilities that internal reviews may miss.