Candela Team

The API Security Checklist Every Team Should Follow

APIs are the most common attack vector we see in pentests. Here's how to lock them down.


In every pentest we run, APIs are the number one source of critical findings. Not because teams don't care about security — but because APIs expose business logic in ways that are hard to secure by default.

Here's the checklist we give every client after a test.

Authentication

  • Use short-lived tokens. JWTs should expire in minutes, not days. Refresh tokens should be rotatable.
  • Validate tokens on every request. Don't trust client-side state. Verify the signature, expiration, and claims server-side.
  • Rate-limit auth endpoints. Login, registration, and password reset endpoints are brute-force magnets. Rate-limit aggressively.

Authorization

This is where most breaches happen. Authentication establishes who you are. Authorization decides what you are allowed to do.

  • Check permissions server-side. Every. Single. Endpoint. Never rely on the client to enforce access.
  • Test for IDOR. Can user A access user B's data by changing an ID in the URL? This is the most common vulnerability we find.
  • Use least-privilege defaults. New roles should start with zero access and explicitly grant permissions.
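To make the IDOR and server-side check bullets concrete, here is an added example (not code from the original post): a minimal in-memory handler for a hypothetical GET /users/{id}/profile route, with the vulnerable version beside the fixed one. The names (Principal, PROFILES, AUDIT_LOG, the handler functions) and the sample records are constructed for this illustration; the caller is assumed to have already been authenticated by token validation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by token validation upstream."""
    user_id: int
    role: str  # "user" or "admin"; a role has no access unless granted below


# Constructed sample records standing in for the database (hypothetical data).
PROFILES = {
    1: {"email": "alice@example.com"},
    2: {"email": "bob@example.com"},
}

# Denied requests are recorded here so a spike in 403s can be alerted on.
AUDIT_LOG = []


def get_profile_vulnerable(caller, user_id):
    """IDOR: the record is fetched by the ID from the URL with no ownership check,
    so any authenticated user can read any profile just by changing the ID."""
    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


def can_read_profile(caller, owner_id):
    """Object-level authorization: only the owner or an admin may read a profile.
    Access is granted explicitly; every other role gets nothing (least privilege)."""
    return caller.role == "admin" or caller.user_id == owner_id


def get_profile_fixed(caller, user_id):
    """Same route with the permission check enforced server-side on every call."""
    # Decide authorization before touching the data store: a denied caller then
    # learns nothing about whether the requested ID exists.
    if not can_read_profile(caller, user_id):
        AUDIT_LOG.append({"user": caller.user_id, "resource": user_id, "status": 403})
        return 403, {"error": "forbidden"}  # generic body, same shape as other errors
    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


if __name__ == "__main__":
    alice = Principal(user_id=1, role="user")
    print(get_profile_vulnerable(alice, 2))  # (200, bob's profile): the IDOR
    print(get_profile_fixed(alice, 2))       # (403, {'error': 'forbidden'})
    print(get_profile_fixed(alice, 1))       # (200, alice's profile)
```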

Input validation

  • Validate and sanitize all input. Never trust anything from the client — query params, headers, body, file uploads.
  • Use allowlists, not blocklists. Define what's acceptable rather than trying to block what's bad.
  • Limit payload sizes. Prevent denial-of-service through oversized requests.

Error handling

  • Don't leak stack traces. Production APIs should return generic error messages. Log the details server-side.
  • Use consistent error formats. Inconsistent errors help attackers map your API's internals.
  • Handle edge cases. What happens with null values, empty arrays, negative numbers, Unicode characters?

Monitoring

  • Log every API call. Include timestamp, user, endpoint, response code, and IP. You'll need this for incident response.
  • Alert on anomalies. Sudden spikes in 403s, unusual geographic access patterns, or bulk data exports should trigger alerts.
  • Audit sensitive operations. Password changes, permission modifications, and data exports should have enhanced logging.

The meta-checklist

  • Run a pentest specifically targeting your APIs
  • Review your API documentation for accuracy (outdated docs = hidden endpoints)
  • Check that deprecated endpoints are actually disabled
  • Verify your API gateway enforces all security policies

Want us to test your APIs? We find what automated scanners miss. Book a free 20-minute consultation.

Frequently Asked Questions

What are the most common API security vulnerabilities?

The most common issues we find in pentests are broken authorization (IDOR), where users can access other users' data by changing an ID; missing server-side permission checks; overly permissive authentication tokens; and insufficient input validation. These are consistently the top critical findings across engagements.

How do you secure an API?

Start with the fundamentals: use short-lived tokens, validate permissions server-side on every endpoint, sanitize all input with allowlists, never leak stack traces in production, and log every API call for monitoring. Then test it with a penetration test specifically targeting your APIs.

What is IDOR and why is it dangerous?

IDOR (Insecure Direct Object Reference) is when a user can access another user's data by changing an identifier in the API request — like changing a user ID in the URL. It's the most common vulnerability we find in pentests because it's easy to miss in development but trivial for an attacker to exploit.

Should you pentest APIs separately from web applications?

Yes. APIs expose business logic that web application tests may not cover, especially internal or mobile-facing APIs. A dedicated API pentest examines authentication, authorization, input validation, and rate limiting in depth. Many critical findings we discover are in API endpoints that weren't tested during a standard web app assessment.
