APIs are the backbone of modern applications — and the primary attack surface. Whether you’re building REST endpoints or GraphQL resolvers, these security practices should be non-negotiable.
Authentication & API Keys
API keys are not authentication. They identify the calling application, not the user. For user-scoped operations, you need proper authentication:
- Use OAuth 2.0 or OpenID Connect for user authentication flows.
- Short-lived access tokens (15 minutes or less) with refresh token rotation.
- API keys should be treated as secrets — never committed to repositories or exposed in client-side code.
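The "short-lived access tokens with refresh token rotation" point above, worked through as an added example (this is not code from the original post). The 15-minute access token lifetime follows the post; the opaque in-memory token store, the 30-day refresh lifetime and the reuse-detection rule (a refresh token presented twice revokes its whole family) are assumptions made for illustration.

```python
"""Short-lived access tokens with refresh-token rotation.

Added example, not code from the original post. The 15-minute access
token lifetime follows the post; the opaque in-memory token store, the
30-day refresh lifetime and the reuse-detection rule are assumptions
made for illustration.
"""
import secrets
from dataclasses import dataclass

ACCESS_TTL = 15 * 60             # seconds; the post's ceiling for access tokens
REFRESH_TTL = 30 * 24 * 60 * 60  # assumed refresh token lifetime


@dataclass
class Session:
    user_id: str
    family: str            # one family per login; every rotation stays inside it
    access_token: str
    access_expires: float  # absolute time in seconds
    refresh_token: str
    refresh_expires: float


class TokenService:
    """Issues opaque tokens and rotates the refresh token on every use."""

    def __init__(self):
        self._access = {}        # access token -> Session
        self._refresh = {}       # currently valid refresh token -> Session
        self._rotated_out = {}   # spent refresh token -> family it belonged to
        self._revoked_families = set()

    def login(self, user_id: str, now: float) -> Session:
        """Start a new token family after the user has authenticated (OIDC, etc.)."""
        return self._issue(user_id, family=secrets.token_urlsafe(16), now=now)

    def _issue(self, user_id: str, family: str, now: float) -> Session:
        session = Session(
            user_id=user_id,
            family=family,
            access_token=secrets.token_urlsafe(32),
            access_expires=now + ACCESS_TTL,
            refresh_token=secrets.token_urlsafe(32),
            refresh_expires=now + REFRESH_TTL,
        )
        self._access[session.access_token] = session
        self._refresh[session.refresh_token] = session
        return session

    def authenticate(self, access_token: str, now: float):
        """Return the user id for a valid, unexpired access token, else None."""
        session = self._access.get(access_token)
        if session is None or now >= session.access_expires:
            return None
        if session.family in self._revoked_families:
            return None
        return session.user_id

    def refresh(self, refresh_token: str, now: float):
        """Exchange a refresh token for a new Session, or return None.

        Each refresh token is single-use. If a token that was already
        rotated out is presented again, two parties hold the same token,
        so the whole family is revoked rather than guessing which holder
        is legitimate.
        """
        if refresh_token in self._rotated_out:
            self._revoked_families.add(self._rotated_out[refresh_token])
            return None
        session = self._refresh.pop(refresh_token, None)
        if session is None or now >= session.refresh_expires:
            return None
        if session.family in self._revoked_families:
            return None
        self._rotated_out[refresh_token] = session.family
        return self._issue(session.user_id, family=session.family, now=now)
```

The previous access token is left to expire on its own after rotation, which is exactly why the access lifetime is kept at 15 minutes or less: a leaked access token is only useful until then, while a leaked refresh token is caught the first time both holders try to use it.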
Rate Limiting & Throttling
Every public API endpoint needs rate limiting. Without it, you’re one script away from a denial-of-service situation.
- Implement tiered rate limits: stricter for authentication endpoints, more generous for read operations.
- Return proper 429 Too Many Requests responses with Retry-After headers.
- Consider using a sliding window algorithm rather than fixed windows to prevent burst abuse.
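The tiered limits, the 429 with Retry-After, and the sliding window versus fixed window point above, as an added example that is not code from the original post. The tiers and limits are assumptions for illustration, the sliding window is implemented as a sliding log (one timestamp per accepted request), and the state lives in process memory; a real deployment would keep it in a shared store so every API instance sees the same counts.

```python
"""Sliding-window rate limiter returning 429 with Retry-After.

Added example, not code from the original post. The tiers, limits and
in-memory store are assumptions made for illustration.
"""
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    limit: int     # requests allowed per window
    window: float  # window length in seconds


# Assumed tiers: authentication endpoints get the stricter limit.
TIERS = {
    "auth": Tier(limit=5, window=60.0),
    "read": Tier(limit=100, window=60.0),
}


class FixedWindowLimiter:
    """Fixed-window counter, included only to show the burst problem."""

    def __init__(self, tiers):
        self.tiers = tiers
        self._counts = defaultdict(int)  # (client, tier, bucket) -> count

    def check(self, client_id, tier_name, now):
        tier = self.tiers[tier_name]
        bucket = int(now // tier.window)
        key = (client_id, tier_name, bucket)
        if self._counts[key] >= tier.limit:
            reset_in = (bucket + 1) * tier.window - now
            return 429, {"Retry-After": str(max(1, math.ceil(reset_in)))}
        self._counts[key] += 1
        return 200, {}


class SlidingWindowLimiter:
    """Sliding-log limiter: one timestamp per accepted request.

    A client can never get more than `limit` requests through in any
    `window`-second span, whereas a fixed window admits up to 2 * limit
    across a window boundary.
    """

    def __init__(self, tiers):
        self.tiers = tiers
        self._hits = defaultdict(deque)  # (client, tier) -> accepted timestamps

    def check(self, client_id, tier_name, now):
        """Return (status, headers); 200 admits the request, 429 rejects it."""
        tier = self.tiers[tier_name]
        log = self._hits[(client_id, tier_name)]
        cutoff = now - tier.window
        while log and log[0] <= cutoff:  # drop requests that slid out of the window
            log.popleft()
        if len(log) >= tier.limit:
            # Capacity frees up when the oldest in-window request expires.
            retry_after = log[0] + tier.window - now
            return 429, {"Retry-After": str(max(1, math.ceil(retry_after)))}
        log.append(now)
        # X-RateLimit-Remaining is a widely used convention, not a standard header.
        return 200, {"X-RateLimit-Remaining": str(tier.limit - len(log))}


def burst_comparison():
    """Constructed burst: 5 auth requests at t=59.9 s and 5 more at t=60.1 s.

    Returns how many of the 10 each limiter admits.
    """
    admitted = {}
    for name, limiter in (("fixed", FixedWindowLimiter(TIERS)),
                          ("sliding", SlidingWindowLimiter(TIERS))):
        ok = 0
        for t in [59.9] * 5 + [60.1] * 5:
            status, _ = limiter.check("client-b", "auth", now=t)
            ok += status == 200
        admitted[name] = ok
    return admitted
```

burst_comparison() shows the difference the post is pointing at: the fixed window admits all 10 requests because they straddle the minute boundary, while the sliding window admits only the 5 allowed per 60 seconds and answers the rest with 429 and a Retry-After of 60.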
Input Validation
- Validate request body schemas strictly. Reject unexpected fields.
- Set maximum payload sizes. A 100 MB JSON body shouldn’t reach your business logic.
- For GraphQL, implement query depth limiting and complexity analysis to prevent resource exhaustion.
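The three validation points above (strict schemas that reject unexpected fields, a payload size ceiling checked before parsing, and GraphQL depth limiting), as one added example that is not code from the original post. The create-user schema, the 64 KB size limit, the depth ceiling of 5 and the hand-written depth counter are illustrative assumptions; a real service would get the same checks from a schema library and from its GraphQL server's validation rules.

```python
"""Strict request-body validation and GraphQL query depth limiting.

Added example, not code from the original post. The schema, the size
limit and the hand-written depth counter are illustrative assumptions.
"""
import json

MAX_BODY_BYTES = 64 * 1024  # assumed ceiling; the post's point is that one must exist
MAX_QUERY_DEPTH = 5         # assumed GraphQL selection-set depth ceiling


class ValidationError(ValueError):
    """Raised for any request the API should reject before business logic runs."""


# Assumed schema for a create-user endpoint: field -> (type, required)
CREATE_USER_SCHEMA = {
    "username": (str, True),
    "email": (str, True),
    "display_name": (str, False),
}


def validate_body(raw: bytes, schema: dict) -> dict:
    """Parse and validate a JSON request body against `schema`.

    Size is checked before parsing, so an oversized body never reaches
    json.loads, let alone the business logic behind it.
    """
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError(f"payload of {len(raw)} bytes exceeds {MAX_BODY_BYTES}")
    try:
        data = json.loads(raw)
    except ValueError as exc:
        raise ValidationError(f"malformed JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValidationError("body must be a JSON object")
    unexpected = set(data) - set(schema)
    if unexpected:
        # Reject rather than silently drop: an unknown field such as a role
        # flag must never be mapped onto the model by accident.
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    for name, (ftype, required) in schema.items():
        if name not in data:
            if required:
                raise ValidationError(f"missing required field: {name}")
            continue
        if not isinstance(data[name], ftype):
            raise ValidationError(f"field {name} must be {ftype.__name__}")
    return data


def graphql_depth(query: str) -> int:
    """Return the maximum nesting depth of braces in a GraphQL document.

    The operation's own selection set counts as depth 1, so
    '{ user { posts { title } } }' is depth 3. Braces inside string
    literals, block strings and comments are ignored. Braces in input
    object literals are counted, which only makes the estimate conservative.
    """
    depth = max_depth = 0
    i = 0
    while i < len(query):
        ch = query[i]
        if query.startswith('"""', i):          # block string
            end = query.find('"""', i + 3)
            i = len(query) if end == -1 else end + 3
            continue
        if ch == '"':                           # ordinary string literal
            i += 1
            while i < len(query) and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
            continue
        if ch == "#":                           # comment runs to end of line
            while i < len(query) and query[i] != "\n":
                i += 1
            continue
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth


def validate_graphql(query: str) -> str:
    """Reject queries nested deeper than MAX_QUERY_DEPTH; return the query otherwise."""
    depth = graphql_depth(query)
    if depth > MAX_QUERY_DEPTH:
        raise ValidationError(f"query depth {depth} exceeds limit {MAX_QUERY_DEPTH}")
    return query


def rejection_reason(check, *args):
    """Run a validator and return its error message, or None when it passes."""
    try:
        check(*args)
    except ValidationError as exc:
        return str(exc)
    return None
```

Depth limiting is the cheaper half of what the post asks for; complexity analysis additionally weights each field (list fields by their requested page size, for example) and rejects queries whose total cost exceeds a budget, which catches wide-but-shallow queries that a pure depth limit lets through.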
Data Exposure
The principle of least privilege applies to API responses too:
- Never return more data than the client needs. Over-fetching is a security risk.
- Filter sensitive fields (passwords, internal IDs, email addresses) at the serialization layer.
- Implement field-level authorization for sensitive data.
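The serialization-layer filtering and field-level authorization points above, as an added example that is not code from the original post. The User record, the viewer roles and the field policy are constructed for illustration; the point is that the serializer works from an allowlist, so the internal id and password hash never appear in a response no matter who asks, and email is only visible to the account owner or an admin.

```python
"""Allowlist serialization with field-level authorization.

Added example, not code from the original post. The User record, the
viewer roles and the field policy are constructed for illustration.
"""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class User:
    id: int              # internal primary key; never leaves the service
    public_id: str       # opaque identifier that is safe to expose
    username: str
    email: str
    password_hash: str
    created_at: str


# Assumed policy: field -> roles allowed to read it. A field that is not
# listed here is never emitted, whoever is asking, so adding a column to
# User cannot leak it by default.
USER_FIELD_POLICY = {
    "public_id": {"anonymous", "user", "self", "admin"},
    "username": {"anonymous", "user", "self", "admin"},
    "created_at": {"user", "self", "admin"},
    "email": {"self", "admin"},
}


def role_for(viewer: Optional[User], target: User, viewer_is_admin: bool = False) -> str:
    """Decide the viewer's role relative to the record being serialized."""
    if viewer is None:
        return "anonymous"
    if viewer_is_admin:
        return "admin"
    if viewer.public_id == target.public_id:
        return "self"
    return "user"


def serialize_user(user: User, role: str) -> dict:
    """Return only the fields the role may read, by allowlist."""
    record = asdict(user)
    return {name: record[name] for name, roles in USER_FIELD_POLICY.items() if role in roles}


def user_response(target: User, viewer: Optional[User] = None,
                  viewer_is_admin: bool = False) -> dict:
    """Build the API response body for `target` as seen by `viewer`."""
    return serialize_user(target, role_for(viewer, target, viewer_is_admin))
```

Doing this at the serialization layer rather than in each handler means a new endpoint that returns a User cannot forget the filter, and a `SELECT *` in the data layer stays harmless because the response shape is decided by the policy, not by what the query happened to fetch.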
Securing APIs is an ongoing process. Regular penetration testing and automated security scanning should be part of your CI/CD pipeline.