appendix A API security checklist
A common concern among API developers is whether they’ve done everything they can to ensure that their APIs are secure. Many developers ask for a checklist that allows them to determine whether there’s anything else left to do. This appendix provides such a checklist. As you’ve learned throughout the book and as is clear from this appendix, security cannot be a last-minute concern in your API development process. If you’re serious about API security, you must build security into your APIs by shifting your security efforts to the left—that is, to the beginning of the API development process. That’s why the first sections of this appendix deal with API design and implementation, followed by authentication and authorization, infrastructure, and observability. The goal is to build security into each of these building blocks. Every section of the appendix maps to one or more chapters of the book, as indicated.
A.1 Design
Chapters 2, 3, and 6
- Consolidate your API design with an interface description language such as OpenAPI or Schema Definition Language (SDL).
- Test the design for security vulnerabilities (e.g., with Spectral).
- Constrain every input schema and parameter.
- Threat-model the design.
- Describe your expected user flows using a standard format (such as Arazzo) and threat-model the flows.
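The "constrain every input schema and parameter" item is easy to state and easy to miss in practice, so here is an added example (written for this appendix, not code from the book or from any linter it mentions) of what a design-time check for it looks like. It walks a small OpenAPI 3 document, constructed inline, and reports every parameter or request-body property whose schema places no bound on the input: strings without `maxLength`, `pattern` or `enum`, numbers without both `minimum` and `maximum`, arrays without `maxItems`, and objects that still accept `additionalProperties`. Tools such as Spectral express this kind of rule in a ruleset; this script only illustrates the logic behind such a rule, and the sample document and its operation are assumptions.

```python
"""Minimal OpenAPI 3 input-constraint linter (added example, not from the book).

It walks every operation in a constructed OpenAPI document and reports
parameters and request-body properties whose schema is unconstrained.
"""
import json

# Constructed sample document (assumption): one operation mixing constrained
# and unconstrained inputs, so the linter has something to find.
SAMPLE_OPENAPI = json.loads("""
{
  "openapi": "3.0.3",
  "paths": {
    "/users/{userId}/notes": {
      "post": {
        "parameters": [
          {"name": "userId", "in": "path", "required": true,
           "schema": {"type": "string"}},
          {"name": "limit", "in": "query",
           "schema": {"type": "integer", "minimum": 1, "maximum": 100}}
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "additionalProperties": false,
                "properties": {
                  "title": {"type": "string", "maxLength": 120},
                  "body": {"type": "string"},
                  "tags": {"type": "array",
                           "items": {"type": "string", "maxLength": 32}}
                }
              }
            }
          }
        }
      }
    }
  }
}
""")


def schema_findings(schema, where):
    """Return (location, problem) pairs for every unconstrained schema node, recursively."""
    findings = []
    t = schema.get("type")
    if t == "string":
        # A "format" alone does not bound length, so it does not count as a constraint here.
        if not any(k in schema for k in ("maxLength", "pattern", "enum")):
            findings.append((where, "string without maxLength/pattern/enum"))
    elif t in ("integer", "number"):
        if "minimum" not in schema or "maximum" not in schema:
            findings.append((where, "number without both minimum and maximum"))
    elif t == "array":
        if "maxItems" not in schema:
            findings.append((where, "array without maxItems"))
        findings += schema_findings(schema.get("items", {}), where + "[]")
    elif t == "object":
        # Default in JSON Schema is to allow unknown members; require an explicit false.
        if schema.get("additionalProperties", True) is not False:
            findings.append((where, "object allows additionalProperties"))
        for name, sub in schema.get("properties", {}).items():
            findings += schema_findings(sub, f"{where}.{name}")
    return findings


def lint_openapi(doc):
    """Lint every operation's parameters and request bodies; return the list of findings."""
    findings = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            # Skip path-level keys that are not operations (summary, parameters, x-*).
            if method.startswith("x-") or not isinstance(op, dict):
                continue
            loc = f"{method.upper()} {path}"
            for p in op.get("parameters", []):
                findings += schema_findings(p.get("schema", {}),
                                            f"{loc} param {p.get('name')}")
            content = op.get("requestBody", {}).get("content", {})
            for ctype, media in content.items():
                findings += schema_findings(media.get("schema", {}),
                                            f"{loc} body({ctype})")
    return findings


if __name__ == "__main__":
    for where, problem in lint_openapi(SAMPLE_OPENAPI):
        print(f"{where}: {problem}")
```

Run against the sample, the linter flags the unbounded `userId` path parameter, the unbounded `body` string, and the `tags` array with no `maxItems`, while the bounded `limit`, `title` and `tags[]` schemas pass. Wiring a check like this into the same pipeline that validates the OpenAPI document catches missing constraints at design time, before any handler code exists to be fuzzed.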
 
 
A.2 Implementation
Chapters 4, 5, and 12