Appendix A. API security checklist


A common concern among API developers is whether they’ve done everything they can to ensure their APIs are secure, and many developers ask for a checklist that lets them determine whether anything is left to do. This appendix provides such a checklist. As you’ve learned throughout the book, and as this appendix makes clear, security cannot be a last-minute concern in your API development process. If you’re serious about API security, you must build security into your APIs by shifting your security efforts to the left; that is, to the beginning of the API development process. That’s why this appendix starts with API design and then moves on to implementation, authentication and authorization, infrastructure, and finally observability. The goal is to build security into each of these building blocks. Each section of the appendix maps to one or more chapters of the book, as indicated.

A.1 Design

Chapters 2, 3, and 6.

  • Consolidate your API design in an interface description language (IDL) such as OpenAPI or the Schema Definition Language (SDL).
  • Test the design for security vulnerabilities (e.g. with Spectral).
  • Constrain every input schema and parameter.
  • Threat model the design.
  • Describe your expected user flows using a standard format (Arazzo) and threat model the flows.
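The second and third items of this list, testing the design and constraining every input, can be automated against the IDL document itself. The following Python script is an added example written for this appendix, not code from the book; it walks an OpenAPI 3 document held in memory and reports every parameter and request-body schema that lacks bounds, in the spirit of a custom Spectral rule. The document in `SAMPLE_SPEC` is constructed for the example, and `find_unconstrained` and the set of checks it applies are this example's own choices, not a standard.

```python
"""Flag unconstrained inputs in an OpenAPI 3 document (added example)."""

# Constructed sample: one resource with a bounded path parameter, an unbounded
# query parameter, and a request body with one bounded and two unbounded fields.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}/notes": {
            "parameters": [
                {"name": "id", "in": "path", "required": True,
                 "schema": {"type": "integer", "minimum": 1, "maximum": 2**31 - 1}},
            ],
            "get": {
                "parameters": [
                    # No minimum/maximum: a caller can ask for an enormous page.
                    {"name": "limit", "in": "query", "schema": {"type": "integer"}},
                ],
            },
            "post": {
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "type": "object",
                                "additionalProperties": False,
                                "properties": {
                                    "title": {"type": "string", "maxLength": 120},
                                    # No maxLength: unbounded payload size.
                                    "body": {"type": "string"},
                                    # No maxItems: unbounded array length.
                                    "tags": {"type": "array",
                                             "items": {"type": "string", "maxLength": 32}},
                                },
                            }
                        }
                    }
                }
            },
        }
    },
}

METHODS = ("get", "put", "post", "delete", "patch", "options", "head", "trace")


def _check_schema(schema, where, findings):
    """Recursively report missing bounds on a JSON Schema fragment."""
    t = schema.get("type")
    if t == "string" and not any(k in schema for k in ("maxLength", "enum", "pattern")):
        findings.append(f"{where}: string has no maxLength/enum/pattern")
    elif t in ("integer", "number") and not ("minimum" in schema and "maximum" in schema):
        findings.append(f"{where}: {t} has no minimum/maximum")
    elif t == "array":
        if "maxItems" not in schema:
            findings.append(f"{where}: array has no maxItems")
        if "items" in schema:
            _check_schema(schema["items"], where + "[]", findings)
    elif t == "object":
        # Anything other than an explicit False lets clients send extra fields.
        if schema.get("additionalProperties", True) is not False:
            findings.append(f"{where}: object allows additionalProperties")
        for name, sub in schema.get("properties", {}).items():
            _check_schema(sub, f"{where}.{name}", findings)


def find_unconstrained(spec):
    """Return one finding string per parameter or body schema that lacks bounds."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        # Parameters declared at path level apply to every operation.
        for param in item.get("parameters", []):
            _check_schema(param.get("schema", {}), f"{path} param {param['name']}", findings)
        for method in METHODS:
            op = item.get(method)
            if not op:
                continue
            label = f"{method.upper()} {path}"
            for param in op.get("parameters", []):
                _check_schema(param.get("schema", {}), f"{label} param {param['name']}", findings)
            for mime, media in op.get("requestBody", {}).get("content", {}).items():
                _check_schema(media.get("schema", {}), f"{label} body ({mime})", findings)
    return findings


if __name__ == "__main__":
    for line in find_unconstrained(SAMPLE_SPEC):
        print(line)
```

Run as a script it prints three findings for the sample: the unbounded `limit` query parameter, the `body` string without `maxLength`, and the `tags` array without `maxItems`. To use it on a real design, load the OpenAPI file with a YAML or JSON parser and pass the resulting dictionary to `find_unconstrained`; an empty list is the condition to require before the design leaves review.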

A.2 Implementation

Chapters 4, 5, and 12.

A.3 Authentication and authorization

A.4 Infrastructure

A.5 Observability