Experiencing a security incident? Get emergency response →
All Whitepapers

Whitepaper · API Security

API Security Best Practices

Authentication, authorization and rate-limiting patterns that hold up, based on how CipherTrivia's API security team actually tests REST and GraphQL APIs, mapped to the OWASP API Security Top 10.

Category:
API Security
Read time:
11 minutes
Based on:
OWASP API Security Top 10 + CipherTrivia engagement data

Overview

APIs are now how most applications actually move data: between your frontend and backend, between microservices, and between your platform and partner integrations. That also makes them the most direct path to your data for an attacker, because an API often skips the validation and rate-limiting that a browser-based UI takes for granted.

This guide walks through the OWASP API Security Top 10 the way our team applies it during an engagement, a reference architecture for a securely fronted API, and the questions clients ask us most often when scoping an API penetration test.

What We See in Our Assessments

Across recent API engagements, a small number of issue types make up most of what we report:

~45%

of critical API findings are Broken Object Level Authorization (API1)

~1 in 2

APIs we test have no per-account rate limiting on sensitive endpoints

~30%

have at least one undocumented "shadow" endpoint discovered during testing

~20%

return excessive data fields not used by the client (API3)

Figures are directional, based on patterns observed across CipherTrivia's recent API security engagements.

What's Inside

1. The OWASP API Security Top 10: What We Test & How We Fix It

API1: Broken Object Level Authorization

The single most common API finding: an endpoint trusts an object ID in the request path or body without verifying the caller actually owns that object.

What we test: for every endpoint that takes an ID, we substitute IDs belonging to a different test account and check whether the response leaks or modifies that account's data.

How teams fix it: resolve the "current user" from the authenticated session, and scope every database query to that user or tenant; never trust an ID from the request alone.

API2: Broken Authentication

Weak or misconfigured authentication: missing token expiry, predictable API keys, or endpoints that accept expired or unsigned tokens.

What we test: we test token expiry enforcement, signature validation (including algorithm-confusion attacks on JWTs), and whether password-reset or API-key issuance flows can be abused.

How teams fix it: use short-lived, signed tokens validated with a fixed algorithm and key, rotate API keys on a schedule, and apply the same brute-force protections to API auth as you would a login form.

API3: Broken Object Property Level Authorization

Endpoints that return or accept more fields than the client should see or modify, exposing internal flags, other users' data, or allowing privilege escalation via mass assignment.

What we test: we compare full API responses against what the UI actually displays, and attempt to set sensitive fields (e.g. role, isAdmin, accountBalance) on update requests.

How teams fix it: use explicit response and request schemas (allow-lists of fields) rather than serializing entire database models, especially for write operations.

API4: Unrestricted Resource Consumption

No limits on request size, pagination, or computation cost per request, which lets a single client exhaust resources or run up backend costs.

What we test: we send oversized payloads, request unbounded pagination (e.g. ?limit=999999), and test for missing limits on expensive operations like search, export or report generation.

How teams fix it: enforce per-account and per-IP rate limits, cap pagination size, and apply request size limits at the gateway layer.

API5: Broken Function Level Authorization

Admin or privileged endpoints reachable by lower-privilege users, often because the check exists in the UI but not the API itself.

What we test: using a low-privilege account's token, we call every admin and internal endpoint we can enumerate, including ones not linked from the standard UI.

How teams fix it: apply role checks centrally (e.g. route-level middleware or policy engine), and write tests that assert a non-admin token is rejected by every admin route.

API6–API10: Business Flow, SSRF, Misconfiguration & Inventory

The remaining categories cover unrestricted access to sensitive business flows (API6), server-side request forgery via webhook or URL-fetching endpoints (API7), security misconfiguration of the API gateway and CORS (API8), improper inventory management (undocumented or deprecated API versions left reachable, API9), and unsafe consumption of third-party APIs (API10).

What we test: we enumerate API versions and hostnames from DNS, JS bundles and documentation to find "shadow" or deprecated APIs still in production, and test any outbound-fetch features for SSRF.

How teams fix it: maintain a single source of truth for all live API versions, retire deprecated versions rather than leaving them reachable, and apply the same authz and validation rules to data received from third-party APIs as you would user input.

2. A Securely Fronted API Architecture

This is the API architecture shape we recommend when clients ask "where should these controls actually live?" It's a single API gateway in front of all services, with authentication, rate limiting and schema validation enforced before a request ever reaches business logic.

Diagram of a secure API architecture showing clients, an API gateway with authentication, rate limiting and schema validation, internal microservices each with object-level authorization checks, a shared identity provider, and centralized logging feeding a SIEM
Figure 1: Reference API architecture, showing a single enforcement point for authentication, rate limiting and schema validation in front of internal services.

Key controls shown in the diagram, and the risks they address:

  • API gateway: single point for authentication, per-account rate limiting and request size limits (API2, API4).
  • Schema validation at the edge: rejects malformed or over-sized payloads before they reach services (API3, API4).
  • Shared identity provider: issues short-lived signed tokens validated consistently across all services (API2).
  • Per-service object-level authorization: every service independently re-checks ownership of the resource it's serving (API1, API5).
  • API inventory / version registry: tracks every live route and version so nothing becomes a forgotten shadow endpoint (API9).
  • Centralized logging to SIEM: request-level logs across the gateway and services, with alerting on abuse patterns (A09-style coverage).

3. Quick Self-Check Checklist

This is the checklist our team runs through before scoping an API penetration test. Any "no" is worth investigating.

  • Does every endpoint that accepts an object ID re-verify the caller owns that object server-side?

  • Are access and refresh tokens short-lived, signed, and validated with a fixed algorithm?

  • Do write endpoints use an explicit allow-list of fields rather than accepting an entire object?

  • Is there per-account rate limiting on authentication, search, export and report endpoints?

  • Are admin/internal routes protected by role checks that run independently of the UI?

  • Do you maintain a current inventory of every live API version and hostname?

  • Are webhook and URL-fetching features restricted from reaching internal IP ranges and cloud metadata endpoints?

  • Is data received from third-party APIs validated and authorization-checked like any other user input?

4. Frequently Asked Questions

How is API penetration testing different from a regular web app test?

API testing focuses heavily on authorization logic between accounts and roles, since there's no UI to hide unauthorized actions behind. We typically test with multiple authenticated accounts at different privilege levels in parallel, swapping tokens and IDs between them.

Do you need our API documentation (OpenAPI/Swagger) to test effectively?

It helps speed things up and improves coverage, but it's not required: our team also performs endpoint discovery from client applications, JS bundles and traffic capture to find undocumented routes.

We use GraphQL, not REST. Does this still apply?

Yes, with adjustments. Object and field-level authorization (API1, API3) map directly onto GraphQL resolvers and field permissions, and we additionally test for query depth/complexity abuse (a GraphQL-specific form of API4) and introspection exposure in production.

How long does an API penetration test typically take?

For a single API with 20-40 endpoints and 2-3 user roles, most CipherTrivia engagements run 1-2 weeks, including a retest pass after fixes are deployed.

5. Who Should Read This

This guide is for backend and platform engineers, API product owners, and security leads who are designing, exposing or auditing REST or GraphQL APIs, whether for internal microservices, mobile apps, or partner integrations.

KI

Karthik Iyer

Application & API Security Engineer, CipherTrivia · AWS Security Specialty

Karthik focuses on API and cloud-native application security at CipherTrivia, with a background in backend engineering before moving into security testing. He works closely with client platform teams to fix authorization issues at the architecture level, not just patch individual endpoints.

Want your APIs tested against this list?

Our team can run a focused API security assessment. See our security services for what's included.

Schedule a Meet