An utility programming interface allows software program purposes to work together with one another by controlling how requests are made and dealt with. Due to the rise of cloud computing and a shift from monolithic purposes to microservices, utility programming interfaces are a pivotal component in immediately’s digital world.
There are possible hundreds of thousands of public APIs in use by builders and organizations across the globe. 1000’s upon hundreds of public APIs can be found in on-line collections and repositories akin to GitHub, publicapis.io and Postman.
In a 2024 Postman survey of over 5,000 builders, 74% of respondents (versus 66% in 2023), mentioned they’re API-first, that means they appear to construct and combine utility companies which can be open and closely API-dependent. The identical survey additionally discovered that the common utility makes use of between 26 and 50 APIs.
APIs are the spine of most trendy purposes, and their profitable execution is important to many organizations’ income and progress. Due to this fact, API safety is paramount to trendy data and utility safety methods.
What’s API safety?
API safety refers back to the safety of APIs from cyberthreats, unauthorized entry and knowledge breaches. APIs bridge totally different software program purposes, enabling seamless communication and integration. As organizations more and more depend on APIs for cloud companies, cellular purposes and IoT units, securing them turns into vital to forestall knowledge leaks, unauthorized transactions and enterprise disruptions.
API safety goals to make sure API requests are authenticated, licensed, validated, cleansed and might nonetheless be processed when the service is beneath load. A contemporary utility or service has quite a few API endpoints that use totally different protocols and request codecs, so the traits of API safety differ from these of normal internet servers, which solely want to guard just a few customary ports and requests.
API safety comes from the next:
- Community safety, identification and entry administration controls.
- Successfully coded APIs that deal with and drop invalid and malicious incoming requests to keep up the confidentiality, availability and integrity of the information and assets the APIs expose.
Why API safety is essential
As extra companies allow entry to knowledge and companies via APIs, these vectors current a horny goal for knowledge theft and software program assaults as a result of a number of components:
- APIs usually deal with delicate knowledge akin to private data, monetary transactions and healthcare information. A compromised API can expose this knowledge to attackers, resulting in compliance violations, reputational injury and monetary losses.
- Menace actors exploit API vulnerabilities via assaults together with damaged authentication, injection assaults, extreme knowledge publicity and improper price limiting. With out ample safety controls and testing, attackers can doubtlessly manipulate API endpoints, acquire unauthorized entry, or disrupt vital enterprise operations via denial-of-service (DoS) and different assaults.
- API sprawl — when a company’s use of APIs outstrips efforts to handle them successfully — creates knowledge conflicts, extreme useful resource use and (particularly with public APIs) use of requirements and protocols past the group’s purview.
Surveys of organizations worldwide underscore the scope and seriousness of the issue.
In a 2025 survey, Traceable discovered that 57% of organizations reported no less than one knowledge breach associated to API abuse within the earlier two years, and solely 38% had been testing their APIs usually for safety vulnerabilities. And in a separate survey in 2024, Salt Safety discovered that API use elevated 167% from the earlier yr and 95% of respondents skilled safety challenges in manufacturing APIs.
API safety and AI
Whereas there’s fairly a little bit of chatter within the trade about instruments akin to generative AI (GenAI) inflicting extra API safety danger, it stays to be seen. Any knowledge enter or output utilizing AI instruments and companies needs to be rigorously reviewed for accuracy and potential AI-specific dangers, akin to knowledge tampering. So far, nevertheless, this has not proved to be an AI-specific situation.
API safety finest practices
The next 13 finest practices can assist increase and elevate the safety of a company’s APIs:
1. Authenticate and authorize
To manage entry to API assets, you have to rigorously and comprehensively establish all associated customers and units. This usually requires client-side purposes to incorporate a token within the API name in order that the service can validate the consumer.
Use requirements akin to OAuth 2.0, OpenID Join and JSON Net Tokens to authenticate API visitors and to outline entry management guidelines or grant varieties that decide which customers, teams and roles can entry particular API assets. Particular API keys can be used securely, notably for machine-to-machine interactions.
All the time comply with the precept of least privilege (POLP). If a person simply must learn a weblog or submit a remark, assign solely these permissions.
2. Implement entry management
Organizations that wish to allow third events to entry inner knowledge and techniques via APIs should introduce and check controls to handle that entry: who, what and when, in addition to checks on knowledge entry, creation, replace and deletion — reflecting the zero-trust safety mannequin. Many organizations may require some mixture of role-based entry management (RBAC) and attribute-based entry management (ABAC).
Effectively-designed APIs also can apply price limits and geo-velocity checks and act as an enforcement level for insurance policies akin to geo-fencing and I/O content material validation and sanitization. Geo-velocity checks present context-based authentication by figuring out entry primarily based on the velocity of journey required between the earlier and present login makes an attempt.
All these checks are utilized by middleware code that is a part of the API utility. Middleware handles requests earlier than passing them on to be fulfilled.
3. Encrypt requests and responses
All community visitors needs to be encrypted — notably API requests and responses, as they will possible comprise delicate credentials and knowledge. All APIs ought to require HTTPS, ideally with TLS 1.2 or above (mutual TLS, or mTLS, can be widespread for API-to-API communication). Enabling HTTP Strict Transport Safety the place potential is best than redirecting HTTP visitors to HTTPS, as API shoppers won’t behave as anticipated.
4. Validate the information
By no means assume API knowledge has been sanitized or validated appropriately. Implement your personal knowledge cleansing and validation routines on the server aspect to forestall customary injection flaws and cross-site request forgery assaults, and use parameterized queries and ready statements in database queries. Debugging instruments akin to Postman and Chrome DevTools can assist look at the API’s knowledge movement and monitor errors and anomalies.
5. Assess your API dangers
One other essential API safety finest apply is to carry out a danger evaluation for all APIs in your current registry. Set up measures to make sure they meet safety insurance policies and are usually not weak to recognized dangers. The Open Worldwide Utility Safety Challenge (OWASP) “API Safety High 10” vulnerabilities checklist is an efficient useful resource for conserving tabs on current assaults and malicious software program.
A danger evaluation ought to establish all techniques and knowledge affected if an API is compromised after which define a remedy plan and the controls required to scale back dangers to a suitable degree.
Doc assessment dates and repeat assessments each time new threats come up, or the API is modified. Ideally, assessment this documentation previous to any subsequent code adjustments to make sure safety and data-handling necessities aren’t compromised.
6. Share solely essential data
API responses usually embody a whole knowledge document fairly than simply the related fields, counting on the consumer utility to filter what a person sees. That is lazy programming, and it not solely slows response instances but additionally gives attackers with further details about the API and the assets it accesses.
Responses ought to comprise the minimal data essential to satisfy a request. For instance, if an worker’s age is requested, the date of delivery should not be returned as effectively.
7. Select your internet companies API
There are three dominant choices to entry internet companies via APIs: SOAP, a communications protocol; REST API or RESTful API, a set of architectural rules for knowledge transmission; and GraphQL, a question language and runtime for APIs that permits shoppers to request precisely the information they want. They use totally different codecs and semantics and require totally different methods to make sure efficient safety.
SOAP. SOAP safety is utilized on the message degree utilizing digital signatures and encrypted elements throughout the XML message itself. REST depends closely on entry management guidelines related to the API’s common useful resource identifier, akin to HTTP tags and the URL path.
Use SOAP in case your major considerations are standardization and safety. Whereas each choices assist Safe Sockets Layer/Transport Layer Safety (SSL/TLS), SOAP additionally helps Net Companies Safety, identification verification via intermediaries fairly than simply point-to-point verification offered by SSL/TLS, and built-in error dealing with. Nevertheless, SOAP exposes parts of utility logic as companies fairly than knowledge, which might make SOAP complicated to implement and may require an utility to be refactored.
REST. REST, in the meantime, is suitable with numerous knowledge output varieties — together with JSON, comma-separated values and HTTP — whereas SOAP can solely deal with XML and HTTP. As well as, REST merely accesses knowledge, so it is a less complicated technique to entry internet companies. For these causes, organizations usually want REST for internet improvement tasks. Nevertheless, safety should be inbuilt for knowledge exchanges, deployment and consumer interactions.
GraphQL. GraphQL is gaining momentum for internet companies and APIs, notably for purposes that require excessive flexibility, effectivity and sophisticated knowledge request fashions. GraphQL is effectively suited to the next:
- Entrance-end API queries that permit builders to solely request particular knowledge and not using a want to switch back-end knowledge units or parts.
- Apps with totally different shoppers — internet, cellular and third-party companions — that may request custom-made knowledge from the identical API with out separate endpoints.
Nevertheless, GraphQL permits for nearly infinite nesting of queries, which might result in DoS eventualities. It is usually prone to damaged object-level authorization (BOLA) assaults as a result of it exposes a single endpoint (/graphql), making it straightforward to miss authorization checks on the object or subject degree.
8. Report APIs in an API registry
No one can safe what they do not know. It is subsequently important to document all APIs in a registry to outline traits akin to its identify, goal, payload, utilization, entry, dwell date, retired date and proprietor. This can keep away from shadow or silo APIs which were forgotten, by no means documented or developed exterior of a important venture, presumably via mergers, acquisitions or check or deprecated variations.
Report particulars of the knowledge to be logged, akin to who, what and when. This can assist meet compliance and audit necessities and help forensic evaluation within the occasion of a safety incident.
Good documentation is especially essential for third-party builders wishing to include these APIs into their tasks. The API registry ought to embody hyperlinks to the doc or guide that accommodates all technical API necessities, together with capabilities, lessons, return varieties, arguments and integration processes.
9. Conduct common safety assessments
Along with totally testing APIs throughout improvement, safety groups should usually test the safety controls that defend dwell APIs to make sure they’re functioning as anticipated and behaving as documented. Ideally, API safety testing is complete and steady to handle vulnerability discovery and remediation.
Incident response groups ought to create a plan for dealing with alerts produced by risk detection and different safety controls that point out an API assault.
10. Stash your API keys
API keys establish and confirm entry for the appliance or web site that calls an API. They’ll additionally block or throttle calls made to an API and establish utilization patterns.
API keys are much less safe than authentication tokens and require cautious administration. To forestall unintended publicity, keep away from embedding API keys immediately of their code or in information throughout the utility’s supply tree. As a substitute, retailer them in setting variables or in information exterior of the appliance’s supply tree. Higher nonetheless, use a secrets and techniques administration service that protects and manages an utility’s API keys.
Even with these measures in place, all the time delete unneeded keys to attenuate publicity to assault and periodically regenerate keys — notably if a breach is suspected.
11. Add AI to API monitoring and risk detection
AI-enabled conduct evaluation can considerably enhance general API safety. It benchmarks common API visitors and gives visibility into how customers entry and devour APIs, which can assist builders fine-tune threshold settings for context safety checks. Menace detection instruments can use this data to search for anomalous conduct to flag or to cease misuse or a possible assault.
Attackers probe an API repeatedly to search out vulnerabilities or logic they will exploit, so real-time monitoring is important for assault detection and response. This strategy requires no predefined insurance policies, guidelines or assault signatures, so it reduces the necessity for fixed updates to cease new and evolving assaults.
12. Perceive the total scope of safe API consumption
API safety additionally covers the third-party APIs it consumes. Earlier than constructing an utility or service that handles third-party knowledge utilizing APIs, it’s a necessity to grasp how they work and learn how to combine them totally.
Learn API documentation totally, listening to the method and safety facets of the API’s perform and routines, akin to required authentication, name processes, knowledge codecs and any potential error messages to count on. strategy is to construct a risk mannequin to assist perceive the assault floor, establish potential safety points and incorporate applicable safety mitigations on the outset.
APIs create numerous alternatives for organizations to enhance and ship companies, interact prospects and improve productiveness and income — however provided that they’re securely carried out.
For extra data on API safety finest practices, comply with these examples of API documentation finest practices and be taught the significance of an API versioning technique.
13. Implement API safety gateways and instruments
Hold APIs behind a firewall, internet utility firewall or API gateway — accessed via a safe protocol, akin to HTTPS — to supply baseline safety, akin to scanning for signature-based threats and injection-based assaults.
Lately, a brand new class of safety platforms has emerged, often known as Net Utility and API Safety (WAAP). This combines internet utility firewall (WAF), runtime utility self-protection (RASP), API and microservice safety and bot safety, amongst different capabilities.
Commonest API safety dangers
Organizations ought to deal with the next API safety dangers throughout improvement and each time an API is up to date:
- Damaged object-level authorization. BOLA happens when a request can entry or modify knowledge the requestor should not have entry to, akin to the flexibility to entry one other person’s account by tampering with an identifier within the request.
- Damaged function-level authorization. This arises when POLP is not carried out, usually as a result of overly complicated entry management insurance policies. It leads to an attacker with the ability to execute delicate instructions or entry endpoints supposed for privileged accounts.
- Damaged person authentication. Like BOLA, if the authentication course of is compromised, an attacker can impersonate one other person on a one-time and even everlasting foundation.
- Extreme knowledge publicity. API responses to a request usually return extra knowledge than is related or essential. Regardless that the information won’t be seen to customers, it may be simply examined and may result in a possible publicity of delicate data.
- Improper asset and configuration administration. API improvement and deployment are normally fast-paced, and thorough documentation is commonly omitted within the rush to launch new or up to date APIs. This results in uncovered, deprecated and/or shadow endpoints. It additionally contributes to a weak understanding of how older APIs work and must be carried out or maintained. Poor configuration of APIs and associated parts and companies may additionally result in pointless publicity or uncovered vulnerabilities.
- Lack of price limiting and potential useful resource exhaustion. API endpoints are normally open to the web and, if there are not any restrictions on the quantity or dimension of requests, are open to DoS and brute-force assaults.
- Injection flaws. If request knowledge is not parsed and validated appropriately, an attacker can doubtlessly launch a command or SQL injection assault to entry it or execute malicious instructions with out authorization.
- Mass project. Software program improvement frameworks usually present the performance to insert all the information acquired from a web based type right into a database or object with only one line of code — often known as mass project — to take away the necessity to write repetitive traces of form-mapping code. If that is executed with out specifying what knowledge is suitable, it opens quite a lot of assault vectors.
- Inadequate logging and monitoring. Many API and utility implementations lack efficient logging and monitoring, which ends up in safety “blind spots” for safety and utility improvement groups when APIs are attacked.
Editor’s notice: Michael Cobb initially wrote this text in 2021, and Dave Shackleford expanded it in 2025 so as to add data and enhance the reader expertise.
Michael Cobb, CISSP-ISSAP, is a famend safety writer with greater than 20 years of expertise within the IT trade.
Dave Shackleford is founder and principal advisor at Voodoo Safety, in addition to a SANS analyst, teacher and course writer, and GIAC technical director.
