# API Security Best Practices: Complete Guide (2026)
Essential security practices to protect your APIs from attacks, unauthorized access, and data breaches.
## 1. Use HTTPS Everywhere

Always serve APIs over HTTPS (TLS) so data is encrypted in transit. Never expose APIs over plain HTTP, and do not enable protocol versions older than TLS 1.2.

```nginx
# Nginx configuration
server {
    listen 443 ssl http2;
    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
}
```
## 2. Authentication & Authorization

### OAuth 2.0

Use OAuth 2.0 for third-party API access. Don't roll your own authentication.

### API Keys

```http
Authorization: Bearer YOUR_API_KEY_HERE
```

- Store API keys securely (never in code)
- Rotate keys regularly
- Use different keys for different environments

### JWT Tokens

```http
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

- Short expiration times (15-60 minutes)
- Sign with strong secrets
- Validate the signature on every request
## 3. Rate Limiting

Prevent abuse and application-layer DDoS attacks by limiting how many requests a client may make in a given window.

```javascript
// Express.js example
const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100                  // 100 requests per client per window
});
app.use('/api/', limiter);
```
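To make the `windowMs` / `max` semantics concrete, here is an added example (not code from the original guide or from `express-rate-limit`) of a fixed-window limiter keyed per client, with an injectable clock so its behaviour can be tested. The factory name `createRateLimiter` and the 429 response shape are constructed for illustration.

```javascript
// Added example (not from the original guide): a fixed-window counter with the
// same settings as the express-rate-limit snippet above (windowMs, max),
// keyed per client. The clock is injected so the behaviour is testable.
function createRateLimiter({ windowMs = 15 * 60 * 1000, max = 100 } = {}) {
  const windows = new Map(); // key -> { start, count }

  // Returns { allowed, remaining, retryAfterMs } for one request from `key`.
  function check(key, now = Date.now()) {
    let w = windows.get(key);
    if (!w || now - w.start >= windowMs) {
      w = { start: now, count: 0 };   // window expired or first request: start a new one
      windows.set(key, w);
    }
    if (w.count >= max) {
      return { allowed: false, remaining: 0, retryAfterMs: w.start + windowMs - now };
    }
    w.count += 1;
    return { allowed: true, remaining: max - w.count, retryAfterMs: 0 };
  }

  // Express-style middleware built on check(); the key is the client address.
  // Behind a reverse proxy, derive the key from a trusted forwarded header instead,
  // otherwise every client shares the proxy's address and one abuser locks out all.
  function middleware(req, res, next) {
    const r = check(req.ip);
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      res.statusCode = 429;
      return res.end(JSON.stringify({ error: 'Too many requests' }));
    }
    next();
  }

  // Drop expired windows so the map does not grow without bound; returns live entries.
  function prune(now = Date.now()) {
    for (const [k, w] of windows) if (now - w.start >= windowMs) windows.delete(k);
    return windows.size;
  }

  return { check, middleware, prune };
}
```

Two operational points follow from the code: the limiter's state is per process, so a multi-instance deployment needs a shared store (or a limiter at the gateway) to enforce a single global limit, and the `prune` step exists because an unbounded per-key map is itself a resource-exhaustion risk.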
## 4. Input Validation

Validate all inputs to prevent injection attacks:

- SQL Injection: Use parameterized queries
- XSS: Sanitize user input before it is rendered
- Command Injection: Never execute user input

```javascript
// Node.js with Joi validation
const Joi = require('joi');
const schema = Joi.object({
  email: Joi.string().email().required(),
  age: Joi.number().integer().min(0).max(120)
});
// Inside a request handler: reject the request before the data reaches any query
const { error, value } = schema.validate(req.body);
if (error) return res.status(400).json({ error: 'Invalid input' });
```
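The Joi schema above hides two decisions worth seeing explicitly: unknown fields should be rejected rather than silently passed through, and validation is not what stops SQL injection; parameter binding is. The following is an added example, not code from the original guide or from Joi: a small allow-list validator in plain JavaScript that mirrors the schema, followed by the `{ text, values }` shape that parameterized drivers accept. The `users` table, the field names and the function names are constructed; no database client is included.

```javascript
// Added example (not from the original guide): an allow-list validator in plain
// JavaScript mirroring the Joi schema above, and the parameterized query shape
// the validated data is passed into. Table and field names are constructed.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

const userSchema = {
  email: { type: 'string', required: true, pattern: EMAIL_RE, maxLength: 254 },
  age:   { type: 'integer', min: 0, max: 120 },
};

// Returns { value, errors }. Unknown keys are rejected rather than ignored, so a
// client cannot smuggle extra fields such as "role" into the model.
function validate(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { value: null, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`unknown field: ${key}`);
  }
  for (const [key, rule] of Object.entries(schema)) {
    const v = input[key];
    if (v === undefined) {
      if (rule.required) errors.push(`${key} is required`);
      continue;
    }
    const before = errors.length;
    if (rule.type === 'string') {
      if (typeof v !== 'string') errors.push(`${key} must be a string`);
      else {
        if (rule.maxLength && v.length > rule.maxLength) errors.push(`${key} too long`);
        if (rule.pattern && !rule.pattern.test(v)) errors.push(`${key} has invalid format`);
      }
    } else if (rule.type === 'integer') {
      if (!Number.isInteger(v)) errors.push(`${key} must be an integer`);
      else {
        if (rule.min !== undefined && v < rule.min) errors.push(`${key} below minimum`);
        if (rule.max !== undefined && v > rule.max) errors.push(`${key} above maximum`);
      }
    }
    if (errors.length === before) value[key] = v;   // copy only fields that passed
  }
  return errors.length ? { value: null, errors } : { value, errors: [] };
}

// Validated data reaches SQL only as bound parameters, never by string
// concatenation: the statement text is constant regardless of the input.
function insertUserQuery(user) {
  return {
    text: 'INSERT INTO users (email, age) VALUES ($1, $2)',
    values: [user.email, user.age ?? null],
  };
}
```

The test below passes an email that satisfies the format check yet contains a quote and a comment sequence; the point is that the statement text never changes, so the value is stored as data whether or not the validator happened to catch it.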
## 5. CORS Configuration

Configure Cross-Origin Resource Sharing properly, with an explicit allow-list of origins:

```javascript
// Express.js
const express = require('express');
const cors = require('cors');

const app = express();
app.use(cors({
  origin: 'https://yourdomain.com', // explicit allow-list, not '*' or a reflected Origin
  methods: ['GET', 'POST'],
  credentials: true
}));
```
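What the `cors()` options above do internally is decide, per request, whether the `Origin` header is on the allow-list and which headers to emit. The following is an added example, not code from the original guide or from the `cors` package, showing that decision in plain JavaScript, including the two mistakes a misconfiguration most often makes: matching origins by prefix or substring instead of exact value, and combining `*` with credentials. The origins, `corsHeadersFor`, `assertSaneCorsConfig` and `preflightResponse` are constructed for illustration.

```javascript
// Added example (not from the original guide): CORS headers derived from an
// explicit origin allow-list. Reflecting an arbitrary Origin, or combining "*"
// with credentials, would let any site make credentialed calls. Origins are constructed.
const ALLOWED_ORIGINS = new Set(['https://yourdomain.com', 'https://app.yourdomain.com']);
const ALLOWED_METHODS = ['GET', 'POST'];

// Returns the headers to add for a request carrying `originHeader` (undefined for
// same-origin or non-browser clients), or null when the origin is not allowed.
// Membership is an exact match on scheme + host + port: "https://yourdomain.com.evil.example"
// and "http://yourdomain.com" are different origins and must not match.
function corsHeadersFor(originHeader, { allowCredentials = true } = {}) {
  if (!originHeader || !ALLOWED_ORIGINS.has(originHeader)) return null;
  const headers = {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    // Caches must key on Origin, or one origin's allowed response could be served to another.
    'Vary': 'Origin',
  };
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Reject the one combination browsers refuse and developers often try.
function assertSaneCorsConfig(config) {
  if (config.origin === '*' && config.credentials === true) {
    throw new Error('Access-Control-Allow-Origin "*" cannot be combined with credentials');
  }
  return true;
}

// Answer a preflight (OPTIONS): 204 with the headers, or 403 if the origin is unknown.
function preflightResponse(originHeader) {
  const h = corsHeadersFor(originHeader);
  return h ? { status: 204, headers: h } : { status: 403, headers: { Vary: 'Origin' } };
}
```

Remember that CORS only governs what a browser will let a page read; it is not an authentication control, and non-browser clients ignore it entirely. Authentication and authorization (section 2) must hold regardless of origin.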
## 6. Security Headers

Add these security headers to every response:

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
```
## 7. API Versioning

Version your APIs to maintain backward compatibility:

```text
https://api.example.com/v1/users
https://api.example.com/v2/users
```
## 8. Logging & Monitoring

- Log all API requests (but not sensitive data)
- Monitor for suspicious patterns
- Set up alerts for anomalies
- Never log passwords or API keys
## 9. Secrets Management

- Use environment variables for secrets
- Never commit secrets to Git
- Use secret managers (AWS Secrets Manager, HashiCorp Vault)
- Rotate secrets regularly
## 10. Error Handling

Don't expose sensitive information in error messages.

Bad:

```json
{ "error": "Database connection failed: [email protected]" }
```

Good:

```json
{ "error": "Internal server error", "code": 500 }
```
## Common API Vulnerabilities

| Vulnerability | Description | Prevention |
|---|---|---|
| Broken Authentication | Weak auth mechanisms | Use OAuth 2.0, strong tokens |
| Excessive Data Exposure | Returning too much data | Return only required fields |
| No Rate Limiting | API abuse/DDoS | Implement rate limiting |
| Injection | SQL/Command injection | Input validation, parameterized queries |
| Improper Assets Management | Old API versions exposed | Deprecate old versions |
## Security Checklist

- ✅ HTTPS only (no HTTP)
- ✅ Authentication on all endpoints
- ✅ Authorization checks (role-based access)
- ✅ Rate limiting enabled
- ✅ Input validation on all inputs
- ✅ CORS properly configured
- ✅ Security headers added
- ✅ Error messages don't leak info
- ✅ Secrets stored securely
- ✅ Logging & monitoring active
- ✅ API versioning in place
- ✅ Regular security audits
## Tools for API Security

- OWASP ZAP: Security testing tool
- Postman: API testing with security checks
- Burp Suite: Web vulnerability scanner
- Snyk: Dependency vulnerability scanning