The OWASP API Security Top 10
OWASP maintains the API Security Top 10, a ranked list of the most common and most damaging API risks. Broken Object Level Authorisation (BOLA) sits at number one. It occurs when an endpoint accepts an object identifier from the client (for example /orders/{id}) and returns or modifies that object without checking that the caller is entitled to it, so an attacker who is logged in as one user can read or change another user's data simply by changing the ID.
Authentication vs Authorisation
Authentication establishes who the caller is. Authorisation decides what that caller may do. They are distinct checks and an API needs both. JWTs are a common choice for stateless authentication, but a token proves nothing until its signature, algorithm, expiry (exp) and intended audience have been verified on every request; pin the accepted algorithm server-side rather than trusting the token's alg header. For authorisation, implement role-based access control (RBAC) for coarse permissions, and additionally check ownership (or an equivalent object-level rule) on every data access, since a valid role does not entitle a user to every object of that type. Never derive the acting user from a client-supplied ID in the path, query string or body; take it from the verified credential.
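The two sections above (BOLA, and authentication versus authorisation) are illustrated together in the following added example. It is not code from the original page or from OWASP; it is a self-contained Python sketch with a hypothetical shared secret, a constructed in-memory ORDERS table, and an HS256 JWT implemented by hand so it runs offline (a production service would use a maintained JWT library). It shows the authentication step (verify_token: signature, pinned algorithm, expiry), a BOLA-vulnerable handler that stops at authentication, and the hardened handler that adds the object-level ownership/role check using the subject from the verified token rather than anything the client supplied.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical shared HMAC secret; in production load it from a secret store.
SECRET = b"example-hs256-secret-do-not-use-in-prod"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, roles: list, ttl: int = 300, now=None) -> str:
    """Authentication: the identity provider (sole holder of SECRET) mints an
    HS256 JWT asserting who the caller is and which roles they hold."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "roles": roles, "iat": now, "exp": now + ttl}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims only if algorithm, signature and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side: never let the token choose (blocks alg=none
    # and algorithm-confusion attacks).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


# Constructed sample data standing in for an orders table.
ORDERS = {
    "o-100": {"owner": "alice", "total": 42.0},
    "o-200": {"owner": "bob", "total": 99.0},
}


def get_order_vulnerable(token: str, order_id: str, now=None) -> dict:
    """BOLA: the caller is authenticated, but nothing ties them to the object,
    so any logged-in user can read any order by changing order_id in the URL."""
    verify_token(token, now)
    order = ORDERS.get(order_id)
    if order is None:
        raise LookupError("not found")
    return order


def get_order(token: str, order_id: str, now=None) -> dict:
    """Authenticate, then authorise at the object level: the subject from the
    verified token must own the order or hold the 'admin' role."""
    claims = verify_token(token, now)  # identity comes from the token, not the request
    order = ORDERS.get(order_id)
    if order is None or not (order["owner"] == claims["sub"] or "admin" in claims["roles"]):
        # Same error for "missing" and "not yours": don't let callers enumerate valid IDs.
        raise PermissionError("not found")
    return order
```

The ownership check lives in the handler next to the data access, not in a route-level role check, because RBAC alone would still let every "user" read every order; that gap is exactly what BOLA names.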
Rate Limiting
Rate limiting prevents abuse (brute force, credential stuffing, scraping) and protects server resources. Enforce it at the API gateway or in middleware, keyed on something the client cannot trivially change (API key or authenticated user first, source IP as a fallback). When a client exceeds its limit, return 429 Too Many Requests with a Retry-After header saying when it may try again. A fixed window lets a client burst up to twice the limit across the window boundary; sliding window algorithms avoid that and are fairer.
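The following added example (not code from the original page) implements the sliding window described above as a sliding-window log in Python: one timestamp per recent request per key, so the limit is exact at the window boundary. The check returns the decision and a Retry-After value derived from the oldest request still in the window, and a small middleware-style wrapper turns that into the 429 response. The clock is injectable so the behaviour can be reproduced deterministically; the class and function names are this example's own.

```python
import math
import time
from collections import deque


class SlidingWindowLimiter:
    """At most `limit` requests per `window` seconds per key.

    Sliding-window log: stores one timestamp per request inside the window,
    so a client cannot burst 2x the limit around a boundary the way a
    fixed-window counter allows. Key on API key / user ID, IP as fallback.
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._log = {}  # key -> deque of request timestamps within the window

    def check(self, key: str, now=None):
        """Return (allowed, retry_after_seconds); retry_after is 0 when allowed."""
        now = time.monotonic() if now is None else now
        q = self._log.setdefault(key, deque())
        # Evict timestamps that have slid out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return True, 0
        # The oldest request still in the window decides when a slot frees up.
        # Rejected requests are not recorded, so a client hammering the API
        # does not push its own retry time further out.
        retry_after = q[0] + self.window - now
        return False, max(1, math.ceil(retry_after))


def handle(limiter: SlidingWindowLimiter, client_id: str, now=None):
    """Middleware-style gate: returns (status, headers) for one request."""
    allowed, retry_after = limiter.check(client_id, now)
    if not allowed:
        return 429, {"Retry-After": str(retry_after)}
    return 200, {}
```

The log costs memory proportional to limit x active keys; for very high limits a sliding-window counter (weighted blend of the current and previous fixed windows) gives an approximation at constant cost per key.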
Input Validation
Validate all input on the server, whatever the client has already checked. Check data type, length, format and range against an allow-list, and reject requests carrying unexpected fields rather than silently ignoring them (otherwise a client can set properties the endpoint never meant to expose, such as a role flag). Prefer rejecting bad input to sanitising it into something acceptable. Use parameterised queries (prepared statements) for every database operation so that user data is passed as a value and can never be interpreted as SQL. Never eval() or otherwise execute user-supplied strings.
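As an added example (not from the original page), the Python below applies the rules above to one request body: an allow-list schema that checks type, format and range and rejects unexpected or missing fields, and the same lookup written first with string formatting and then with a placeholder so the injection can be observed side by side. The user table, schema and endpoint function are constructed for the example; the database is an in-memory sqlite3 so it runs offline.

```python
import re
import sqlite3

# Allow-list schema: field -> (exact type, predicate). Unlisted fields are rejected.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")
SCHEMA = {
    "username": (str, lambda v: USERNAME_RE.fullmatch(v) is not None),
    "limit": (int, lambda v: 1 <= v <= 100),
}


class ValidationError(ValueError):
    pass


def validate(payload) -> dict:
    """Return a cleaned copy of payload or raise ValidationError."""
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    unexpected = set(payload) - set(SCHEMA)
    if unexpected:
        # Reject, don't ignore: silently dropping fields hides probing for
        # mass-assignment ("role": "admin") and masks client bugs.
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    clean = {}
    for field, (typ, ok) in SCHEMA.items():
        if field not in payload:
            raise ValidationError(f"missing field: {field}")
        value = payload[field]
        # Exact type check: bool subclasses int, so True must not pass as 1.
        if type(value) is not typ:
            raise ValidationError(f"{field}: expected {typ.__name__}")
        if not ok(value):
            raise ValidationError(f"{field}: bad format or out of range")
        clean[field] = value
    return clean


def make_db() -> sqlite3.Connection:
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # String formatting splices attacker-controlled text into the SQL grammar.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user(conn, username, limit=10):
    # Placeholders: the driver passes values out of band; they cannot become SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ? LIMIT ?",
        (username, limit),
    ).fetchall()


def lookup(conn, payload):
    """Endpoint body: validate first, then query with parameters."""
    clean = validate(payload)
    return find_user(conn, clean["username"], clean["limit"])
```

Note that the username regex would already reject the injection payload, but validation is defence in depth: the parameterised query is what guarantees safety, and fields with looser formats (a free-text comment, say) get no protection from a regex.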