Back to Guides

    API Security Checklist For Production Readiness

    A practical API security checklist for engineering teams. Use it to review authentication, rate limiting, object-level authorization, SSRF protections, schema validation, and logging before release.

    How To Use This Checklist

    Most API security failures are not caused by one dramatic mistake. They usually come from small missing controls across authentication, authorization, validation, and observability.

    This checklist is designed to be skimmed by developers, security engineers, and reviewers before a release. If you cannot answer these checks clearly, you probably need more hardening before production.

    Coverage

    Identity, access control, input validation, and detection.

    Best for

    Pre-release reviews, architecture check-ins, and handoff audits.

    Goal

    Catch missing controls before they become production issues.

    Authentication

    Authentication is the first control that separates anonymous traffic from trusted callers. If identity is weak, every downstream authorization and audit decision is unreliable.

    What to verify
    • Use short-lived tokens or strongly managed API keys.
    • Rotate credentials and revoke compromised sessions quickly.
    • Store refresh tokens or long-lived secrets in secure server-side or HttpOnly storage.
    • Validate issuer, audience, expiry, and signature on every request.
    Common mistakes
    • Treating possession of a token as proof of full trust.
    • Allowing long-lived bearer tokens with no revocation story.
    • Skipping signature or audience checks in internal environments.

    Rate Limiting

    Rate limits protect both availability and business workflows. They reduce brute force attempts, abusive automation, and noisy retries before they become incidents.

    What to verify
    • Apply limits per user, token, IP, and sensitive workflow where appropriate.
    • Protect login, password reset, search, and payment-related endpoints separately.
    • Return predictable status codes and retry guidance.
    • Monitor for bursts that stay under global limits but abuse one business flow.
    Common mistakes
    • Using one global limit for every route.
    • Ignoring expensive read operations and batch endpoints.
    • Forgetting background jobs and partner integrations when designing policies.

    Object-Level Authorization

    Most high-impact API breaches happen after login, when a caller can access the wrong record by changing an ID, tenant value, or relationship key.

    What to verify
    • Check access every time an object is read, updated, or deleted.
    • Bind database lookups to caller identity and tenant context.
    • Test cross-tenant IDs, sequential IDs, and stale object references.
    • Apply the same checks to exports, downloads, and background actions.
    Common mistakes
    • Checking authentication but not ownership.
    • Authorizing at the route level only.
    • Assuming frontend filtering prevents server-side object abuse.

    SSRF Protections

    Endpoints that fetch remote URLs can be turned into a bridge to internal services, metadata endpoints, and cloud management interfaces.

    What to verify
    • Use allowlists for outbound destinations whenever possible.
    • Block link-local, loopback, RFC1918, and metadata IP ranges.
    • Resolve and validate hostnames after redirects, not just before the first request.
    • Separate outbound fetch workers from sensitive internal networks.
    Common mistakes
    • Validating only the string form of a URL.
    • Following redirects without re-checking the destination.
    • Running fetch-capable services with broad internal network access.

    Schema Validation

    Strict request and response schemas reduce mass assignment, parser confusion, and hidden attack surface. They also keep your API definition aligned with reality.

    What to verify
    • Reject unknown fields on sensitive endpoints.
    • Validate nested payloads, enums, lengths, formats, and required fields.
    • Enforce response schemas for fields that must never leak.
    • Keep OpenAPI definitions and runtime validation in sync.
    Common mistakes
    • Accepting extra JSON properties by default.
    • Trusting upstream services to validate inputs for you.
    • Treating schema validation as documentation only.

    Logging And Monitoring

    Detection closes the gap between prevention and response. Good API telemetry shows who did what, to which object, from where, and whether the pattern is normal.

    What to verify
    • Log actor, route, method, tenant, object reference, and decision outcome.
    • Alert on repeated authorization failures, token misuse, and unusual access volume.
    • Redact secrets, tokens, and sensitive payload fields before storage.
    • Correlate findings across gateway, application, and runtime monitoring layers.
    Common mistakes
    • Logging too little to investigate incidents.
    • Logging full secrets or personal data.
    • Looking only at infrastructure metrics and ignoring API behavior patterns.

    Minimum Baseline Before Production

    Release only when you can confirm:

    • Every protected route has strong authentication.
    • High-risk workflows have explicit rate limits.
    • Object ownership and tenant checks are enforced server-side.
    • Outbound fetches cannot reach internal or cloud metadata services.
    • Strict request validation is active for sensitive endpoints.
    • Audit logs are useful for investigation without leaking secrets.

    Treat these as unresolved risk signals:

    • Auth logic differs across services or environments.
    • Business-critical routes rely on frontend checks.
    • Specs and runtime behavior no longer match.
    • Monitoring exists, but no one can explain what abnormal looks like.
    • Security reviews happen once instead of continuously.