API Security Checklist: 26-Item Guide for REST & GraphQL

TL;DR

This 26-item checklist covers the most critical security issues in REST and GraphQL APIs: authentication, authorization, input validation, rate limiting, and CORS configuration. 8 critical items must be fixed before launch, 15 important items within the first week, and 3 recommended items when you can.

Quick Checklist (5 Critical Items)

Verify tokens on all protected endpointsEvery protected endpoint must check JWT, session, or API key

Validate tokens server-sideVerify signature, expiration, and issuer on backend

Verify resource ownershipUsers can only access/modify their own resources

No IDOR vulnerabilitiesChanging IDs in requests should not expose other users' data

Validate all input server-sideNever trust client-side validation alone

Authentication 4

All protected endpoints verify tokensCheck JWT, session cookie, or API key on every request. How to verify API tokens

Tokens validated server-sideVerify signature, expiration, and issuer on backend. How to validate JWT tokens

Tokens sent securelyUse Authorization header, not URL parameters. How to send tokens securely

Token expiration appropriateShort-lived access tokens with refresh token rotation. How to configure token expiration

Authorization 4

Resource ownership verifiedUsers can only access/modify their own resources. How to verify resource ownership

Role-based access controlAdmin endpoints check for admin role, etc. How to implement RBAC

No IDOR vulnerabilitiesChanging IDs in requests shouldn't give access to other users' data. How to prevent IDOR

Permission checks on every operationCheck permissions on GET, POST, PUT, DELETE - not just one. How to check operation permissions

Input Validation 5

All input validated server-sideNever trust client-side validation. How to validate on server

Type checking enforcedUse Zod, Yup, or similar for schema validation. How to implement schema validation

String lengths limitedPrevent DoS via oversized inputs. How to limit input sizes

Special characters handledSanitize or escape as needed for context (SQL, HTML, etc.). How to sanitize input

Request body size limitedSet max payload size to prevent large payload attacks. How to limit payload size

Rate Limiting 3

Rate limiting on authentication endpointsLogin, signup, password reset must be rate limited. How to rate limit auth endpoints

General API rate limitingLimit requests per user/IP to prevent abuse. How to implement rate limiting

Rate limit headers returnedX-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset. How to add rate limit headers

CORS Configuration 3

No wildcard (*) in productionSpecify exact allowed origins. How to configure CORS

Credentials mode configured correctlyIf using cookies, set credentials: true and specific origins. How to configure CORS with credentials

Allowed methods restrictedOnly allow methods your API actually uses. How to restrict CORS methods

Error Handling 3

::checklist-item{label="Generic error messages for auth failures" description=""Invalid credentials" not "User not found" or "Wrong password". How to secure error messages"} ::

No stack traces in production errorsReturn friendly errors to users, log details server-side. How to hide stack traces

Consistent error formatUse standard format like { error: { code, message } }. How to standardize API errors

GraphQL Specific 4

Query depth limitingPrevent deeply nested queries that cause DoS. How to limit GraphQL depth

Query complexity analysisLimit total query cost/complexity. How to analyze query complexity

Introspection disabled in productionDisable schema introspection to hide API structure. How to disable introspection

Field-level authorizationCheck permissions on sensitive fields, not just types. How to implement field-level auth

API Security Fundamentals

Every API endpoint should answer four questions: Who is making this request (authentication)? Are they allowed to do this (authorization)? Is the data they sent safe (validation)? Are they making too many requests (rate limiting)?

What is IDOR and how do I prevent it?

IDOR (Insecure Direct Object Reference) occurs when users can access other users' data by changing IDs in requests. Prevent it by always verifying that the authenticated user owns or has permission to access the requested resource before returning or modifying it.

Should I use wildcard CORS in production?

Never use wildcard (*) CORS in production for APIs that handle sensitive data. Specify exact allowed origins. If using cookies for authentication, you must specify origins anyway since credentials mode doesn't work with wildcards.

Why validate input on the server if I validate on the client?

Client-side validation can be bypassed by anyone with browser DevTools or API tools like Postman. It's for user experience, not security. Always validate on the server - that's where security decisions must be made.