Security Intermediate

What is API Security?

Practices and mechanisms for protecting APIs from unauthorized access, data breaches, and abuse.

API security encompasses authentication (verifying identity — API keys, OAuth tokens, JWTs), authorization (verifying permissions — scopes, RBAC), transport security (HTTPS/TLS), input validation (preventing injection), rate limiting (preventing abuse), and monitoring (detecting anomalies). Common vulnerabilities include Broken Object Level Authorization (BOLA — accessing other users' data by changing IDs), excessive data exposure (returning more fields than needed), and mass assignment (accepting unexpected fields). The OWASP API Security Top 10 lists the most critical API risks. Best practices include using short-lived tokens, validating all inputs, implementing proper error handling without leaking details, and logging all API access for audit.
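The three weaknesses named above (BOLA, excessive data exposure, mass assignment), plus scope checks and short-lived tokens, are easiest to see in a tiny request handler. The following is an added example written for this entry, not code from the original page: an in-memory "orders" API with a vulnerable read and update beside their hardened versions. All users, orders, bearer tokens and scope names are constructed sample data, and `handle()` stands in for the web framework's error mapping.

```python
"""Added example (not from the original page): a minimal in-memory order API
showing BOLA, excessive data exposure and mass assignment next to their fixes.
Every user, order, token and scope below is constructed sample data."""
import time
from dataclasses import dataclass


@dataclass
class Order:
    id: int
    owner: str
    total: float
    status: str
    internal_notes: str   # must never leave the service
    card_last4: str       # sensitive and not needed by the client


# Constructed sample data: two orders owned by two different users.
ORDERS = {
    1: Order(1, "alice", 42.0, "shipped", "flagged for manual review", "4242"),
    2: Order(2, "bob", 17.5, "pending", "", "1111"),
}

# Constructed bearer tokens -> (subject, granted scopes, expiry as epoch seconds).
# Real deployments would use signed JWTs or an introspection endpoint instead.
TOKENS = {
    "tok-alice": ("alice", {"orders:read", "orders:write"}, time.time() + 300),
    "tok-bob":   ("bob",   {"orders:read"},                 time.time() + 300),
    "tok-stale": ("alice", {"orders:read", "orders:write"}, time.time() - 1),
}

PUBLIC_FIELDS = ("id", "total", "status")   # explicit response allowlist (fixes excessive data exposure)
UPDATABLE_FIELDS = {"status"}               # explicit input allowlist (fixes mass assignment)


class ApiError(Exception):
    """Carries an HTTP status and a client-safe message; no stack traces or internals."""
    def __init__(self, code, msg):
        super().__init__(msg)
        self.code, self.msg = code, msg


def authenticate(token):
    """Resolve a bearer token to (subject, scopes); expired or unknown tokens are rejected."""
    entry = TOKENS.get(token)
    if entry is None:
        raise ApiError(401, "invalid token")
    subject, scopes, expires_at = entry
    if time.time() >= expires_at:
        raise ApiError(401, "token expired")
    return subject, scopes


def load_owned_order(order_id, subject):
    """Object-level authorization (the BOLA fix): the caller must own the object.
    Missing and not-owned both map to 404 so the response does not confirm the ID exists."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != subject:
        raise ApiError(404, "order not found")
    return order


def serialize(order):
    """Return only the allowlisted fields, never the whole object."""
    return {name: getattr(order, name) for name in PUBLIC_FIELDS}


def get_order_insecure(order_id):
    """Vulnerable read: no owner check (BOLA) and every attribute is returned (excessive data exposure)."""
    return dict(vars(ORDERS[order_id]))


def get_order(token, order_id):
    """Hardened read: authenticate, check scope, check ownership, return allowlisted fields."""
    subject, scopes = authenticate(token)
    if "orders:read" not in scopes:
        raise ApiError(403, "insufficient scope")
    return serialize(load_owned_order(order_id, subject))


def update_order_insecure(order_id, body):
    """Vulnerable update: copies every key in the request body onto the object (mass assignment),
    so a client can change 'owner' or 'total' just by including them."""
    order = ORDERS[order_id]
    for key, value in body.items():
        setattr(order, key, value)
    return dict(vars(order))


def update_order(token, order_id, body):
    """Hardened update: scope + ownership checks, and unexpected fields are rejected, not ignored."""
    subject, scopes = authenticate(token)
    if "orders:write" not in scopes:
        raise ApiError(403, "insufficient scope")
    order = load_owned_order(order_id, subject)
    unexpected = set(body) - UPDATABLE_FIELDS
    if unexpected:
        raise ApiError(400, f"unknown fields: {sorted(unexpected)}")
    for key in UPDATABLE_FIELDS & set(body):
        setattr(order, key, body[key])
    return serialize(order)


def handle(fn, *args):
    """Stand-in for the framework layer: maps ApiError to (status, body) without leaking details."""
    try:
        return 200, fn(*args)
    except ApiError as err:
        return err.code, {"error": err.msg}


if __name__ == "__main__":
    print(handle(get_order, "tok-alice", 1))                 # (200, {'id': 1, 'total': 42.0, 'status': 'shipped'})
    print(handle(get_order, "tok-bob", 1))                   # (404, ...) bob does not own order 1
    print(handle(update_order, "tok-alice", 1, {"owner": "x"}))  # (400, ...) field not updatable
```

Two design choices worth noting: ownership failures return the same 404 as a missing record, so an ID probe learns nothing; and the update rejects unknown fields with a 400 instead of silently dropping them, which makes a client that was relying on mass assignment fail loudly in testing rather than quietly in production.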

Related Terms

DAST (Dynamic Application Security Testing)
Testing a running application from the outside by sending malicious requests to discover security vulnerabilities.
Two-Factor Authentication (2FA)
A security method requiring two different forms of identification before granting access to an account.
PKI (Public Key Infrastructure)
A framework of policies, hardware, and software for creating, managing, distributing, and revoking digital certificates.
Certificate Pinning
A security technique that associates a host with its expected TLS certificate or public key, preventing man-in-the-middle attacks with fraudulent certificates.
Penetration Testing
An authorized simulated cyberattack on a system to evaluate its security defenses and identify vulnerabilities.
Principle of Least Privilege
A security principle where users and programs receive only the minimum access rights needed to perform their specific tasks.