โ Preventing vulnerabilities in APIs
When designing APIs, make sure that security is a consideration from the beginning. In particular, make sure that you:
Secure your documentation if you don't intend your API to be publicly accessible.
Ensure your documentation is kept up to date so that legitimate testers have full visibility of the API's attack surface.
Apply an allowlist of permitted HTTP methods.
Validate that the content type is expected for each request or response.
Use generic error messages to avoid giving away information that may be useful for an attacker.
Use protective measures on all versions of your API, not just the current production version.
To prevent mass assignment vulnerabilities, allowlist the properties that can be updated by the user, and blocklist sensitive properties that shouldn't be updated by the user.
Last updated