Back
🛡️
REST API Security Hardening Checklist
Hard
16 items
·
2 hours
testuser
Published 1 month ago
This checklist helps engineers and dev teams harden REST APIs against common threats like token abuse, injection, and data leaks. It’s designed for backend developers, security engineers, and devops preparing APIs for production.
Progress
0 / 16
- Define API key rotation and revocation policy — Specify rotation interval, emergency revocation process, and audit logging.
- Rotate API keys and revoke compromised keys — Automate rotation and immediate revocation on compromise; notify clients.
- Implement JWT expiry and refresh token rotation — Use short-lived access tokens and rotate refresh tokens to detect reuse.
- Set short-lived access token lifetimes — Limit access tokens to minutes/hours; avoid long-lived access tokens.
- Rotate refresh tokens on use — Issue a new refresh token on each refresh and invalidate the previous one.
- Enforce HTTPS on all endpoints — Redirect HTTP to HTTPS, enable HSTS, and disable insecure protocols.
- Apply a strict CORS allowlist — Only allow required origins, specific methods, and limit credentials usage.
- Implement rate limiting per endpoint and client — Set different limits for auth, search, and heavy endpoints; include bursts and quotas.
- Validate all inputs and enforce JSON schema — Validate body, query, and path params; reject unexpected or extra fields.
- Prevent SQL injection with parameterized queries or ORM — Use prepared statements or ORM query builders; never concatenate SQL with user data.
- Return minimal data and avoid leaking sensitive fields — Remove internal IDs, secrets, tokens, and PII from API responses.
- Verify JWT signatures and validate claims — Check signature, issuer, audience, expiry, and token revocation lists.
- Enforce least-privilege access and scoped tokens — Use RBAC/ABAC and limit token scopes to required actions.
- Log, monitor, and alert on suspicious activity — Track auth failures, token reuse, spikes, and set actionable alerts.
- Run regular security scans and penetration tests — Schedule SAST/DAST scans and periodic pentests focused on auth and injection paths.
- Rotate signing keys (JWKS) with zero-downtime — Publish JWKS with kid, support key rollover, and keep old keys for validation window.
Your Stats
🏆
0
Completed
📅
—
Last Done
⏱️
—
Last Time
Completion Rate
Items checked per run
⚡
—
Fastest Run
🔥
0
Streak
🚫
—
Most Skipped Step
🔄
0
Resets
📝 My Notes