API Security
Updated Sep 9, 2025

API Security Testing Checklist that Catches Real Issues

APIs are the backbone of modern apps. Small oversights turn into data leaks or account takeovers. Use this practical checklist to find the common failures before attackers do.

Authentication and session

  • Enforce strong auth flows (MFA for privileged accounts and sensitive actions)
  • Prefer short‑lived access tokens; rotate refresh tokens on every use
  • Send tokens in HttpOnly, Secure, SameSite cookies or in the Authorization header, always over HTTPS
  • Never put bearer tokens in URLs; they leak into logs, referrers, and browser history
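As an added illustration of the short‑lived token and refresh‑rotation items above (example code written for this page, not Barrion's own and not from the original article): a minimal HMAC‑signed access token with a five‑minute expiry, and a refresh‑token store that rotates on every use and revokes the whole token family when a previously used refresh token is replayed. The signing key, TTLs and token format are assumptions; a production service would use a vetted JWT or PASETO library and keep the key in a secret store.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed for this example only; a real deployment keeps the key in a
# secret store and uses a vetted JWT/PASETO library rather than hand-rolled signing.
SIGNING_KEY = b"example-only-signing-key"
ACCESS_TTL = 300             # 5-minute access tokens
REFRESH_TTL = 7 * 24 * 3600  # 7-day refresh tokens, rotated on every use


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(subject: str, now: float) -> str:
    """Stateless access token: base64url(payload).base64url(HMAC-SHA256(payload))."""
    payload = json.dumps({"sub": subject, "exp": int(now) + ACCESS_TTL},
                         separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_access_token(token: str, now: float):
    """Return the subject for a correctly signed, unexpired token, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["sub"]


class RefreshTokenStore:
    """Server-side refresh tokens with rotation and reuse detection.

    Every refresh hands out a new refresh token and marks the old one used.
    If a used token shows up again, two parties hold copies (the client and a
    thief), so the whole token family is revoked and both must log in again.
    """

    def __init__(self):
        self._records = {}  # refresh token -> {"sub", "family", "exp", "used"}
        self._revoked_families = set()

    def issue(self, subject: str, now: float, family=None) -> str:
        token = secrets.token_urlsafe(32)
        self._records[token] = {
            "sub": subject,
            "family": family or secrets.token_urlsafe(16),
            "exp": now + REFRESH_TTL,
            "used": False,
        }
        return token

    def rotate(self, refresh_token: str, now: float):
        """Exchange a refresh token for (access_token, new_refresh_token), or None."""
        rec = self._records.get(refresh_token)
        if rec is None or rec["exp"] <= now or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # Replay of an already-rotated token: revoke the family, deny everyone.
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        new_refresh = self.issue(rec["sub"], now, rec["family"])
        return mint_access_token(rec["sub"], now), new_refresh
```

The refresh token is an opaque random value looked up server‑side, so it can be revoked; the access token is self‑contained and expires on its own, which is why it must be short‑lived.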

Authorization

  • Test for IDOR: with one account, request resources that belong to another
  • Enforce object‑level checks on every operation (read, update, delete, export), not just on reads
  • Derive the owner from the authenticated session; never trust a client‑supplied owner or tenant ID on its own

Input and serialization

  • Validate types and bounds strictly
  • Reject unknown fields in JSON bodies
  • Use allowlists for enums and states
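The three items above fit in one validator. The following is an added example for this page, not code from the original article: a strict JSON body validator for a hypothetical PATCH /v1/orders/{id} endpoint (the schema, field names and limits are assumptions) that rejects unknown fields, duplicate keys, wrong types and out‑of‑range values, and allowlists the status values a client may set.

```python
import json


class ValidationError(Exception):
    pass


def _reject_duplicate_keys(pairs):
    """json.loads silently keeps the last duplicate key; make that a hard error."""
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValidationError("duplicate keys")
    return dict(pairs)


# Field -> (required Python type, predicate). Constructed for a hypothetical
# PATCH /v1/orders/{id}; anything not listed here is rejected, which is the
# defence against mass assignment of fields such as is_admin or price.
ORDER_PATCH_SCHEMA = {
    "quantity": (int, lambda v: 1 <= v <= 100),
    "note":     (str, lambda v: len(v) <= 500),
    "status":   (str, lambda v: v in {"pending", "cancelled"}),  # allowlist; paid/shipped are server-set
}


def validate_body(raw, schema, max_bytes=16 * 1024):
    """Parse and validate a JSON request body against `schema`; return the cleaned dict."""
    if len(raw) > max_bytes:
        raise ValidationError("body too large")
    try:
        body = json.loads(raw, object_pairs_hook=_reject_duplicate_keys)
    except ValueError:  # JSONDecodeError is a ValueError; ValidationError passes through
        raise ValidationError("malformed JSON")
    if not isinstance(body, dict):
        raise ValidationError("object expected")
    unknown = set(body) - set(schema)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    clean = {}
    for name, value in body.items():
        expected_type, predicate = schema[name]
        # bool is a subclass of int in Python, so `true` would pass an int check; reject it explicitly
        if isinstance(value, bool) or not isinstance(value, expected_type):
            raise ValidationError(f"{name}: wrong type")
        if not predicate(value):
            raise ValidationError(f"{name}: out of range or not allowed")
        clean[name] = value
    return clean


def validation_error(raw, schema=ORDER_PATCH_SCHEMA):
    """The error message for an invalid body, or None when it is clean."""
    try:
        validate_body(raw, schema)
    except ValidationError as exc:
        return str(exc)
    return None
```

Rejecting unknown fields rather than ignoring them is the important choice: an ignored extra field is exactly how a client slips a server‑managed property past a permissive deserializer.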

Rate limiting and abuse controls

  • Reasonable per‑IP and per‑user rate limits
  • Distinct limits for login, password reset, and expensive endpoints
  • Circuit breakers for bursts and anomalies
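An added example (not from the original article) of the per‑IP and per‑user limits with separate buckets per endpoint class: a token‑bucket limiter with an injectable clock so the behaviour can be tested without waiting. The limit values, the endpoint class names and FakeClock are assumptions for illustration.

```python
import time

# Per-endpoint-class limits as (bucket capacity, refill per second).
# Values are constructed for the example; tune them to real traffic.
LIMITS = {
    "login":   (5,   5 / 60),    # 5 attempts, then one every 12 s
    "reset":   (3,   3 / 3600),  # 3 password resets per hour
    "report":  (10,  10 / 60),   # expensive endpoint, kept far below the default
    "default": (100, 100 / 60),
}


class TokenBucketLimiter:
    """Token buckets keyed by (endpoint class, subject key). One class never
    borrows capacity from another, so a login storm cannot exhaust the API
    limit and vice versa. `clock` is injectable so the behaviour is testable."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self._buckets = {}  # (class, key) -> (tokens, last_refill_time)

    def allow(self, endpoint_class, key):
        capacity, rate = self.limits.get(endpoint_class, self.limits["default"])
        now = self.clock()
        tokens, last = self._buckets.get((endpoint_class, key), (capacity, now))
        tokens = min(capacity, tokens + (now - last) * rate)
        allowed = tokens >= 1
        self._buckets[(endpoint_class, key)] = (tokens - 1 if allowed else tokens, now)
        return allowed


def check_request(limiter, endpoint_class, client_ip, subject=None):
    """Apply the per-IP bucket and, when a subject is known, the per-subject
    bucket; both must pass. For login, pass the attempted username as the
    subject so that spraying one account from many IPs is throttled too."""
    keys = [f"ip:{client_ip}"]
    if subject is not None:
        keys.append(f"subject:{subject}")
    return all(limiter.allow(endpoint_class, k) for k in keys)


class FakeClock:
    """Manual clock used to exercise the limiter without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```

In a multi‑instance deployment the bucket state lives in a shared store (Redis is the usual choice) rather than in process memory; the keying scheme stays the same.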

Error handling and responses

  • No stack traces or framework leaks
  • Consistent error formats
  • Avoid revealing internal IDs or implementation detail in error bodies

Transport and headers

  • Enforce HTTPS everywhere
  • Set CORS to an exact origin allowlist; never combine * (or a reflected Origin) with credentials
  • Set security headers on API responses where relevant

Testing workflow

# Example: probing authz on a REST endpoint
curl -i -H "Authorization: Bearer <token-of-user-A>" https://api.example.com/v1/orders/123

# Then repeat with user B's token; expect 403, or a consistent 404, if B does not own the order. A 200 is broken object-level authorization.

GraphQL:

{
  order(id: 123) { id userId total }
}

Ensure resolvers enforce ownership checks, not just schema-level types.

Common pitfalls

  • CORS wide open with credentials
  • Putting secrets in mobile apps or SPA bundles
  • Long‑lived tokens without rotation

Advanced tips

  • Log and alert on authz denials by resource type to discover IDOR attempts
  • Use structured scopes; avoid "god" tokens
  • Threat‑model integrations and webhooks
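The first tip is concrete enough to show as code. Below is an added example, not part of the original article, that runs over a constructed JSON access‑log sample: it counts authorization denials per resource type and raises an alert when one user collects five or more denials on the same resource type within 60 seconds, which is what sequential‑ID probing looks like. The log schema, route regexes and thresholds are assumptions.

```python
import json
import re
from collections import Counter, defaultdict, deque

# Constructed structured access-log sample: one JSON object per line.
# u-42 walks sequential order IDs and is denied on each; u-7 gets a stray
# denial; u-9 is denied repeatedly but slowly (one request every 75 s).
SAMPLE_LOG = """\
{"ts": 1700000000, "user": "u-42", "path": "/v1/orders/1001", "status": 200}
{"ts": 1700000002, "user": "u-42", "path": "/v1/orders/1002", "status": 403}
{"ts": 1700000003, "user": "u-42", "path": "/v1/orders/1003", "status": 403}
{"ts": 1700000004, "user": "u-42", "path": "/v1/orders/1004", "status": 404}
{"ts": 1700000005, "user": "u-42", "path": "/v1/orders/1005", "status": 403}
{"ts": 1700000006, "user": "u-7", "path": "/v1/orders/2001", "status": 200}
{"ts": 1700000007, "user": "u-7", "path": "/v1/orders/2002", "status": 403}
{"ts": 1700000008, "user": "u-42", "path": "/v1/orders/1006", "status": 403}
{"ts": 1700000009, "user": "u-42", "path": "/v1/orders/1007", "status": 403}
{"ts": 1700000010, "user": "u-7", "path": "/v1/users/9", "status": 403}
{"ts": 1700000100, "user": "u-9", "path": "/v1/orders/3001", "status": 403}
{"ts": 1700000175, "user": "u-9", "path": "/v1/orders/3002", "status": 403}
{"ts": 1700000250, "user": "u-9", "path": "/v1/orders/3003", "status": 403}
{"ts": 1700000325, "user": "u-9", "path": "/v1/orders/3004", "status": 403}
{"ts": 1700000400, "user": "u-9", "path": "/v1/orders/3005", "status": 403}
"""

# Object routes grouped by resource type (regexes are assumptions for the sample API).
RESOURCE_ROUTES = [
    (re.compile(r"^/v1/orders/\d+$"), "order"),
    (re.compile(r"^/v1/users/\d+$"), "user"),
]

# Both 403 and 404 count: many APIs answer 404 for objects the caller does not own.
DENIAL_STATUSES = {403, 404}


def resource_type(path):
    for pattern, name in RESOURCE_ROUTES:
        if pattern.match(path):
            return name
    return None


def denials_by_type(lines):
    """Per-resource-type denial counts: the series to chart and baseline."""
    counts = Counter()
    for line in lines:
        event = json.loads(line)
        rtype = resource_type(event["path"])
        if rtype and event["status"] in DENIAL_STATUSES:
            counts[rtype] += 1
    return counts


def find_enumeration(lines, threshold=5, window=60):
    """Alert on a (user, resource type) pair with >= threshold denials inside a
    sliding window of `window` seconds. Returns {key: details}, one alert per key."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        event = json.loads(line)
        rtype = resource_type(event["path"])
        if rtype is None or event["status"] not in DENIAL_STATUSES:
            continue
        key = (event["user"], rtype)
        q = recent[key]
        q.append((event["ts"], event["path"]))
        while q and q[0][0] < event["ts"] - window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {
                "first_seen": q[0][0],
                "denials": len(q),
                "paths": [p for _, p in q],  # sequential IDs are the IDOR probing signature
            }
    return alerts
```

The slow probe from u‑9 stays under the window on purpose: a sliding window alone misses low‑and‑slow enumeration, so pair it with the per‑type daily baseline from `denials_by_type`.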

OWASP API Top 10 alignment (brief)

  • API1: Broken Object Level Authorization (test IDOR on every resource)
  • API2: Broken Authentication (short‑lived tokens, MFA for critical paths)
  • API3: Broken Object Property Level Authorization (reject unknown/extra fields)
  • API4: Unrestricted Resource Consumption (rate limits, timeouts)
  • API5: Broken Function Level Authorization (verify action-level permissions)
  • API6: Unrestricted Access to Sensitive Business Flows (protect important workflows)
  • API7: Server Side Request Forgery (validate outbound calls, allowlists)
  • API8: Security Misconfiguration (disable debug, strict CORS, headers)
  • API9: Improper Inventory Management (document versions, deprecate safely)
  • API10: Unsafe Consumption of APIs (validate third-party data; timeouts/retries)

Pair this with ongoing monitoring from the Web security monitoring guide and deeper testing from the Penetration testing guide.

Conclusion

Work through this checklist regularly and before major releases. Close easy gaps first, then refine limits and scopes.

Run focused checks and watch for regressions in the Barrion dashboard. For a quick look at your public surface, try the Network Security tool.

Frequently asked questions

Q: How do I quickly test for IDOR?

A: Use two accounts. With account A, note a resource ID; with account B, request the same ID. Expect 403, or a consistent 404, if B does not own it; a 200 means the object‑level check is missing.
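The two‑account test above, and the resource handler it exercises, in one runnable example written for this page (not Barrion's code and not from the original article). ORDERS, BEARER_TOKENS and the handler names are constructed fixtures. It shows an endpoint that authenticates but skips the ownership check, the fixed version that scopes the lookup to the session subject (the object‑level check from the Authorization section), the GraphQL‑style resolver from the Testing workflow section making the same check, and the probe that returns (200, 200) on the vulnerable handler.

```python
# Constructed in-memory fixtures: two accounts and one order each.
ORDERS = {
    123: {"id": 123, "user_id": "user-A", "total": 49.90},
    124: {"id": 124, "user_id": "user-B", "total": 12.00},
}
BEARER_TOKENS = {"token-A": "user-A", "token-B": "user-B"}  # token -> subject


def authenticate(headers):
    """Map an Authorization header to a subject, or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return BEARER_TOKENS.get(value[len("Bearer "):])


def error(status, code):
    """One error envelope everywhere: a code, no stack trace, no internal detail."""
    return status, {"error": {"code": code}}


def get_order_vulnerable(headers, order_id):
    """Authenticates the caller but never checks ownership: any valid token
    can read any order, which is exactly what the two-token probe finds."""
    if authenticate(headers) is None:
        return error(401, "unauthenticated")
    order = ORDERS.get(order_id)
    if order is None:
        return error(404, "not_found")
    return 200, order


def get_order_fixed(headers, order_id):
    """Object-level check on the specific object: the owner comes from the
    session, never from a client-supplied field. Unowned and nonexistent
    objects get the same 404 so the ID space cannot be enumerated; a
    consistent 403 is the other defensible choice."""
    subject = authenticate(headers)
    if subject is None:
        return error(401, "unauthenticated")
    order = ORDERS.get(order_id)
    if order is None or order["user_id"] != subject:
        return error(404, "not_found")
    return 200, order


def resolve_order(context, id):
    """GraphQL-style resolver for `order(id:)`: the schema type says nothing
    about ownership, so the resolver has to make the same check."""
    order = ORDERS.get(id)
    if order is None or order["user_id"] != context["subject"]:
        return None
    return {"id": order["id"], "userId": order["user_id"], "total": order["total"]}


def idor_probe(handler, owner_token, other_token, resource_id):
    """Two-account test: the owner should get 200, the other user 403 or 404.
    Returns (owner_status, other_status); (200, 200) is a finding."""
    owner_status, _ = handler({"Authorization": f"Bearer {owner_token}"}, resource_id)
    other_status, _ = handler({"Authorization": f"Bearer {other_token}"}, resource_id)
    return owner_status, other_status
```

Run the probe against every object route and every method, not only GET: update and delete handlers are forgotten more often than reads.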

Q: What should my default CORS config be?

A: Avoid *. Allow exact origins only, and send credentials only where they are needed. Treat CORS as a browser‑side control over which origins may read responses, not as authorization: non‑browser clients ignore it entirely.
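An added example for the CORS items in Transport and headers and for this answer (example code for this page, not from the original article): an exact‑origin allowlist that emits Access-Control-Allow-Origin together with Vary: Origin, the reflecting handler that is the usual mistake, and an audit function that probes a handler with untrusted origins. ALLOWED_ORIGINS and the probe origins are assumptions.

```python
# Exact-origin allowlist (scheme + host + port). Constructed for the example.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers(request_headers, allowed=ALLOWED_ORIGINS, credentials=True):
    """CORS headers for a response, or {} when the Origin is not allowed.
    Exact string match only: no suffix or regex matching (which lets
    app.example.com.evil.net through), no reflecting whatever arrives, and
    never '*' on a credentialed endpoint."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        # The answer depends on Origin, so shared caches must key on it.
        "Vary": "Origin",
    }
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_reflecting(request_headers):
    """The common pitfall: echo the request Origin and allow credentials.
    Any site can then read authenticated responses from a victim's browser."""
    return {
        "Access-Control-Allow-Origin": request_headers.get("Origin", "*"),
        "Access-Control-Allow-Credentials": "true",
    }


def audit_cors(handler, probe_origins=("https://evil.example", "null")):
    """Send untrusted Origins to a handler and report the misconfigurations
    this checklist calls out. 'null' is sent by sandboxed iframes and
    file:// pages, so allowing it is as bad as reflection. Browsers refuse
    '*' together with credentials, but emitting it shows the server is not
    checking origins at all."""
    findings = set()
    for origin in probe_origins:
        response = handler({"Origin": origin})
        acao = response.get("Access-Control-Allow-Origin")
        creds = response.get("Access-Control-Allow-Credentials", "").lower() == "true"
        if acao == "*" and creds:
            findings.add("wildcard origin combined with credentials")
        if acao == origin:
            findings.add(f"reflects untrusted origin {origin}")
    return sorted(findings)
```

The audit is the same check to run against a live API with curl: send an Origin you do not own and see whether it comes back in Access-Control-Allow-Origin.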


© 2025 Barrion - All Rights Reserved.