gRPC & Protobuf Security
gRPC feels like a black box — binary protobuf over HTTP/2 — so people assume it is hard to attack. It is not. The wire format is t…
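To make the "not a black box" point concrete, here is an added example (not code from the original page): a schema-less walk of the protobuf wire format. Every field on the wire is a varint tag (field number shifted left three bits, OR'd with the wire type) followed by a varint, a fixed-width value or a length-prefixed blob, so any captured gRPC message can be decoded, edited and re-encoded without the .proto. The sample message, its field numbers and the "role" interpretation of field 2 are constructed for the demo; nothing here refers to a real service.

```python
"""Decode, modify and re-encode protobuf messages without a schema.
Added example for this page; the sample bytes below are constructed, not captured."""
from typing import List, Tuple

WIRE_VARINT, WIRE_FIXED64, WIRE_LEN, WIRE_FIXED32 = 0, 1, 2, 5
Field = Tuple[int, int, object]  # (field number, wire type, value)


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Base-128 little-endian varint. Returns (value, position after it)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:  # a conforming varint is at most 10 bytes
            raise ValueError("varint too long")


def write_varint(value: int) -> bytes:
    out = bytearray()
    while True:
        b, value = value & 0x7F, value >> 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def decode_fields(buf: bytes) -> List[Field]:
    """Split a message into raw fields; length-delimited values stay as bytes
    (they may be strings, bytes or nested messages; without a schema we cannot tell)."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 7
        if field_no == 0:
            raise ValueError("illegal field number 0")
        if wire_type == WIRE_VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type in (WIRE_FIXED64, WIRE_FIXED32):
            width = 8 if wire_type == WIRE_FIXED64 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
        elif wire_type == WIRE_LEN:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field overruns buffer")
            value = buf[pos:pos + length]
            pos += length
        else:  # 3 and 4 are deprecated start/end-group markers
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def encode_fields(fields: List[Field]) -> bytes:
    out = bytearray()
    for field_no, wire_type, value in fields:
        out += write_varint((field_no << 3) | wire_type)
        if wire_type == WIRE_VARINT:
            out += write_varint(value)
        elif wire_type == WIRE_FIXED64:
            out += value.to_bytes(8, "little")
        elif wire_type == WIRE_FIXED32:
            out += value.to_bytes(4, "little")
        elif wire_type == WIRE_LEN:
            out += write_varint(len(value)) + value
    return bytes(out)


def set_varint_field(buf: bytes, field_no: int, new_value: int) -> bytes:
    """Rewrite the first varint field `field_no`, or append it if the message lacks one."""
    fields = decode_fields(buf)
    for i, (fn, wt, _) in enumerate(fields):
        if fn == field_no and wt == WIRE_VARINT:
            fields[i] = (fn, wt, new_value)
            break
    else:
        fields.append((field_no, WIRE_VARINT, new_value))
    return encode_fields(fields)


# Constructed sample: hypothetical message {1: string "alice", 2: int 300, 3: bytes de ad}
SAMPLE = bytes.fromhex("0a05616c69636510ac021a02dead")

if __name__ == "__main__":
    for field_no, wire_type, value in decode_fields(SAMPLE):
        print(field_no, wire_type, value)
    print(set_varint_field(SAMPLE, 2, 1).hex())  # hypothetical "role" field rewritten to 1
```

Two things worth knowing when you do this against a real service: a conforming parser must accept fields it does not know about, and for non-repeated scalars it keeps the last occurrence it sees, so appending a duplicate field is another way to override a value without touching the original bytes. Over gRPC the message is wrapped in a 5-byte frame (1 compressed flag byte plus a 4-byte big-endian length) inside an HTTP/2 DATA frame; strip that before feeding bytes to `decode_fields`.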
OWASP API #9 — you cannot defend an API you have forgotten you are running. Zombie versions that were deprecated but never unroute…
OWASP API #8 — the unglamorous bug class that wins more engagements than any clever exploit. Verbose stack traces, Spring Actuator…
Any endpoint that fetches a URL (image proxy, link preview, webhook, OEmbed, /import) is a tunnel an attacker can point at your in…
A non-admin reaches admin-only routes because authorisation was bolted on per-handler instead of built into the architecture. Verb…
One request, thousands of actions. Rate-limit bypass via header rotation, ?limit=1000000 melting the DB, bulk endpoints fanning ou…
The server copies every key from req.body straight onto the model, so PUT /users/me with {role:"admin"} is instant privilege escal…
All the ways the "who are you" half of auth quietly breaks in production: credential stuffing, missing rate limits, broken passwor…
The server checks who you are but never checks whether the object you asked for is actually yours. ID flips, the UUID myth, nested…
A query language that turns the API surface inside out — the client picks the shape of every response. The resolver model, schema …
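The mass-assignment pattern above, as an added example (not code from the original page or from any article it links to): a handler that copies the whole request body onto the user model beside one that only accepts an allowlist of client-writable fields. The `User` model, the field names and the `/users/me` semantics are assumptions for the demo, and the body dicts stand in for parsed JSON from the framework of your choice.

```python
"""Mass assignment: vulnerable handler vs allowlist-based update.
Added example; User and its fields are hypothetical."""
from dataclasses import dataclass
from typing import Any, Dict


@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "user"             # server-controlled
    email_verified: bool = False   # server-controlled


class ForbiddenField(ValueError):
    """Raised when the client tries to write a field it does not own."""


def update_user_vulnerable(user: User, body: Dict[str, Any]) -> User:
    """The bug: every key in the body lands on the model, role included."""
    for key, value in body.items():
        setattr(user, key, value)
    return user


# Explicit allowlist of what the client may change on PUT /users/me.
CLIENT_WRITABLE = frozenset({"display_name", "email"})


def update_user_hardened(user: User, body: Dict[str, Any], *, strict: bool = True) -> User:
    """Copy only allowlisted fields. strict=True rejects the request outright on any
    unexpected key (preferable: it surfaces probing in logs); strict=False silently drops them."""
    unknown = set(body) - CLIENT_WRITABLE
    if unknown and strict:
        raise ForbiddenField(f"fields not writable by client: {sorted(unknown)}")
    for key in CLIENT_WRITABLE & set(body):
        if not isinstance(body[key], str):
            raise ForbiddenField(f"{key} must be a string")
        setattr(user, key, body[key])
    # A changed address has not been verified; the server, not the body, decides this flag.
    if "email" in body:
        user.email_verified = False
    return user


def demo() -> Dict[str, str]:
    """Run the same attacker body through both handlers and report the resulting roles."""
    attacker_body = {"display_name": "Mallory", "role": "admin"}  # constructed request
    victim_v = User(1, "alice@example.com", "Alice")
    victim_h = User(1, "alice@example.com", "Alice")
    update_user_vulnerable(victim_v, attacker_body)
    update_user_hardened(victim_h, attacker_body, strict=False)
    return {"vulnerable": victim_v.role, "hardened": victim_h.role}


if __name__ == "__main__":
    print(demo())
```

The allowlist lives next to the handler on purpose: a denylist of "dangerous" fields (role, is_admin, ...) breaks the first time someone adds a new privileged column to the model, whereas an allowlist fails closed. With `setattr`-style or ORM `update(**body)` code, also note that the vulnerable version will happily create attributes the model never declared.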