HATEOAS & Hypermedia Attacks
A "proper" REST API returns the links telling the client what it can do next. That is HATEOAS, and it quietly turns the response i…
Hitting a GraphQL endpoint is a different job to testing REST — no routes to enumerate, just one URL and a type system hiding behi…
API documentation covers the happy path. Fuzzing covers the rest — the undocumented admin routes, hidden parameters that flip beha…
Webhooks are event callbacks over HTTP — and every one is an unauthenticated POST that a bad actor can forge, replay, or point at …
The gateway in front of your APIs — Kong, AWS API Gateway, Apigee, NGINX, Envoy — is a security control and an attack surface at o…
OWASP API #10 — the risk that flows the other way. Your service trusts the third-party and upstream APIs it calls as if their resp…
The one where every request is individually legitimate, but the pattern across them is the attack. Scalping, fake-account farms, r…
Postman, Insomnia, Bruno — the same tools API devs live in every day, turned into security-testing rigs. Collection import from Op…
API keys, Basic auth, Bearer tokens (opaque vs JWT), HMAC request signing, mutual TLS, refresh-token rotation, scoped permissions …