HATEOAS & Hypermedia Attacks
A "proper" REST API returns the links telling the client what it can do next. That is HATEOAS, and it quietly turns the response i…
Hitting a GraphQL endpoint is a different job to testing REST — no routes to enumerate, just one URL and a type system hiding behi…
API documentation covers the happy path. Fuzzing covers the rest — the undocumented admin routes, hidden parameters that flip beha…
Webhooks are event callbacks over HTTP — and every one is an unauthenticated POST that a bad actor can forge, replay, or point at …
The gateway in front of your APIs — Kong, AWS API Gateway, Apigee, NGINX, Envoy — is a security control and an attack surface at o…
gRPC feels like a black box — binary protobuf over HTTP/2 — so people assume it is hard to attack. It is not. The wire format is t…
OWASP API #10 — the risk that flows the other way. Your service trusts the third-party and upstream APIs it calls as if their resp…
OWASP API #9 — you cannot defend an API you have forgotten you are running. Zombie versions that were deprecated but never unroute…
OWASP API #8 — the unglamorous bug class that wins more engagements than any clever exploit. Verbose stack traces, Spring Actuator…
Any endpoint that fetches a URL (image proxy, link preview, webhook, oEmbed, /import) is a tunnel an attacker can point at your in…