API Security (expanded): 74 items

API Security → OAuth Scope Restriction

Tags: OAuth, OIDC, Least Privilege

Question: Are OAuth access tokens issued with minimum necessary scopes/audiences per client and API resource?

Applicable Requirements:
- NIST 800-53: AC-6, IA-2(1), SC-23
- ISO 27001: A.9.4.1, A.14.1.2
- SOC 2: CC6.1, CC6.2
- OWASP API Top 10: API5, API6

Applicability: Any API using OAuth 2.0/OIDC (SaaS or custom).

Expected Result: Short-lived tokens (≤ 1h), least-privilege scopes, correct 'aud'. Refresh tokens rotated/bounded (≤ 30d).

Why It Matters: Overscoped/long-lived tokens increase blast radius and replay risk.

Technical Breakdown:

  1. Define per-resource scopes; avoid wildcards.
  2. Authorizer validates 'scope' and 'aud' every request.
  3. Use PKCE for public clients; revoke on compromise.

Example Config / Command:

# JWT scope/aud check (pseudo); runs after the signature has been verified against the issuer's JWKS
assert 'read:reports' in claims['scope'].split()    # space-delimited scopes: exact token match, not a substring test
assert claims['aud'] == 'https://api.example.com'   # exact audience match (if 'aud' is an array, check membership)
API Security → mTLS Between Services

Tags: mTLS, Service Mesh, Zero Trust

Question: Is mutual TLS enforced for service-to-service calls, with automated certificate rotation?

Applicable Requirements:
- NIST 800-53: SC-8, SC-12, SC-13
- ISO 27001: A.13.2.3
- SOC 2: CC6.6

Applicability: Microservices/internal APIs (K8s/service mesh).

Expected Result: STRICT mTLS at gateway/sidecar; cert rotation ≤ 90d; private CA; SAN/SPIFFE ID validated.

Why It Matters: Prevents impersonation and on-path attacks on east-west traffic.

Technical Breakdown:

  1. Adopt Istio/Linkerd or gateway mTLS policies.
  2. Use SPIFFE/SPIRE identity issuance; auto-rotate.
  3. Pin expected SAN/SPIFFE per policy.

Example Config / Command:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default             # placed in the root namespace, this applies mesh-wide
  namespace: istio-system
spec:
  mtls:
    mode: STRICT            # plaintext from non-mesh workloads is rejected
API Security → Rate Limiting & Abuse Controls

Tags: DoS, Bots, Quotas

Question: Do you enforce per-user/IP/token rate limits with adaptive throttling and circuit breakers?

Applicable Requirements:
- NIST 800-53: SI-4, SC-5
- ISO 27001: A.12.1.3
- SOC 2: CC7.1
- OWASP API Top 10: API4

Applicability: Public/partner APIs; auth and costly operations.

Expected Result: Layered limits; 429 w/ Retry-After; WAF bot mitigation; anomaly alerts.

Why It Matters: Mitigates brute force, credential stuffing, and resource exhaustion.

Technical Breakdown:

  1. Define per-plan quotas; stricter for /auth/* and writes.
  2. Sliding windows + bursts; SIEM alerts on abuse.
  3. Backoff clients; block abusive tokens.

Example Config / Command:

# Kong rate limit (declarative)
plugins:
- name: rate-limiting
  config: { minute: 100, policy: redis }
API Security → Schema & Payload Validation

Tags: OpenAPI, Validation

Question: Are bodies validated against versioned schemas with strict types and bounds?

Applicable Requirements:
- NIST 800-53: SI-10, SA-11
- ISO 27001: A.14.2.5
- SOC 2: CC7.2
- OWASP API Top 10: API8

Applicability: All JSON/XML/GraphQL APIs.

Expected Result: Validation at gateway/service; reject unknown fields; max size; numeric bounds; enum allowlists.

Why It Matters: Prevents injection, mass assignment, deserialization attacks.

Technical Breakdown:

  1. Use JSON Schema/Protobuf; deep validation pre-routing.
  2. additionalProperties=false; size cap ≤ 1MB.
  3. Sanitize outputs; avoid reflecting untrusted input.

Example Config / Command:

components:
  schemas:
    CreateUser:
      type: object
      additionalProperties: false
      properties:
        email: { type: string, format: email }
        role:  { type: string, enum: [user, admin] }
      required: [email]
API Security → BOLA/BFLA Authorization

Tags: IDOR, AuthZ, Multi-tenant

Question: Do you enforce object/function-level authorization on every call (server-side)?

Applicable Requirements:
- NIST 800-53: AC-3, AC-6
- ISO 27001: A.9.1.2, A.9.4.1
- SOC 2: CC6.6
- OWASP API Top 10: API1, API5

Applicability: Multi-tenant APIs and any resource with ownership.

Expected Result: Per-request ABAC/RBAC; deny cross-tenant even with valid IDs; decision logs.

Why It Matters: Blocks IDOR/BOLA data leaks and privilege escalation.

Technical Breakdown:

  1. Resolve owner/tenant server-side; never trust client IDs.
  2. OPA/Cedar policies with unit tests; deny by default.
  3. Log failed authZ decisions to SIEM.
API Security → Secrets Handling

Tags: Secrets, Rotation, CI/CD

Question: Are secrets avoided in URLs and stored only in secrets managers with rotation?

Applicable Requirements:
- NIST 800-53: IA-5, SC-12
- ISO 27001: A.10.1, A.9.2.4
- SOC 2: CC6.1
- CIS Controls: 3.6

Applicability: API clients/backends; CI/CD pipelines.

Expected Result: No secrets in GET params/logs; use Secrets Manager/Key Vault/OCI Vault; rotate ≤ 90d.

Why It Matters: URL logging leaks secrets; static keys fuel takeover.

Technical Breakdown:

  1. Use Authorization headers; redact secrets in telemetry.
  2. Automate rotation; scope secrets per environment.
  3. Prefer OAuth/OIDC or signed requests.
API Security → CORS & CSRF

Tags: CORS, CSRF, Headers

Question: Is CORS a per-origin allowlist and CSRF mitigated for credentialed requests?

Applicable Requirements:
- NIST 800-53: SC-23
- ISO 27001: A.14.1.2
- SOC 2: CC6.6

Applicability: Browser-based clients (SPA+API).

Expected Result: No '*' with credentials; SameSite=strict or CSRF tokens; strict Referer/Origin checks.

Why It Matters: Prevents origin confusion and CSRF.

Technical Breakdown:

  1. Return Vary: Origin; bind CSRF token to session.
  2. Prefer token auth instead of cookie auth for APIs.
  3. Audit allowed origins regularly.
API Security → GraphQL Limits

Tags: GraphQL, Abuse Prevention

Question: Are GraphQL queries restricted by depth/complexity with introspection off in production?

Applicable Requirements:
- NIST 800-53: SI-4, SC-5
- SOC 2: CC7.1

Applicability: GraphQL endpoints.

Expected Result: Max depth/complexity; enforced pagination; introspection off; op-type rate limits.

Why It Matters: Prevents expensive queries and scraping via query shaping.

Technical Breakdown:

  1. Add query cost analyzers; block wildcard nesting.
  2. Log abnormal queries to SIEM; federated boundary checks.
API Security → SSRF & Egress Controls

Tags: SSRF, Egress, IMDS

Question: Are APIs protected from SSRF by egress allowlists and metadata IP blocking?

Applicable Requirements:
- NIST 800-53: SC-7, SI-10
- ISO 27001: A.13.1.1
- SOC 2: CC6.7

Applicability: APIs fetching URLs or integrating server-side.

Expected Result: Proxy egress via allowlist; block 169.254.169.254/RFC1918 by default; validate scheme/host.

Why It Matters: Stops IMDS token theft, internal scanning, and pivoting.

Technical Breakdown:

  1. Use URL parsers; re-resolve DNS after redirect.
  2. Timeouts and size limits; proxy termination.
  3. Require IMDSv2 in clouds; restrict the IMDS hop limit so containers cannot reach it.
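The egress checks in steps 1 and 2 above (scheme and host validation, blocking 169.254.169.254 and RFC1918, re-resolving the host on every redirect hop), as an added Python example that is not part of this checklist; the allowlisted partner hosts, the resolver table and the fetch function used in tests are constructed stand-ins.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of partner hosts this service is permitted to call.
EGRESS_ALLOWLIST = {"api.partner.example", "hooks.example.net"}


def is_forbidden_ip(ip):
    """True for anything not globally routable: RFC1918, loopback, link-local
    (169.254.169.254), CGNAT, reserved ranges, and IPv4-mapped IPv6 forms of the same."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                       # unparsable answers are treated as hostile
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped           # ::ffff:169.254.169.254 must fail like 169.254.169.254
    return not addr.is_global


def default_resolver(host):
    """Every address the name currently resolves to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_egress(url, resolver=default_resolver):
    """Return (ok, reason). Scheme allowlist, no userinfo, host allowlist, then re-resolve the
    host and refuse if ANY returned address is internal (covers rebinding and mixed A records)."""
    try:
        u = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if u.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {u.scheme!r} not allowed"
    if u.username is not None or u.password is not None:
        return False, "userinfo in URL"   # 'https://allowed.host@10.0.0.1/' tricks naive parsers
    host = (u.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    if host not in EGRESS_ALLOWLIST:
        return False, f"host {host!r} not on egress allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "resolution failed"
    for ip in addresses:
        if is_forbidden_ip(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


def follow_redirects(url, fetch, resolver=default_resolver, max_hops=3):
    """Validate every hop before following it. fetch(url) -> (status, location_or_body)."""
    for _ in range(max_hops + 1):
        ok, reason = check_egress(url, resolver)
        if not ok:
            return False, reason
        status, value = fetch(url)
        if status in (301, 302, 303, 307, 308):
            url = value                   # re-validated (and re-resolved) on the next loop
            continue
        return True, value
    return False, "too many redirects"
```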
API Security → Replay & Idempotency

Tags: Replay, HMAC, Payments

Question: Do write endpoints enforce idempotency keys and anti-replay (nonce/timestamp) in signatures?

Applicable Requirements:
- NIST 800-53: SC-23, SC-8(1)
- ISO 27001: A.12.1.2
- SOC 2: CC6.6

Applicability: Payments/provisioning/state-changing APIs.

Expected Result: Idempotency-Key header; dedup server-side; HMAC covers method+path+body+timestamp; skew ≤ 300s.

Why It Matters: Prevents double-spend and signature replay.

Technical Breakdown:

  1. Persist idempotency key+hash for ~24h.
  2. Reject stale timestamps; rotate signing keys.
  3. Log replay attempts to SIEM.
API Security (AWS API Gateway) → AuthZ Policy Enforcement

Tags: Gateway, AuthZ

Question: Is authorization enforced at the gateway with per-route scopes/claims and deny-by-default?

Applicable Requirements:
- NIST 800-53: AC-3, AC-6
- SOC 2: CC6.6
- NIST CSF: PR.AC

Applicability: Public and partner APIs fronted by a gateway.

Expected Result: Routes map to required scopes/claims; explicit deny for unspecified routes.

Why It Matters: Centralized policy reduces drift and missed checks.

Technical Breakdown:

  1. Map routes→scopes; verify 'sub','aud','scp' claims.
  2. Deny unmatched paths; emit decision logs.

Example Config / Command:

# API Gateway usage plan throttle
aws apigateway update-usage-plan --usage-plan-id ABC \
  --patch-operations op=replace,path=/throttle/rateLimit,value=100
API Security (AWS API Gateway) → JWT Validation

Tags: JWT, JWKS

Question: Are JWTs validated for signature, expiration, audience, issuer, and key rotation (JWKS)?

Applicable Requirements:
- NIST 800-53: IA-2, SC-12
- ISO 27001: A.10.1.1
- SOC 2: CC6.1

Applicability: Any bearer-token protected API.

Expected Result: Signature verified; `exp` and `nbf` enforced; `aud`/`iss` exact match; cache JWKS with rotation.

Why It Matters: Invalid/replayed tokens must be blocked at edge.

Technical Breakdown:

  1. Pin issuer/audience; short token TTLs.
  2. Reject 'none' alg; validate kid/key presence.

API Security (AWS API Gateway) → Request/Response Transformation Sanitization

Tags: Sanitization, PII

Question: Are transformations sanitizing sensitive headers/fields before passing to backends or clients?

Applicable Requirements:
- NIST 800-53: SI-10, SC-7
- SOC 2: CC7.2

Applicability: Edge/gateway performing mediation.

Expected Result: Strip Authorization on egress to client; remove Server/X-Powered-By; mask PII in error bodies.

Why It Matters: Prevents information leakage and confused deputy issues.

Technical Breakdown:

  1. Header allowlists; PII redaction; consistent error schema.

API Security (Azure API Management) → AuthZ Policy Enforcement

Tags: Gateway, AuthZ

Question: Is authorization enforced at the gateway with per-route scopes/claims and deny-by-default?

Applicable Requirements:
- NIST 800-53: AC-3, AC-6
- SOC 2: CC6.6
- NIST CSF: PR.AC

Applicability: Public and partner APIs fronted by a gateway.

Expected Result: Routes map to required scopes/claims; explicit deny for unspecified routes.

Why It Matters: Centralized policy reduces drift and missed checks.

Technical Breakdown:

  1. Map routes→scopes; verify 'sub','aud','scp' claims.
  2. Deny unmatched paths; emit decision logs.

API Security (Azure API Management) → JWT Validation

Tags: JWT, JWKS

Question: Are JWTs validated for signature, expiration, audience, issuer, and key rotation (JWKS)?

Applicable Requirements:
- NIST 800-53: IA-2, SC-12
- ISO 27001: A.10.1.1
- SOC 2: CC6.1

Applicability: Any bearer-token protected API.

Expected Result: Signature verified; `exp` and `nbf` enforced; `aud`/`iss` exact match; cache JWKS with rotation.

Why It Matters: Invalid/replayed tokens must be blocked at edge.

Technical Breakdown:

  1. Pin issuer/audience; short token TTLs.
  2. Reject 'none' alg; validate kid/key presence.

API Security (Azure API Management) → Request/Response Transformation Sanitization

Tags: Sanitization, PII

Question: Are transformations sanitizing sensitive headers/fields before passing to backends or clients?

Applicable Requirements:
- NIST 800-53: SI-10, SC-7
- SOC 2: CC7.2

Applicability: Edge/gateway performing mediation.

Expected Result: Strip Authorization on egress to client; remove Server/X-Powered-By; mask PII in error bodies.

Why It Matters: Prevents information leakage and confused deputy issues.

Technical Breakdown:

  1. Header allowlists; PII redaction; consistent error schema.

API Security (Apigee) → AuthZ Policy Enforcement

Tags: Gateway, AuthZ

Question: Is authorization enforced at the gateway with per-route scopes/claims and deny-by-default?

Applicable Requirements:
- NIST 800-53: AC-3, AC-6
- SOC 2: CC6.6
- NIST CSF: PR.AC

Applicability: Public and partner APIs fronted by a gateway.

Expected Result: Routes map to required scopes/claims; explicit deny for unspecified routes.

Why It Matters: Centralized policy reduces drift and missed checks.

Technical Breakdown:

  1. Map routes→scopes; verify 'sub','aud','scp' claims.
  2. Deny unmatched paths; emit decision logs.

API Security (Apigee) → JWT Validation

Tags: JWT, JWKS

Question: Are JWTs validated for signature, expiration, audience, issuer, and key rotation (JWKS)?

Applicable Requirements:
- NIST 800-53: IA-2, SC-12
- ISO 27001: A.10.1.1
- SOC 2: CC6.1

Applicability: Any bearer-token protected API.

Expected Result: Signature verified; `exp` and `nbf` enforced; `aud`/`iss` exact match; cache JWKS with rotation.

Why It Matters: Invalid/replayed tokens must be blocked at edge.

Technical Breakdown:

  1. Pin issuer/audience; short token TTLs.
  2. Reject 'none' alg; validate kid/key presence.

API Security (Apigee) → Request/Response Transformation Sanitization

Tags: Sanitization, PII

Question: Are transformations sanitizing sensitive headers/fields before passing to backends or clients?

Applicable Requirements:
- NIST 800-53: SI-10, SC-7
- SOC 2: CC7.2

Applicability: Edge/gateway performing mediation.

Expected Result: Strip Authorization on egress to client; remove Server/X-Powered-By; mask PII in error bodies.

Why It Matters: Prevents information leakage and confused deputy issues.

Technical Breakdown:

  1. Header allowlists; PII redaction; consistent error schema.

API Security (Kong Gateway) → AuthZ Policy Enforcement

Tags: Gateway, AuthZ

Question: Is authorization enforced at the gateway with per-route scopes/claims and deny-by-default?

Applicable Requirements:
- NIST 800-53: AC-3, AC-6
- SOC 2: CC6.6
- NIST CSF: PR.AC

Applicability: Public and partner APIs fronted by a gateway.

Expected Result: Routes map to required scopes/claims; explicit deny for unspecified routes.

Why It Matters: Centralized policy reduces drift and missed checks.

Technical Breakdown:

  1. Map routes→scopes; verify 'sub','aud','scp' claims.
  2. Deny unmatched paths; emit decision logs.

Example Config / Command:

plugins:
- name: rate-limiting
  config: { minute: 100, policy: redis }
API Security (Kong Gateway) → JWT Validation

Tags: JWT, JWKS

Question: Are JWTs validated for signature, expiration, audience, issuer, and key rotation (JWKS)?

Applicable Requirements:
- NIST 800-53: IA-2, SC-12
- ISO 27001: A.10.1.1
- SOC 2: CC6.1

Applicability: Any bearer-token protected API.

Expected Result: Signature verified; `exp` and `nbf` enforced; `aud`/`iss` exact match; cache JWKS with rotation.

Why It Matters: Invalid/replayed tokens must be blocked at edge.

Technical Breakdown:

  1. Pin issuer/audience; short token TTLs.
  2. Reject 'none' alg; validate kid/key presence.

API Security (Kong Gateway) → Request/Response Transformation Sanitization

Tags: Sanitization, PII

Question: Are transformations sanitizing sensitive headers/fields before passing to backends or clients?

Applicable Requirements:
- NIST 800-53: SI-10, SC-7
- SOC 2: CC7.2

Applicability: Edge/gateway performing mediation.

Expected Result: Strip Authorization on egress to client; remove Server/X-Powered-By; mask PII in error bodies.

Why It Matters: Prevents information leakage and confused deputy issues.

Technical Breakdown:

  1. Header allowlists; PII redaction; consistent error schema.

API Security → HATEOAS & Method Safety

Tags: REST, Idempotency

Question: Are unsafe methods (PUT/POST/DELETE) protected by stricter authZ and idempotency?

Applicable Requirements:
- NIST 800-53: AC-6, SC-23
- SOC 2: CC6.6

Applicability: REST APIs

Expected Result: Unsafe methods require stronger scopes; GET is read-only; write ops idempotent.

Why It Matters: Limits damage from CSRF/abuse and accidental repeats.

Technical Breakdown:

  1. Method-based scopes; server-side checks; logging write ops.
API Security → Bulk Export Controls

Tags: Exports, Signed URLs

Question: Are bulk export/download endpoints gated and monitored with short-lived URLs?

Applicable Requirements:
- NIST 800-53: AC-3, AU-6
- SOC 2: CC7.2

Applicability: Data export APIs

Expected Result: Signed URLs expire ≤ 10m; audit each export; throttle downloads; tenant ownership verified.

Why It Matters: Bulk data exfil is high-impact.

Technical Breakdown:

  1. Short TTL links; bind to client IP; watermarking.
API Security → Webhooks Security

Tags: Webhooks, HMAC

Question: Are outbound webhooks signed, timestamped, and retried safely with backoff?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23
- SOC 2: CC6.6

Applicability: Integrations via webhooks

Expected Result: HMAC signatures with timestamp; replay protection; verified endpoint TLS; bounded retry.

Why It Matters: Prevents spoofing and replay.

Technical Breakdown:

  1. Include t=timestamp; reject skew; document signature scheme.
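The signing and anti-replay scheme described in the Replay & Idempotency card and this Webhooks Security card (HMAC over method, path, body and timestamp; 300 s skew bound; idempotency keys kept for ~24 h with the body hash; webhook signature header carrying t=timestamp), as an added Python example that is not code from this checklist; the shared secret, clock, payloads and the "created order" side effect are constructed for the test.

```python
import hashlib
import hmac
import time

SKEW_SECONDS = 300            # reject signatures whose timestamp is more than 300 s off
IDEMPOTENCY_TTL = 24 * 3600   # remember idempotency keys for ~24 h


def canonical_string(method, path, body, timestamp):
    """Bind method, path, body digest and timestamp into one signed string so none can be swapped."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{body_hash}\n{timestamp}".encode()


def sign_request(secret, method, path, body, timestamp):
    """Client side: hex HMAC-SHA256 over the canonical string, sent as X-Signature."""
    return hmac.new(secret, canonical_string(method, path, body, timestamp), hashlib.sha256).hexdigest()


class WriteEndpoint:
    """Server side of a state-changing endpoint: freshness, then signature, then idempotency dedup."""

    def __init__(self, secret, clock=time.time):
        self.secret = secret
        self.clock = clock          # injectable so tests are deterministic
        self.seen = {}              # Idempotency-Key -> (body_hash, stored_response, stored_at)
        self.audit = []             # events a real service would forward to the SIEM
        self.created = 0            # stands in for the real side effect (e.g. a charge)

    def handle(self, method, path, body, headers):
        now = self.clock()
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return 401, "missing or invalid timestamp"
        if abs(now - ts) > SKEW_SECONDS:
            self.audit.append(("stale_timestamp", headers.get("Idempotency-Key")))
            return 401, "stale timestamp"
        expected = sign_request(self.secret, method, path, body, ts)
        # constant-time compare; a missing header compares against "" and fails
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            self.audit.append(("bad_signature", headers.get("Idempotency-Key")))
            return 401, "bad signature"
        key = headers.get("Idempotency-Key")
        if not key:
            return 400, "Idempotency-Key header required"
        self._expire(now)
        body_hash = hashlib.sha256(body).hexdigest()
        if key in self.seen:
            prev_hash, prev_response, _ = self.seen[key]
            if prev_hash != body_hash:
                self.audit.append(("key_reuse_with_different_body", key))
                return 422, "Idempotency-Key reused with a different payload"
            self.audit.append(("replay", key))
            return 200, prev_response     # same key + same body: return stored result, do not re-execute
        self.created += 1
        response = f"created order {self.created}"
        self.seen[key] = (body_hash, response, now)
        return 201, response

    def _expire(self, now):
        stale = [k for k, (_, _, stored_at) in self.seen.items() if now - stored_at > IDEMPOTENCY_TTL]
        for k in stale:
            del self.seen[k]


def webhook_signature_header(secret, payload, timestamp):
    """Sender side: 't=<unix ts>,v1=<hex HMAC over "<ts>.<payload>">' so receivers can check skew."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_webhook(secret, payload, header, now=None):
    """Receiver side: parse t and v1, reject skew beyond SKEW_SECONDS, constant-time compare."""
    now = time.time() if now is None else now
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > SKEW_SECONDS:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, parts.get("v1", ""))
```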
API Security → PII Field Minimization

Tags: Hygiene, Baseline

Question: Are PII fields excluded by default from responses and logs with field-level allowlists?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: All internet-facing APIs.

Expected Result: Strict configs per control; deviations documented/approved.

Why It Matters: Reduces common misconfig and leakage patterns.

Technical Breakdown:

  1. Define baseline policies; automated scanning; SIEM alerts on drift.
API Security → HTTP Verb Tunneling Disabled

Tags: Hygiene, Baseline

Question: Is verb tunneling (X-HTTP-Method-Override) disabled unless strictly required?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: All internet-facing APIs.

Expected Result: Strict configs per control; deviations documented/approved.

Why It Matters: Reduces common misconfig and leakage patterns.

Technical Breakdown:

  1. Define baseline policies; automated scanning; SIEM alerts on drift.
API Security → Pagination Caps

Tags: Hygiene, Baseline

Question: Is server-side page size capped and cursors opaque?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: All internet-facing APIs.

Expected Result: Strict configs per control; deviations documented/approved.

Why It Matters: Reduces common misconfig and leakage patterns.

Technical Breakdown:

  1. Define baseline policies; automated scanning; SIEM alerts on drift.
API Security → Deprecation & Sunset

Tags: Hygiene, Baseline

Question: Do you publish Sunset headers and block EOL API versions?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: All internet-facing APIs.

Expected Result: Strict configs per control; deviations documented/approved.

Why It Matters: Reduces common misconfig and leakage patterns.

Technical Breakdown:

  1. Define baseline policies; automated scanning; SIEM alerts on drift.
API Security → Error Redaction

Tags: Hygiene, Baseline

Question: Are error messages sanitized with correlation IDs only?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: All internet-facing APIs.

Expected Result: Strict configs per control; deviations documented/approved.

Why It Matters: Reduces common misconfig and leakage patterns.

Technical Breakdown:

  1. Define baseline policies; automated scanning; SIEM alerts on drift.
API Security → TLS1.2+ Only

Tags: Hygiene, Baseline

Question: Is TLS 1.2+ enforced with modern ciphers at API endpoints?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: All internet-facing APIs.

Expected Result: Strict configs per control; deviations documented/approved.

Why It Matters: Reduces common misconfig and leakage patterns.

Technical Breakdown:

  1. Define baseline policies; automated scanning; SIEM alerts on drift.
API Security → HSTS Preload

Tags: Hygiene, Baseline

Question: Is HSTS enabled and preloaded for API domains where applicable?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: All internet-facing APIs.

Expected Result: Strict configs per control; deviations documented/approved.

Why It Matters: Reduces common misconfig and leakage patterns.

Technical Breakdown:

  1. Define baseline policies; automated scanning; SIEM alerts on drift.
API Security → IP Allowlisting (Admin APIs)

Tags: Hygiene, Baseline

Question: Are admin APIs behind IP/device allowlists plus MFA?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: All internet-facing APIs.

Expected Result: Strict configs per control; deviations documented/approved.

Why It Matters: Reduces common misconfig and leakage patterns.

Technical Breakdown:

  1. Define baseline policies; automated scanning; SIEM alerts on drift.
API Security → Caching Controls

Tags: Hygiene, Baseline

Question: Are cache headers correct to prevent sensitive data caching?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: All internet-facing APIs.

Expected Result: Strict configs per control; deviations documented/approved.

Why It Matters: Reduces common misconfig and leakage patterns.

Technical Breakdown:

  1. Define baseline policies; automated scanning; SIEM alerts on drift.
API Security → Content-Type Strictness

Tags: Hygiene, Baseline

Question: Do endpoints enforce strict Content-Type and reject ambiguous types?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: All internet-facing APIs.

Expected Result: Strict configs per control; deviations documented/approved.

Why It Matters: Reduces common misconfig and leakage patterns.

Technical Breakdown:

  1. Define baseline policies; automated scanning; SIEM alerts on drift.
API Security → Gateway JWT Validation (AWS)

Tags: AWS, JWT

Question: Are JWTs validated (sig/exp/nbf/aud/iss) at the gateway with key rotation (JWKS)?

Applicable Requirements:
- NIST 800-53: IA-2, SC-12
- ISO 27001: A.10.1.1
- SOC 2: CC6.1

Applicability: Bearer-token protected APIs.

Expected Result: Signature verified; `exp`/`nbf` enforced; `aud`/`iss` exact; JWKS cached/rotated.

Why It Matters: Invalid/replayed tokens blocked at edge.

Technical Breakdown:

  1. Reject 'none' alg; pin issuer/audience; short TTLs.
  2. Enforce AWS API Gateway JWT scopes per route.

Example Config / Command:

# Lambda Authorizer (pseudo) validating scope/audience on claims whose signature is already verified
API_AUD = 'https://api.example.com'            # audience this API expects (example value)
scopes = claims.get('scope', '').split()       # space-delimited; exact token match, not a substring test
if not ('admin:write' in scopes and claims.get('aud') == API_AUD):
    deny()                                     # return an explicit Deny policy to API Gateway
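The claim checks called for by the OAuth Scope Restriction card, the JWT Validation cards and the Lambda authorizer pseudo-code above (algorithm allowlist with 'none' rejected, kid present, exp/nbf with bounded skew, exact iss, exact aud including the array form, scope as a space-delimited string or scp array), as an added Python example that is neither this checklist's nor AWS's code; it assumes a JWT library has already verified the signature against the issuer's JWKS, and the issuer and audience values are placeholders.

```python
import time

EXPECTED_ISS = "https://issuer.example.com"   # placeholder: the one issuer this authorizer trusts
EXPECTED_AUD = "https://api.example.com"      # placeholder: this API's own audience identifier
MAX_SKEW = 60                                 # seconds of clock skew tolerated on exp/nbf
ALLOWED_ALGS = {"RS256", "ES256"}             # explicit allowlist: 'none' and HS* are never accepted


def check_header(header):
    """Reject alg=none / non-allowlisted algorithms and tokens with no kid to look up in the JWKS."""
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        return False, f"alg {alg!r} not allowed"
    if not header.get("kid"):
        return False, "missing kid"
    return True, "ok"


def check_claims(claims, required_scope, now=None):
    """exp/nbf with bounded skew, exact iss, exact aud (string or array), exact scope token."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None or now > exp + MAX_SKEW:
        return False, "expired or missing exp"
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - MAX_SKEW:
        return False, "not yet valid"
    if claims.get("iss") != EXPECTED_ISS:
        return False, "issuer mismatch"
    aud = claims.get("aud")                    # RFC 7519: a string or an array of strings
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in audiences:
        return False, "audience mismatch"
    raw = claims.get("scope", claims.get("scp", ""))   # 'scope' (space-delimited) or 'scp' (array)
    scopes = set(raw) if isinstance(raw, list) else set(str(raw).split())
    if required_scope not in scopes:           # token membership, never a substring test
        return False, f"missing scope {required_scope}"
    return True, "ok"


def authorize(header, claims, required_scope, now=None):
    """Gateway decision after signature verification: header checks first, then claims."""
    ok, reason = check_header(header)
    if not ok:
        return False, reason
    return check_claims(claims, required_scope, now)
```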
API Security → Gateway JWT Validation (Azure)

Tags: Azure, APIM, JWT

Question: Are JWTs validated (sig/exp/nbf/aud/iss) at the gateway with key rotation (JWKS)?

Applicable Requirements:
- NIST 800-53: IA-2, SC-12
- ISO 27001: A.10.1.1
- SOC 2: CC6.1

Applicability: Bearer-token protected APIs.

Expected Result: Signature verified; `exp`/`nbf` enforced; `aud`/`iss` exact; JWKS cached/rotated.

Why It Matters: Invalid/replayed tokens blocked at edge.

Technical Breakdown:

  1. Reject 'none' alg; pin issuer/audience; short TTLs.
  2. Use the Azure APIM validate-jwt policy.

Example Config / Command:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-scheme="Bearer" require-expiration-time="true">
  <openid-config url="https://login.example.com/.well-known/openid-configuration" /> <!-- placeholder issuer metadata; supplies the JWKS -->
  <audiences>
    <audience>api://app-id</audience>
  </audiences>
</validate-jwt>
API Security → Gateway JWT Validation (Apigee)

Tags: Apigee, JWT

Question: Are JWTs validated (sig/exp/nbf/aud/iss) at the gateway with key rotation (JWKS)?

Applicable Requirements:
- NIST 800-53: IA-2, SC-12
- ISO 27001: A.10.1.1
- SOC 2: CC6.1

Applicability: Bearer-token protected APIs.

Expected Result: Signature verified; `exp`/`nbf` enforced; `aud`/`iss` exact; JWKS cached/rotated.

Why It Matters: Invalid/replayed tokens blocked at edge.

Technical Breakdown:

  1. Reject 'none' alg; pin issuer/audience; short TTLs.
  2. Use the Apigee VerifyJWT (JWT-Verify) policy.

Example Config / Command:

<VerifyJWT name="JWT-Verify">
  <Algorithm>RS256</Algorithm>
  <Source>request.header.Authorization</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PublicKey><JWKS uri="https://issuer.example.com/.well-known/jwks.json"/></PublicKey> <!-- placeholder JWKS URI -->
  <Issuer>https://issuer.example.com</Issuer>
  <Audience>https://api.example.com</Audience>
</VerifyJWT>
API Security → Gateway JWT Validation (Kong)

Tags: Kong, OIDC

Question: Are JWTs validated (sig/exp/nbf/aud/iss) at the gateway with key rotation (JWKS)?

Applicable Requirements:
- NIST 800-53: IA-2, SC-12
- ISO 27001: A.10.1.1
- SOC 2: CC6.1

Applicability: Bearer-token protected APIs.

Expected Result: Signature verified; `exp`/`nbf` enforced; `aud`/`iss` exact; JWKS cached/rotated.

Why It Matters: Invalid/replayed tokens blocked at edge.

Technical Breakdown:

  1. Reject 'none' alg; pin issuer/audience; short TTLs.
  2. Use the Kong OIDC plugin in bearer-only mode.

Example Config / Command:

plugins:
- name: oidc
  config:
    bearer_only: "yes"      # the plugin expects the string "yes"; a bare yes parses as a YAML boolean
    filters: ["/public"]    # paths exempt from token validation
API Security → Domain Controls: Authentication Brute Force Protections

Tags: API

Question: Is the following control enforced: Authentication Brute Force Protections?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Public login endpoints

Expected Result: Rate limits + captcha after threshold; lock-out with safe reset

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: Password Reset Hardening

Tags: API

Question: Is the following control enforced: Password Reset Hardening?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Password reset flows

Expected Result: Token single-use, short TTL; IP/device bind; reset audit

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: Admin API IP Allowlist

Tags: API

Question: Is the following control enforced: Admin API IP Allowlist?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Administrative API endpoints

Expected Result: Allowlisted IP/device; strong MFA; additional scopes

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: PII Redaction in Logs

Tags: API

Question: Is the following control enforced: PII Redaction in Logs?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Any PII-handling endpoints

Expected Result: Structured logs with redaction; PII fields masked

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: PII Field-Level Encryption

Tags: API

Question: Is the following control enforced: PII Field-Level Encryption?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Sensitive PII (SSN/passport)

Expected Result: Encrypt fields at app layer (FPE/TDE) with KMS keys

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: File Type Allowlist

Tags: API

Question: Is the following control enforced: File Type Allowlist?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: File upload APIs

Expected Result: Strict MIME allowlist; AV scan; sandbox

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: Image Processing Sandbox

Tags: API

Question: Is the following control enforced: Image Processing Sandbox?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Image manipulation services

Expected Result: Isolated sandbox; library patching; resource caps

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: Signed URL Expiry

Tags: API

Question: Is the following control enforced: Signed URL Expiry?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Object download APIs

Expected Result: Short-lived (≤10m) signed URLs; bind to IP if feasible

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: GraphQL Persisted Queries

Tags: API

Question: Is the following control enforced: GraphQL Persisted Queries?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: GraphQL in production

Expected Result: Only allow persisted/whitelisted queries

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: SOAP WS-Security

Tags: API

Question: Is the following control enforced: SOAP WS-Security?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Legacy SOAP APIs

Expected Result: WS-Security with signatures+encryption; timestamp replay defense

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: gRPC AuthZ Interceptors

Tags: API

Question: Is the following control enforced: gRPC AuthZ Interceptors?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: gRPC services

Expected Result: AuthZ interceptors on each method; mTLS

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: Pagination Abuse Prevention

Tags: API

Question: Is the following control enforced: Pagination Abuse Prevention?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Listing endpoints

Expected Result: Cursor-based pagination; max limit; anti-scrape

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: HTTP/2 Downgrade Protection

Tags: API

Question: Is the following control enforced: HTTP/2 Downgrade Protection?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Edge/API gateways

Expected Result: Force HTTP/2 where supported; ALPN checks

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: Cache Poisoning Defense

Tags: API

Question: Is the following control enforced: Cache Poisoning Defense?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Proxies caching API responses

Expected Result: Correct Vary headers; no caching of responses containing sensitive data

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Domain Controls: JSONP/Callback Disabled

Tags: API

Question: Is the following control enforced: JSONP/Callback Disabled?

Applicable Requirements:
- NIST 800-53: SC-23, SI-10, AC-6
- SOC 2: CC6.6, CC7.2

Applicability: Legacy APIs

Expected Result: JSONP disabled; cross-origin access via CORS instead

Why It Matters: Closes common attack paths across API domains.

Technical Breakdown:

  1. Threat-model per endpoint; instrument metrics; auto-block anomalies.
API Security → Advanced Controls: HSTS for API Subdomains

Tags: API-Advanced

Question: Is the following control enforced: HSTS for API Subdomains?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: API subdomains

Expected Result: HSTS max-age ≥ 6 months; includeSubDomains; preload where safe

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: TLS Client Renegotiation Disabled

Tags: API-Advanced

Question: Is the following control enforced: TLS Client Renegotiation Disabled?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: TLS listeners

Expected Result: Disable insecure renegotiation

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: Strict Content-Length

Tags: API-Advanced

Question: Is the following control enforced: Strict Content-Length?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Proxies/backends

Expected Result: Strictly validate Content-Length (and reject conflicting Transfer-Encoding) to prevent request smuggling

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: Proxy Header Sanitization

Tags: API-Advanced

Question: Is the following control enforced: Proxy Header Sanitization?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Behind proxies

Expected Result: Sanitize X-Forwarded-For/-Proto/-Host at the edge; honor them only from a configured trusted-proxy list

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: HTTP Request Smuggling Defense

Tags: API-Advanced

Question: Is the following control enforced: HTTP Request Smuggling Defense?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Reverse proxies

Expected Result: Normalize or strip hop-by-hop headers; a single, consistent parser path across proxy and backend

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: gzip/Brotli Limits

Tags: API-Advanced

Question: Is the following control enforced: gzip/Brotli Limits?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Compression

Expected Result: Compress only safe content types; enforce request and response size limits

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: JSON Number Bounds

Tags: API-Advanced

Question: Is the following control enforced: JSON Number Bounds?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Parsers

Expected Result: Enforce numeric bounds in the parser to prevent integer overflow and precision loss

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: XML External Entity (XXE) Off

Tags: API-Advanced

Question: Is the following control enforced: XML External Entity (XXE) Off?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: XML endpoints

Expected Result: External entity resolution and DTD processing disabled in the XML parser

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: CSP for Interactive Docs

Tags: API-Advanced

Question: Is the following control enforced: CSP for Interactive Docs?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Swagger/Redoc UI

Expected Result: CSP restricting script origins; authentication gating for the docs UI

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: API Key Scoping

Tags: API-Advanced

Question: Is the following control enforced: API Key Scoping?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Key-based APIs

Expected Result: Scope keys per app/tenant/environment

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: 429 Retry Guidance

Tags: API-Advanced

Question: Is the following control enforced: 429 Retry Guidance?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Client integration

Expected Result: 429 responses carry a Retry-After header and a documented error schema

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: Partial Failure Semantics

Tags: API-Advanced

Question: Is the following control enforced: Partial Failure Semantics?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Batch endpoints

Expected Result: Per-item errors; bounded batch sizes

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: Field Projection Allowlist

Tags: API-Advanced

Question: Is the following control enforced: Field Projection Allowlist?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Listing endpoints

Expected Result: Allow projection of known fields only

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: Sensitive Headers Blocklist

Tags: API-Advanced

Question: Is the following control enforced: Sensitive Headers Blocklist?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Edge/gateway

Expected Result: Block forwarding of Authorization and Cookie headers to untrusted upstreams

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: JSON Logging Only

Tags: API-Advanced

Question: Is the following control enforced: JSON Logging Only?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Servers

Expected Result: Structured JSON logging only; concatenated/printf-style logs disabled to prevent log injection

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: Time Skew Handling

Tags: API-Advanced

Question: Is the following control enforced: Time Skew Handling?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Signed requests

Expected Result: Allowed clock skew ≤ 300 s; server-time hints returned on skew rejection

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: Client Clock Guidance

Tags: API-Advanced

Question: Is the following control enforced: Client Clock Guidance?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: SDKs

Expected Result: SDKs synchronize time via NTP APIs; retry automatically on skew errors

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: TLS Session Tickets Rotation

Tags: API-Advanced

Question: Is the following control enforced: TLS Session Tickets Rotation?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Edge

Expected Result: Session ticket keys rotated; resumption not permitted across long windows

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: OCSP/CRL Fail-Closed (Internal)

Tags: API-Advanced

Question: Is the following control enforced: OCSP/CRL Fail-Closed (Internal)?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: mTLS

Expected Result: Connections fail closed when a client certificate is revoked or revocation status cannot be obtained

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.
API Security → Advanced Controls: API Threat Modeling Registry

Tags: API-Advanced

Question: Is the following control enforced: API Threat Modeling Registry?

Applicable Requirements:
- NIST 800-53: SC-8, SC-23, SI-10
- SOC 2: CC6.6, CC7.2

Applicability: Program

Expected Result: A maintained registry mapping endpoints → threats → controls

Why It Matters: Addresses subtle yet high-impact API weaknesses.

Technical Breakdown:

  1. Harden edge parsing; unify proxy/parser behavior; publish client guidance.