Section 31 · API & Security
API Design
Audit guide for API versioning, input validation, injection prevention, and gateway configuration.
This guide walks you through auditing a project's API design practices - versioning strategy, input validation, injection prevention, and gateway/proxy configuration.
The Goal: Secure by Design
APIs are a primary attack surface: every endpoint accepts attacker-controlled input. This audit checks that endpoints are hardened against injection and that versioning, validation, and cross-origin policy are handled consistently rather than per-endpoint.
- Consistent — APIs use versioning strategies appropriate to their audience (public vs internal)
- Validated — All user input is validated server-side before processing
- Injection-proof — Database queries use parameterized statements or ORM query builders; no user input is concatenated or formatted into SQL, including through an ORM's raw-query escape hatches
- XSS-safe — User-generated content is output-encoded for the context it is rendered in (HTML body, attribute, JavaScript, URL), or run through an HTML sanitizer when markup must be allowed
- Centralized — Authentication, rate limiting, and CORS are enforced in one place (gateway or reverse proxy) rather than re-implemented in each service
Before You Start
- Identify API architecture (REST, GraphQL, gRPC, internal vs public)
- Identify backend framework (Express, Fastify, Django, Flask, Go, etc.)
- Check whether the API is public or internal-only (versioning and deprecation discipline matter more for public APIs, where you do not control the clients)
- Identify database access pattern (ORM vs raw queries)
General
API uses consistent versioning approach (URL or header) or intentionally omits versioning for internal/early-stage APIs
“What breaks when you ship a breaking change today?”
If multiple API versions exist, there is a documented plan for sunsetting old versions with migration guidance
“How many dead API versions are still running in prod?”
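As an added example (not code from this page or from any audited project), a version resolver that accepts the version from either the URL path or the Accept header and attaches retirement headers to a version with a sunset date. The vendor media type `application/vnd.example.vN+json`, the version registry and the sunset date are assumptions for the demo.

```python
"""Version resolution (URL path or Accept header) with a retirement plan for old versions.

Added example, not the audited project's code. Assumptions: versions live in the
path (/v1/...) or in a vendor media type (Accept: application/vnd.example.v2+json);
'example', the version registry and the sunset date are invented.
"""
import re
from datetime import datetime, timezone
from email.utils import format_datetime
from typing import Dict, Optional, Tuple

# Constructed registry: every version that is still routable, and its fate.
VERSIONS = {
    "1": {"status": "sunset", "sunset": datetime(2025, 12, 31, tzinfo=timezone.utc), "successor": "2"},
    "2": {"status": "current"},
}
DEFAULT_VERSION = "2"

PATH_RE = re.compile(r"^/v(\d+)/")
ACCEPT_RE = re.compile(r"application/vnd\.example\.v(\d+)\+json")


def resolve_version(path: str, accept: str = "") -> Optional[str]:
    """Return the requested version, or None if it is not in the registry.

    Path wins over header so conflicting signals have one deterministic answer;
    no version at all means the current default.
    """
    m = PATH_RE.match(path) or ACCEPT_RE.search(accept)
    requested = m.group(1) if m else DEFAULT_VERSION
    return requested if requested in VERSIONS else None


def version_headers(version: str) -> Dict[str, str]:
    """Sunset (RFC 8594) and successor Link (RFC 5829) for a retiring version."""
    info = VERSIONS[version]
    if info["status"] != "sunset":
        return {}
    return {
        "Sunset": format_datetime(info["sunset"], usegmt=True),
        "Link": '</v{}/>; rel="successor-version"'.format(info["successor"]),
    }


def handle(path: str, accept: str = "") -> Tuple[int, Dict[str, str]]:
    """Route a request: 404 for versions not in the registry, else 200 plus headers.

    Returning 404 (instead of silently serving the default) for retired or
    unknown versions is what keeps dead versions from running forever.
    """
    version = resolve_version(path, accept)
    if version is None:
        return 404, {}
    return 200, version_headers(version)
```

When auditing, the thing to look for is the registry: a version that is neither current nor carrying a sunset date is one nobody has decided to retire, and a router that falls back to a default for any unrecognised version will keep serving clients that were supposed to have migrated.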
All user input is validated on the server against an explicit schema (type, length, format, allowed values) using a validation library before processing; unknown fields are rejected and request body size is capped
“What stops someone from sending you 10MB of garbage as a name field?”
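As an added example (not code from this page or from any audited project), the checks an auditor should confirm a validation library is configured to enforce, written with the standard library only so it runs anywhere. The schema, field names, limits and the body-size cap are assumptions; a real service would express the same rules in a library such as zod, joi or pydantic.

```python
"""Server-side request validation, shown with the standard library only.

Added example, not the audited project's code. A real service would use a
validation library (zod, joi, pydantic, ...); this shows the checks the auditor
should confirm that library enforces. Schema, field names and limits are invented.
"""
import json
import re
from typing import Any, Dict, List

MAX_BODY_BYTES = 16 * 1024  # reject oversized bodies before parsing them
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")

# Constructed schema: every field has a type and an explicit bound.
CREATE_USER_SCHEMA = {
    "name": {"type": str, "max_len": 100, "required": True},
    "email": {"type": str, "max_len": 320, "required": True, "pattern": EMAIL_RE},
    "age": {"type": int, "min": 0, "max": 150, "required": False},
}


def validate_body(raw: bytes, schema: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return a list of validation errors; an empty list means the body is acceptable."""
    if len(raw) > MAX_BODY_BYTES:
        return ["body exceeds {} bytes".format(MAX_BODY_BYTES)]
    try:
        data = json.loads(raw)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both subclass it
        return ["body is not valid JSON"]
    if not isinstance(data, dict):
        return ["body must be a JSON object"]

    errors = []
    # Unknown fields are rejected, not ignored: mass assignment starts there.
    for key in sorted(data.keys() - schema.keys()):
        errors.append("unexpected field: {}".format(key))
    for field, rule in schema.items():
        if field not in data:
            if rule.get("required"):
                errors.append("missing field: {}".format(field))
            continue
        value = data[field]
        # bool subclasses int in Python; do not let true/false pass as a number
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append("{}: expected {}".format(field, rule["type"].__name__))
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append("{}: longer than {} characters".format(field, rule["max_len"]))
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append("{}: invalid format".format(field))
        if "min" in rule and value < rule["min"]:
            errors.append("{}: below minimum {}".format(field, rule["min"]))
        if "max" in rule and value > rule["max"]:
            errors.append("{}: above maximum {}".format(field, rule["max"]))
    return errors
```

The order matters: the size check runs on the raw bytes before any parsing, so the 10MB "name" never reaches the JSON decoder, and the type check runs before the length check so a list or object sent where a string was expected fails cleanly instead of raising.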
Database queries use ORM query methods or parameterized queries - no string concatenation or formatting with user input, including in ORM raw-query helpers and in identifiers such as table or column names
“Any raw SQL anywhere in this codebase with user input in it?”
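As an added example (not code from this page or from any audited project), the concatenated query beside its parameterized form, run against an in-memory SQLite database so the difference is observable; the `users` table and its rows are constructed for the demo, and the vulnerable function is deliberately left vulnerable. It also covers the case parameters cannot solve, an attacker-chosen sort column, which has to go through an allow-list.

```python
"""String-concatenated SQL next to the parameterized form, run against SQLite.

Added example, not the audited project's code. The users table and rows are
constructed; find_user_vulnerable is intentionally injectable for contrast.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Builds the statement with string formatting: the input becomes SQL."""
    sql = "SELECT name, role FROM users WHERE name = '{}'".format(name)
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterized: the driver passes the value separately, never as SQL text."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def list_users_sorted(conn: sqlite3.Connection, column: str) -> List[Tuple[str]]:
    """Identifiers cannot be bound as parameters; map them through an allow-list."""
    allowed = {"name": "name", "role": "role"}
    if column not in allowed:
        raise ValueError("unsupported sort column")
    return conn.execute("SELECT name FROM users ORDER BY {}".format(allowed[column])).fetchall()
```

The grep for this audit item is any `execute(` whose first argument is an f-string, `%`-formatted string, `.format(...)` call or `+` concatenation; the sort-column helper shows why the fix is not always "add a `?`".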
User-generated content is output-encoded for the context it lands in (HTML body, attribute, JavaScript, URL), or passed through an HTML sanitizer when markup is allowed, before rendering, so a stored payload cannot execute in another user's browser
“Could a user store a script that runs in another user's browser?”
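As an added example (not code from this page or from any audited project), the unsafe interpolation beside context-aware encoding for three places user data commonly lands: element content, a quoted attribute, and an inline `<script>` block. The comment markup and the payloads are constructed for the demo.

```python
"""Context-aware output encoding for user-generated content.

Added example, not the audited project's code. The markup and payloads are
constructed; the point is that the same string needs different encoding
depending on where in the page it is rendered.
"""
import html
import json
from typing import Any


def render_comment_unsafe(author: str, body: str) -> str:
    """Interpolates raw input: a stored payload runs in every reader's browser."""
    return '<div class="comment" data-author="{}">{}</div>'.format(author, body)


def render_comment_safe(author: str, body: str) -> str:
    """HTML-escapes element content and the quoted attribute value separately."""
    return '<div class="comment" data-author="{}">{}</div>'.format(
        html.escape(author, quote=True),  # quote=True also encodes " and '
        html.escape(body),
    )


def embed_in_script(data: Any) -> str:
    """Embeds server data in an inline <script> as JSON.

    html.escape would corrupt the JSON here; instead '<', '>' and '&' become
    JSON \\u escapes so a literal '</script>' can never close the block early.
    """
    payload = (
        json.dumps(data)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )
    return "<script>window.__DATA__ = {};</script>".format(payload)
```

A template engine with auto-escaping on by default covers the first two cases; the audit question is whether anyone has turned it off (`|safe`, `{{{ }}}`, `dangerouslySetInnerHTML`, `v-html`) and whether the script-embedding case is handled at all.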
API sits behind a gateway that handles authentication, rate limiting, and CORS centrally, or each service enforces CORS against an explicit allow-list of origins (exact matches, never reflecting the request's Origin header, and never `*` together with credentials)
“Who else's origin can call your API right now?”
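As an added example (not code from this page or from any audited project), the origin-reflecting anti-pattern beside an exact-match allow-list, written as framework-agnostic helpers that return the response headers a middleware would set; the allowed origins are assumptions. It also shows the suffix-match bug that turns an allow-list into a pattern an attacker can satisfy by registering a domain.

```python
"""CORS origin checks: the reflecting anti-pattern beside an explicit allow-list.

Added example, not the audited project's code. The allowed origins are invented;
each helper returns the headers a middleware would add to the response.
"""
from typing import Dict, Optional

ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Anti-pattern: echoes whatever Origin arrives and allows credentials.

    Any site can now make credentialed requests and read the responses, which
    is functionally the same as having no same-origin policy for this API.
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def origin_allowed_by_suffix(origin: str) -> bool:
    """Common bug: a suffix check accepts https://evil-example.com as well."""
    return origin.endswith("example.com")


def cors_headers_allowlist(origin: Optional[str]) -> Dict[str, str]:
    """Exact-match allow-list; unknown origins (including 'null') get no CORS headers."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The response differs per Origin, so shared caches must key on it.
        "Vary": "Origin",
    }
```

The quickest check is to send a request with `Origin: https://evil.example.net` (or `Origin: null`) and see whether it comes back in `Access-Control-Allow-Origin`; if it does alongside `Access-Control-Allow-Credentials: true`, that origin can read authenticated responses.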