
API Security Done Right — OWASP Top 10 Visual Guide

Visual breakdown of OWASP API Security Top 10. Understand broken authorization, authentication flaws, and injection attacks through animated diagrams and real-world examples.

APIs are the front door to your data. Every mobile app, every SPA, every microservice communicates through APIs. And most API security is an afterthought — bolted on after the endpoints are built, if at all.

The OWASP API Security Top 10 isn’t theoretical. It’s a list compiled from thousands of real penetration tests and bug bounty reports. These are the vulnerabilities pentesters find every single time.

1. The Top 5 That Hit Hardest

Broken object level authorization (API1) has held the top spot in both the 2019 and 2023 editions of the list, and it is the class pentesters and bug bounty hunters report most often. It’s not a sophisticated attack: it’s literally changing an ID in the URL and seeing someone else’s data.

OWASP API Top 10 — The 5 That Hit Most

API1: Broken Object Level Authorization (Critical)

User A can access User B's data by changing the ID in the URL: /api/users/123/orders → change to /api/users/456/orders. No authorization check on the object.

Fix: Check that the authenticated user owns (or is otherwise entitled to) the requested object, on EVERY endpoint that takes an object ID. No exceptions. The ID in the path is attacker input; the identity comes from the session or token.

API2: Broken Authentication (Critical)

Weak token validation (accepting an unsigned token, or letting the token's own header pick the algorithm), missing rate limits on login, no MFA, predictable tokens, tokens that never expire.

Fix: Short-lived JWTs whose signature is verified against a server-side, pinned algorithm; validate all claims (iss, aud, exp, nbf); rate-limit auth endpoints; require MFA for sensitive operations.

API3: Broken Object Property Level Authorization (High)

Two directions. Excessive data exposure: the API returns salary and ssn because the whole object is serialized without filtering response fields. Mass assignment: the client writes fields it shouldn't (a role flag, an account balance) because the request body is bound straight onto the model.

Fix: Explicit allowlist of readable fields per role and of writable fields per endpoint. Never return or bind the raw database object. Use DTOs in both directions.

API4: Unrestricted Resource Consumption (High)

No rate limiting. No pagination limits. User requests ?page_size=1000000 and your server runs out of memory. Or they call your AI endpoint 50K times and you get a $10K bill.

Fix: Rate limiting per user/IP, max page_size, request body size limits, timeouts, cost-based throttling for expensive operations.

API5: Broken Function Level Authorization (High)

Regular user can call admin endpoints. POST /api/admin/delete-user works because the endpoint exists and authorization isn't checked.

Fix: Default deny. Every endpoint requires an explicit role/permission check. Admin routes behind separate middleware.

The uncomfortable pattern: none of these five is a cryptographic weakness. They are authentication, authorization and resource-control failures in application code. Your TLS can be perfect, your password hashing flawless, and if you don’t check user_id == authenticated_user.id on every object access, none of it matters. The most common API vulnerability is the simplest one.
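What those checks look like in one place, as an added example that is not from the original page or any real project: an in-memory orders API with a default-deny route table (API5), an ownership check that compares both the path's user ID and the object's owner against the authenticated principal (API1), and per-role response allowlists plus a per-endpoint writable-field allowlist (API3). The users, orders, roles and routes are constructed for the demo.

```javascript
// Added example (not from the original article): authorization checks for
// API1, API3 and API5 on an in-memory orders API. All data is constructed.
const users = {
  123: { id: 123, role: 'user' },
  456: { id: 456, role: 'user' },
  999: { id: 999, role: 'admin' },
};

const orders = {
  1: { id: 1, ownerId: 123, total: 49.99, shippingNote: 'leave at door', fraudScore: 0.02, internalMargin: 0.31 },
  2: { id: 2, ownerId: 456, total: 12.0, shippingNote: '', fraudScore: 0.91, internalMargin: 0.12 },
};

// API3, read side: explicit per-role allowlist of response fields.
// internalMargin is never serialized for anyone; fraudScore only for admins.
const ORDER_VIEW = {
  user: ['id', 'total', 'shippingNote'],
  admin: ['id', 'ownerId', 'total', 'shippingNote', 'fraudScore'],
};
// API3, write side: the only field a client may set on an order. Any other key
// in the body (ownerId, fraudScore, ...) is a mass-assignment attempt.
const ORDER_WRITABLE = new Set(['shippingNote']);

function toDto(order, role) {
  return Object.fromEntries(ORDER_VIEW[role].map((k) => [k, order[k]]));
}

function getOrder(req, [pathUserId, orderId]) {
  const order = orders[orderId];
  if (!order) return { status: 404 };
  // API1: the user ID in the path is attacker input. Both it and the object's
  // owner must equal the authenticated principal; admins may read any order.
  if (req.user.role !== 'admin' && (pathUserId !== req.user.id || order.ownerId !== req.user.id)) {
    return { status: 403 }; // some teams return 404 here so existence is not confirmed
  }
  return { status: 200, body: toDto(order, req.user.role) };
}

function updateOrder(req, params) {
  const found = getOrder(req, params); // reuse the ownership check
  if (found.status !== 200) return found;
  const rejected = Object.keys(req.body || {}).filter((k) => !ORDER_WRITABLE.has(k));
  if (rejected.length) return { status: 400, body: { rejected } }; // reject, don't silently drop
  Object.assign(orders[params[1]], req.body);
  return { status: 200, body: toDto(orders[params[1]], req.user.role) };
}

function deleteUser(req, [userId]) {
  delete users[userId];
  return { status: 200 };
}

// API5: default deny. A route lists the roles that may call it; a route that is
// not in this table does not exist, whatever handlers are defined.
const routes = [
  { method: 'GET', pattern: /^\/api\/users\/(\d+)\/orders\/(\d+)$/, roles: ['user', 'admin'], handler: getOrder },
  { method: 'PATCH', pattern: /^\/api\/users\/(\d+)\/orders\/(\d+)$/, roles: ['user', 'admin'], handler: updateOrder },
  { method: 'POST', pattern: /^\/api\/admin\/delete-user\/(\d+)$/, roles: ['admin'], handler: deleteUser },
];

// req = { user: { id, role } | null, method, path, body }
function handle(req) {
  if (!req.user) return { status: 401 };
  for (const route of routes) {
    if (route.method !== req.method) continue;
    const m = route.pattern.exec(req.path);
    if (!m) continue;
    if (!route.roles.includes(req.user.role)) return { status: 403 }; // function-level check first
    return route.handler(req, m.slice(1).map(Number));
  }
  return { status: 404 };
}

// Read-only demonstration: a BOLA attempt and the admin view of the same order.
console.log(handle({ user: users[123], method: 'GET', path: '/api/users/456/orders/2' })); // { status: 403 }
console.log(handle({ user: users[999], method: 'GET', path: '/api/users/456/orders/2' }).body);
```

The order of checks matters: the route table decides whether this role may call this function at all, the handler then decides whether this principal may touch this object, and only the DTO decides which fields leave the process. Note that user 123 asking for /api/users/123/orders/2 is still refused, because order 2 belongs to someone else; matching the path ID alone would not be enough.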

2. Defense in Depth

API security isn’t one layer. It’s five layers, each there to catch what the one before it missed: a request that gets past the WAF still has to authenticate; an authenticated caller still has to be authorized for the specific object and function; input that reaches a handler is still validated against a schema before it touches a query; and the business layer still enforces its own invariants. Defense in depth means no single failure is catastrophic.

Defense Layers — Outside In

L1 WAF / API Gateway: rate limiting, bot detection, IP filtering, request size limits, DDoS protection
L2 Authentication: JWT validation, API key verification, OAuth token introspection, mTLS for service-to-service
L3 Authorization: RBAC/ABAC policy checks, object-level ownership validation, permission boundaries
L4 Input Validation: schema validation (JSON Schema/Zod), sanitization, parameterized queries against SQL injection, strict types with no implicit coercion
L5 Business Logic: domain-specific rules, idempotency, race condition prevention, transaction isolation

The mistake I see: teams invest heavily in L1 (WAF, API Gateway) and skip L3-L5. A WAF can’t check whether user 123 owns order 456. That’s business logic authorization — and it must be in your application code. No amount of infrastructure protects against broken application logic.

3. The Practical Checklist

Security audits find the same gaps repeatedly. This checklist covers the configuration and implementation items that prevent most of the common API vulnerabilities.

API Security Checklist

Transport
☐ TLS 1.3 everywhere
☐ HSTS header
☐ No mixed content
☐ Certificate pinning (mobile)
Auth
☐ Short-lived tokens (15 min)
☐ Refresh token rotation
☐ Rate limit login/register
☐ Verify signature and algorithm, validate all JWT claims
Input
☐ Schema validation on all inputs
☐ Parameterized queries
☐ Content-Type validation
☐ Max body size enforced
Output
☐ Never expose stack traces
☐ Filter response fields by role
☐ Security headers set
☐ CORS properly configured

Start with the items that have the highest impact for the lowest effort: schema validation together with parameterized queries (malformed input is rejected at the edge, and what gets through can’t change the structure of a query), rate limiting (prevents abuse), and object-level authorization checks (prevents the #1 vulnerability). These three alone block the majority of real-world attacks. Add the rest incrementally.
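The input and rate-limiting items above, and the API4 fixes from the first section, as one added example that is not from the original page or any framework: a per-principal token bucket where expensive operations cost more tokens, a strict integer parser for page and page_size that refuses anything but canonical decimal digits (so "1e6", "0x10" and "100abc" are rejected rather than coerced), an allowlist of query parameters, and a body size cap checked before any other work. The limits, costs, item set and request shape are constructed for the demo.

```javascript
// Added example (not from the original article): resource-consumption controls
// for a list endpoint. All limits and sample requests are constructed.
const LIMITS = { defaultPageSize: 20, maxPageSize: 100, maxPage: 10000, maxBodyBytes: 16 * 1024 };
const BUCKET = { capacity: 60, refillPerSec: 1 }; // per principal: 60 tokens, refills 1 per second
const COST = { list: 1, export: 20 };             // cost-based throttling: export drains the bucket 20x faster
const ALLOWED_QUERY = new Set(['page', 'page_size']);

const buckets = new Map(); // principal -> { tokens, updatedAt }

// Token bucket. Returns true and deducts `cost` if the principal has enough
// tokens; false otherwise. `nowMs` is injected so behaviour is testable.
function takeTokens(principal, cost, nowMs) {
  let b = buckets.get(principal);
  if (!b) {
    b = { tokens: BUCKET.capacity, updatedAt: nowMs };
    buckets.set(principal, b);
  }
  const elapsedSec = Math.max(0, nowMs - b.updatedAt) / 1000;
  b.tokens = Math.min(BUCKET.capacity, b.tokens + elapsedSec * BUCKET.refillPerSec);
  b.updatedAt = nowMs;
  if (b.tokens < cost) return false;
  b.tokens -= cost;
  return true;
}

// Strict bounded integer: canonical positive decimal only. Number("1e6") would
// happily give 1000000, so the regex runs before any conversion.
function parseBoundedInt(raw, min, max, fallback) {
  if (raw === undefined) return fallback;
  if (typeof raw !== 'string' || !/^[1-9]\d{0,8}$/.test(raw)) return null;
  const n = Number(raw);
  return n >= min && n <= max ? n : null;
}

const ITEMS = Array.from({ length: 250 }, (_, i) => ({ id: i + 1 })); // constructed data set

// req = { principal, op: 'list' | 'export', query: { [name]: string }, bodyBytes, nowMs }
function handleRequest(req) {
  // Cheapest checks first: size before anything is parsed, then spend tokens
  // before validation so a flood of garbage is rate-limited like everything else.
  if (req.bodyBytes > LIMITS.maxBodyBytes) return { status: 413 };
  const cost = COST[req.op];
  if (cost === undefined) return { status: 404 };
  if (!takeTokens(req.principal, cost, req.nowMs)) {
    return { status: 429, retryAfterSec: Math.ceil(cost / BUCKET.refillPerSec) };
  }
  const unknown = Object.keys(req.query).filter((k) => !ALLOWED_QUERY.has(k));
  if (unknown.length) return { status: 400, error: `unknown parameters: ${unknown.join(', ')}` };
  const pageSize = parseBoundedInt(req.query.page_size, 1, LIMITS.maxPageSize, LIMITS.defaultPageSize);
  const page = parseBoundedInt(req.query.page, 1, LIMITS.maxPage, 1);
  if (pageSize === null || page === null) return { status: 400, error: 'page/page_size out of range' };
  const start = (page - 1) * pageSize;
  return { status: 200, page, pageSize, items: ITEMS.slice(start, start + pageSize) };
}

// Demonstration with its own principal so it does not touch anyone else's bucket.
console.log(handleRequest({ principal: 'demo', op: 'list', query: { page_size: '1000000' }, bodyBytes: 0, nowMs: Date.now() })); // { status: 400, ... }
console.log(handleRequest({ principal: 'demo', op: 'list', query: { page_size: '1e6' }, bodyBytes: 0, nowMs: Date.now() })); // { status: 400, ... }
```

Rejecting an oversized page_size with 400 rather than silently clamping it is deliberate: clamping hides the fact that a client is probing limits, and a client that genuinely needs more than maxPageSize rows should paginate. The bucket here is in-process; behind a load balancer the same logic belongs in a shared store (or at the gateway, layer L1) so that the per-principal limit is global rather than per instance.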