By 8 min read

I’ve spent the last 25 years building—and breaking—a wide variety of APIs, and one lesson has stood out more than any other: security is never “done.” In this deep dive, I’ll walk you through the most common mistakes I’ve seen (even from seasoned engineers), share real-world consequences, and offer concrete, step-by-step advice for both REST and GraphQL APIs. Strap in—this is a journey through decades of hard-earned lessons.

Why API Security Matters

APIs are the backbone of modern applications—powering mobile apps, single-page web apps, IoT devices, and even partner integrations. Yet they also represent one of the most frequent vectors for data breaches and service disruptions. In 2024 alone, over 40% of reported data leaks involved misconfigured or insecure APIs, according to industry surveys.¹ As I often remind my teams, “An insecure API is like an unlocked front door—you may not notice right away, but someone will stroll in eventually.”

“APIs are the new attack surface. If you leave a crack, adversaries will pry it open.”
— Tech Security Weekly, 2024

Securing your APIs isn’t a one-off task; it’s an ongoing practice woven into your design, development, and deployment cycles.

Common Mistakes Even Experienced Developers Make

In my career, I’ve audited hundreds of APIs. Here are the top blunders I keep encountering:

  1. Overly Permissive CORS Policies
     Granting broad cross-origin access without validating origins.

  2. Insufficient Authentication & Authorization
     Assuming user identity is always trustworthy, or over-relying on client-side controls.

  3. Lack of Rate Limiting
     Leaving endpoints open to brute-force or denial-of-service attacks.

  4. Exposing Internal Error Details
     Returning full stack traces in JSON responses, which reveal your technology stack.

  5. Inadequate Input Validation
     Allowing SQL- and NoSQL-injection, or failing to sanitize GraphQL queries.

  6. Ignoring TLS Best Practices
     Using deprecated ciphers or allowing weak SSL versions.

  7. Deploying with Debug Flags Enabled
     Accidentally shipping code with DEBUG=true, exposing sensitive data in logs.


Real-World Examples and Remedies

Below is a snapshot of mistakes I’ve encountered, their consequences, and the fixes I recommended:

MistakeConsequenceMy Recommendation
Open Access-Control-Allow-Origin: *Attackers host malicious front-ends that hijack tokensRestrict CORS to known domains
Missing JWT revocationUsers retain access after password reset or compromiseImplement token blacklists or short TTLs
Unthrottled login endpointCredential-stuffing and account lockoutsEnforce rate limits and account lockouts
Verbose error messagesLeakage of schema, libraries, and framework versionsReturn generic errors; log details server-side
GraphQL introspection in productionExposes full schema, enabling targeted attacksDisable introspection or whitelist fields
Allowing eval() in input handlingRemote code execution via malicious payloadsUse safe parsers; never evaluate raw input
Hard-coded API keys in repositoriesComplete account takeover if code is leakedUse vaults or environment variables only

Best Practices for REST APIs

When designing or reviewing a REST API, I always follow these steps:

  • Enforce Principle of Least Privilege
     Ensure every endpoint checks both authentication (who you are) and authorization (what you can do). I once saw a payment API that let any authenticated user trigger refunds for any order ID—disaster waiting to happen.

  • Validate Inputs Rigorously
     Use schema validation libraries (e.g., Joi, JSON Schema) to reject unexpected or malicious payloads. I recommend centralizing validation logic so that every microservice enforces the same rules.

  • Implement Rate Limiting & Throttling
     Protect critical endpoints (login, password reset, data exports) with IP-based or token-based throttles. In one incident, a client lost service for hours because a competitor launched a brute-force campaign against their unsecured billing API.

  • Sanitize All Outputs
     Never reflect raw user input back to clients without encoding or escaping. This prevents cross-site scripting (XSS) in API-driven UIs.

  • Adopt Secure Defaults
     Ship frameworks and libraries with safe default settings. Audit your dependencies quarterly and subscribe to vulnerability alerts.


Securing GraphQL Endpoints

GraphQL’s flexibility brings unique risks. Here’s how I harden my GraphQL servers:

  1. Query Depth Limiting
     Prevent deeply nested queries that exhaust server resources. I usually cap depth at 5 levels for public endpoints.

  2. Complexity Analysis
     Assign cost scores to fields and reject queries surpassing a complexity threshold. For example, a single user { posts { comments } } query might count as 10 points—reject anything over 100.

  3. Disable Introspection in Production
     Avoid exposing your entire schema to untrusted clients. I keep introspection enabled in staging but turn it off behind a feature flag in production.

  4. Field-Level Authorization
     Enforce per-field access controls—just because a user can query user.email doesn’t mean they should. I integrate with my RBAC system at the resolver level.

  5. Batch Request Protection
     Block or throttle persisted query abuse by validating incoming operation IDs.


Two Lists of Critical Security Measures

Below are two focused checklists you can integrate into your sprint reviews:

Checklist A: Pre-Deployment Security Gates

  • Dependency vulnerability scan passed

  • Linting enforces secure code patterns

  • Automated penetration tests green

  • Secrets not present in codebase

  • TLS certificates up-to-date and pinned


Checklist B: Live Production Monitoring

  1. Alert on spikes in 4xx/5xx status codes

  2. Monitor average response times for anomalies

  3. Track unusual spike in GraphQL query complexity

  4. Log and review all CORS rejections

  5. Rotate keys and tokens periodically


“You can’t secure what you don’t understand.”
— In my many years of API security audits, the first step is always a complete map of your endpoints, data flows, and trust boundaries.

Layered Defense: Putting It All Together

API security isn’t a checkbox—it’s layered defense. Here’s my recommended approach:

  1. Design Phase

    • Threat model your API before writing code.

    • Define clear trust zones and data sensitivity levels.

  2. Development Phase

    • Integrate static analysis tools (SAST) into your CI pipeline.

    • Write unit tests for every custom security rule.

  3. Pre-Production Phase

    • Run dynamic analysis (DAST) against staging APIs.

    • Perform manual code reviews for critical endpoints.

  4. Production Phase

    • Enforce Web Application Firewalls (WAF) with API-aware rules.

    • Continuously monitor logs and metrics for anomalies.

  5. Post-Incident Phase

    • Conduct root-cause analysis and update playbooks.

    • Share learnings across teams and update your API security guidelines.


Securing APIs is a living process. By learning from the mistakes above and embedding security into every phase—design through monitoring—you’ll stay one step ahead of attackers and sleep a little easier at night. Remember: “Security isn’t a product; it’s a process.”