You've implemented OAuth 2.0. You're using HTTPS everywhere. Your APIs require authentication. You think you're secure. You're probably not.
The OWASP API Security Top 10 exists because traditional web security thinking doesn't fully apply to APIs. Here are the vulnerabilities most teams overlook.
1. Broken Object-Level Authorization (BOLA)
The most common API vulnerability. Your API authenticates users but doesn't properly authorize access to specific objects.
The attack is simple: change /api/users/123/orders to /api/users/124/orders. Does the API check if the authenticated user can access user 124's orders? Most don't.
Fix it:
- Check authorization for every object access, not just authentication
- Use indirect references (GUIDs) instead of sequential IDs
- Implement authorization at the data layer, not just the API layer
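The following is an added example, not code from the original article: a pair of order-lookup handlers, one that only authenticates and one that also authorizes the caller against the object, plus an opaque-ID lookup in place of sequential user IDs. The names (ORDERS, PUBLIC_IDS, get_orders_vulnerable, get_orders_fixed, is_admin) and all data are constructed for this example.

```python
# Added example: object-level authorization for an orders endpoint.
# ORDERS, PUBLIC_IDS, get_orders_* and is_admin are hypothetical names;
# the records are constructed sample data.
import uuid

# Constructed sample data: internal user id -> that user's orders
ORDERS = {
    123: [{"order_id": 1, "item": "laptop"}],
    124: [{"order_id": 2, "item": "phone"}],
}

# Opaque, non-guessable public references mapped to internal ids.
# Indirect references do not replace the authorization check; they only
# stop a caller from walking the id space by counting upward.
PUBLIC_IDS = {uid: str(uuid.uuid4()) for uid in ORDERS}
INTERNAL_IDS = {pub: uid for uid, pub in PUBLIC_IDS.items()}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def is_admin(user_id):
    # Constructed role lookup: user 1 is the only admin.
    return user_id == 1


def get_orders_vulnerable(auth_user_id, path_user_id):
    """Authenticated (we know who is calling) but never authorized: any
    logged-in user reads any other user's orders by editing the path."""
    return ORDERS.get(path_user_id, [])


def get_orders_fixed(auth_user_id, public_user_id):
    """Resolve the opaque id, then require that the caller owns the object
    (or holds the admin role) before returning anything."""
    target = INTERNAL_IDS.get(public_user_id)
    if target is None:
        raise NotFound(public_user_id)
    if target != auth_user_id and not is_admin(auth_user_id):
        # Returning the same status as NotFound is a valid alternative,
        # so that a refusal does not confirm the object exists.
        raise Forbidden(f"user {auth_user_id} may not read orders of user {target}")
    return ORDERS[target]


def demo():
    """User 123 tries to read user 124's orders through both handlers."""
    leaked = get_orders_vulnerable(123, 124)
    try:
        get_orders_fixed(123, PUBLIC_IDS[124])
        refused = False
    except Forbidden:
        refused = True
    own = get_orders_fixed(123, PUBLIC_IDS[123])
    return leaked, refused, own


if __name__ == "__main__":
    print(demo())
```

The check lives in the handler that loads the object, which is the pattern to push down into the data-access layer so that every code path that reaches an order goes through it.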
2. Excessive Data Exposure
APIs often return entire objects, relying on the frontend to filter sensitive fields. Attackers don't use your frontend.
Your user endpoint might return:
{"id": 123, "email": "user@example.com", "password_hash": "...", "ssn": "..."}
Fix it:
- Return only the fields the client needs
- Create different response schemas for different contexts
- Never trust the frontend to handle data filtering
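As an added example (not from the article), here is one way to give a user endpoint explicit, context-dependent response schemas, with a deny-list as a second line of defence against a carelessly edited schema. USER, SCHEMAS, serialize, safe_serialize and user_endpoint are hypothetical names, and the user record is constructed sample data.

```python
# Added example: allow-list response schemas per context.
# USER, SCHEMAS, serialize, safe_serialize and user_endpoint are
# hypothetical names; the record below is constructed.

# Constructed user record as it might come back from the database.
USER = {
    "id": 123,
    "email": "user@example.com",
    "display_name": "Sam",
    "password_hash": "$argon2id$placeholder",  # constructed placeholder
    "ssn": "000-00-0000",                       # constructed placeholder
    "created_at": "2024-01-01T00:00:00Z",
}

# Allow-lists per context. Anything not listed is never serialized, so a
# new sensitive column added to the table cannot leak by default.
SCHEMAS = {
    "public_profile": ("id", "display_name"),
    "self": ("id", "email", "display_name", "created_at"),
    "support_agent": ("id", "email", "display_name", "created_at"),
}

# Fields that must never appear in any response, whatever a schema says.
DENY_ALWAYS = frozenset({"password_hash", "ssn"})


class UnknownSchema(Exception):
    pass


def serialize(record, context):
    """Project a record onto the allow-list for `context`. Fields missing
    from the record are skipped, so a schema may be stricter than the row."""
    fields = SCHEMAS.get(context)
    if fields is None:
        raise UnknownSchema(context)
    return {name: record[name] for name in fields if name in record}


def safe_serialize(record, context):
    """serialize() plus a hard stop if a schema ever lists a denied field."""
    out = serialize(record, context)
    leaked = set(out) & DENY_ALWAYS
    if leaked:
        raise RuntimeError(f"schema {context!r} exposes {sorted(leaked)}")
    return out


def user_endpoint(auth_user_id, target_user, requester_role):
    """Choose the schema from who is asking, never from a client-supplied
    'fields' parameter."""
    if auth_user_id == target_user["id"]:
        context = "self"
    elif requester_role == "support":
        context = "support_agent"
    else:
        context = "public_profile"
    return safe_serialize(target_user, context)


if __name__ == "__main__":
    print(user_endpoint(999, USER, "member"))
```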
3. Lack of Rate Limiting
Without rate limits, attackers can brute-force credentials, enumerate users, or simply overwhelm your infrastructure.
Fix it:
- Implement rate limiting per user, IP, and endpoint
- Use progressive delays for repeated failures
- Apply stricter limits to sensitive endpoints (login, password reset)
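The three bullets above combined into one in-memory limiter, as an added example that is not part of the article: a sliding window keyed per user, per IP and per endpoint, tighter limits for login and password reset, and a progressive delay after repeated failures. RateLimiter, LIMITS and the clock injection are hypothetical; a real deployment would keep the counters in a store shared by all API instances.

```python
# Added example: sliding-window rate limiting with progressive delays.
# RateLimiter and LIMITS are hypothetical names; the limit values are
# constructed for this example, not recommendations from the article.
from collections import defaultdict, deque

# (requests allowed, window in seconds) per endpoint; sensitive endpoints
# get much tighter limits than the default.
LIMITS = {
    "default": (100, 60),
    "POST /login": (5, 60),
    "POST /password-reset": (3, 300),
}


class RateLimiter:
    def __init__(self, clock):
        self.clock = clock                  # injected so tests are deterministic
        self.windows = defaultdict(deque)   # key -> timestamps of recent hits
        self.failures = defaultdict(int)    # (user, endpoint) -> consecutive failures

    def _hit(self, key, limit, window, now):
        q = self.windows[key]
        while q and q[0] <= now - window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def allow(self, user, ip, endpoint):
        """True if the request may proceed. Every dimension is counted, so one
        account spread over many IPs, or many accounts behind one IP, is still
        bounded. A denied request is still counted against each key."""
        now = self.clock()
        limit, window = LIMITS.get(endpoint, LIMITS["default"])
        results = [
            self._hit(f"user:{user}:{endpoint}", limit, window, now),
            self._hit(f"ip:{ip}:{endpoint}", limit, window, now),
            # Endpoint-wide ceiling (constructed factor) protects the backend
            # as a whole rather than any single account.
            self._hit(f"ep:{endpoint}", limit * 1000, window, now),
        ]
        return all(results)

    def retry_after(self, user, endpoint):
        """Progressive delay in seconds: 0, 1, 2, 4, 8, ... capped at 5 minutes."""
        n = self.failures[(user, endpoint)]
        return 0 if n == 0 else min(2 ** (n - 1), 300)

    def record_failure(self, user, endpoint):
        self.failures[(user, endpoint)] += 1

    def record_success(self, user, endpoint):
        self.failures.pop((user, endpoint), None)


if __name__ == "__main__":
    import time
    rl = RateLimiter(time.monotonic)
    print([rl.allow("alice", "10.0.0.1", "POST /login") for _ in range(6)])
```

The login limit here is intentionally low and the window short; the point of the example is that the limit is looked up per endpoint and enforced on every key, not the specific numbers.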
4. Broken Function-Level Authorization
Different from BOLA—this is about accessing admin functions, not admin data. Can a regular user hit /api/admin/delete-user?
Fix it:
- Define clear roles and permissions
- Check authorization on every endpoint, not just at the router level
- Separate admin APIs from user APIs, ideally on different infrastructure
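An added example, not code from the article, of enforcing function-level authorization on the handler itself rather than at the router, keeping admin and user route tables apart, and auditing at deploy time that no registered handler is missing a permission. ROLE_PERMISSIONS, Principal, requires, audit_routes and dispatch are hypothetical names; the roles and users are constructed.

```python
# Added example: permission checks attached to each handler function.
# ROLE_PERMISSIONS, Principal, requires, audit_routes and dispatch are
# hypothetical names; all data is constructed.
import functools

ROLE_PERMISSIONS = {
    "user": {"orders:read"},
    "support": {"orders:read", "users:read"},
    "admin": {"orders:read", "users:read", "users:delete"},
}


class Forbidden(Exception):
    pass


class Principal:
    def __init__(self, user_id, role):
        self.user_id = user_id
        self.role = role

    def permissions(self):
        # Unknown roles get nothing; never default to a wide set.
        return ROLE_PERMISSIONS.get(self.role, frozenset())


def requires(permission):
    """Decorator: the check lives on the function, so every call path
    (HTTP router, background job, another handler) goes through it."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if permission not in principal.permissions():
                raise Forbidden(f"role {principal.role!r} lacks {permission}")
            return fn(principal, *args, **kwargs)
        wrapper.required_permission = permission
        return wrapper
    return deco


# Constructed user table
USERS = {1: "alice", 2: "bob"}


@requires("users:delete")
def delete_user(principal, target_id):
    USERS.pop(target_id, None)
    return {"deleted": target_id}


@requires("orders:read")
def list_orders(principal):
    return {"orders": []}


# Separate route tables so the admin handlers can be mounted on their own
# service or listener instead of beside the user routes.
USER_ROUTES = {"GET /api/orders": list_orders}
ADMIN_ROUTES = {"DELETE /api/admin/users": delete_user}


def audit_routes(*tables):
    """Deploy-time check: return every route whose handler has no permission."""
    return [route for table in tables for route, fn in table.items()
            if not hasattr(fn, "required_permission")]


def dispatch(principal, route, **kwargs):
    handler = {**USER_ROUTES, **ADMIN_ROUTES}.get(route)
    if handler is None:
        raise KeyError(route)
    return handler(principal, **kwargs)


if __name__ == "__main__":
    print(audit_routes(USER_ROUTES, ADMIN_ROUTES))
```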
5. Mass Assignment
APIs that accept JSON often bind it directly to objects. Send unexpected fields, and they might stick:
{"name": "John", "email": "john@example.com", "is_admin": true}
Fix it:
- Explicitly define which fields are writable
- Use DTOs/schemas that only include expected fields
- Never bind request data directly to database models
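The payload above, run through both patterns as an added example (not from the article): direct binding that lets is_admin stick, and a small DTO that admits only the writable fields and rejects anything else. DB_USER, UserUpdate, update_user_vulnerable, update_user_fixed and apply_update are hypothetical names; the record is constructed.

```python
# Added example: request DTO with an explicit set of writable fields.
# DB_USER, UserUpdate, update_user_* and apply_update are hypothetical
# names; the row below is constructed sample data.
from dataclasses import dataclass, fields
from typing import Optional

# Constructed database row
DB_USER = {"id": 7, "name": "John", "email": "john@example.com", "is_admin": False}


def update_user_vulnerable(record, payload):
    """Binds the whole JSON body onto the model: any column name the client
    guesses becomes writable, is_admin included."""
    record.update(payload)
    return record


@dataclass(frozen=True)
class UserUpdate:
    """The only fields a user may change on their own profile."""
    name: Optional[str] = None
    email: Optional[str] = None

    @classmethod
    def from_json(cls, payload):
        allowed = {f.name for f in fields(cls)}
        unknown = set(payload) - allowed
        if unknown:
            # Reject rather than silently drop, so probing shows up in logs.
            raise ValueError(f"unexpected fields: {sorted(unknown)}")
        for key, value in payload.items():
            if value is not None and not isinstance(value, str):
                raise TypeError(f"{key} must be a string")
        return cls(**payload)


def apply_update(record, dto):
    """Copy only the DTO's fields onto the row; is_admin is unreachable."""
    for f in fields(dto):
        value = getattr(dto, f.name)
        if value is not None:
            record[f.name] = value
    return record


def update_user_fixed(record, payload):
    return apply_update(record, UserUpdate.from_json(payload))


if __name__ == "__main__":
    evil = {"name": "John", "email": "john@example.com", "is_admin": True}
    print(update_user_vulnerable(dict(DB_USER), evil))
```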
6. Security Misconfiguration
Verbose error messages, debug endpoints in production, permissive CORS policies, missing security headers—the basics that get forgotten.
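A deploy-time audit of an API service's settings, as an added example (not from the article), that flags each of the basics listed above: debug mode, verbose errors, debug routes, permissive CORS and missing headers. audit_config, REQUIRED_HEADERS and the two sample configurations are constructed for this example and the header set is illustrative, not a complete list.

```python
# Added example: audit a service configuration for common misconfigurations.
# audit_config, REQUIRED_HEADERS, WEAK_CONFIG and HARDENED_CONFIG are
# hypothetical names; both configs are constructed sample input.

# Illustrative minimum set of response headers for a JSON API.
REQUIRED_HEADERS = {
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "Cache-Control",  # responses carrying user data should not be cached by intermediaries
}


def audit_config(cfg):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    if cfg.get("debug"):
        findings.append(("high", "debug mode enabled: stack traces and internals reach clients"))
    if cfg.get("verbose_errors"):
        findings.append(("medium", "verbose error bodies enabled; return generic messages, log details server-side"))
    for path in cfg.get("routes", []):
        if path.startswith("/debug") or path.startswith("/_internal"):
            findings.append(("high", f"debug/internal route exposed: {path}"))
    cors = cfg.get("cors", {})
    origins = cors.get("allow_origins", [])
    if "*" in origins and cors.get("allow_credentials"):
        findings.append(("high", "CORS allows any origin together with credentials"))
    elif "*" in origins:
        findings.append(("low", "CORS allows any origin; restrict to known clients unless the API is public"))
    present = set(cfg.get("default_headers", {}))
    for header in sorted(REQUIRED_HEADERS - present):
        findings.append(("medium", f"missing security header: {header}"))
    return findings


# Constructed: a service left with development settings.
WEAK_CONFIG = {
    "debug": True,
    "verbose_errors": True,
    "routes": ["/api/orders", "/debug/vars"],
    "cors": {"allow_origins": ["*"], "allow_credentials": True},
    "default_headers": {"Content-Type": "application/json"},
}

# Constructed: the same service with those settings corrected.
HARDENED_CONFIG = {
    "debug": False,
    "verbose_errors": False,
    "routes": ["/api/orders"],
    "cors": {"allow_origins": ["https://app.example.com"], "allow_credentials": True},
    "default_headers": {
        "Content-Type": "application/json",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    },
}


if __name__ == "__main__":
    for severity, message in audit_config(WEAK_CONFIG):
        print(f"[{severity}] {message}")
```

Run as a CI step that fails on any "high" finding, this turns the forgotten basics into a gate rather than a checklist.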
API security isn't a feature you add—it's a mindset you apply to every line of code.
Testing Your APIs
Automated scanning catches only surface issues. For real API security:
- Test authorization with different user contexts
- Attempt parameter tampering manually
- Review what data each endpoint returns
- Check rate limiting under realistic attack scenarios
- Engage penetration testers who specialize in APIs
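The first three items above, turned into something a team can run in CI, as an added example that is not part of the article: an authorization matrix that states the expected status for every (user context, request) pair, and a helper that derives the neighbouring IDs a manual tamper check would try. The toy api() handler, RESOURCES, ROLES, MATRIX, run_matrix, tamper_ids and tamper_check are all constructed for this example; the handler stands in for the real API under test.

```python
# Added example: authorization matrix and parameter-tampering checks.
# api, RESOURCES, ROLES, MATRIX, run_matrix, tamper_ids and tamper_check
# are hypothetical names; the data is constructed.

# Constructed data and a toy handler standing in for the real API.
RESOURCES = {"orders": {1: {"owner": "alice"}, 2: {"owner": "bob"}}}
ROLES = {"alice": "user", "bob": "user", "root": "admin", None: "anonymous"}


def api(caller, method, path):
    """Returns an HTTP-like status code for (caller, method, path)."""
    if caller is None:
        return 401
    parts = path.strip("/").split("/")
    if parts[:1] == ["admin"]:
        return 200 if ROLES[caller] == "admin" else 403
    if len(parts) == 2 and parts[0] in RESOURCES and parts[1].isdigit():
        obj = RESOURCES[parts[0]].get(int(parts[1]))
        if obj is None:
            return 404
        if obj["owner"] != caller and ROLES[caller] != "admin":
            return 403
        return 200
    return 404


# Expected outcome for every (context, request) pair. Writing the table down
# forces the team to decide what each role may do before testing it.
MATRIX = {
    ("GET", "/orders/1"): {"alice": 200, "bob": 403, "root": 200, None: 401},
    ("GET", "/orders/2"): {"alice": 403, "bob": 200, "root": 200, None: 401},
    ("GET", "/admin/users"): {"alice": 403, "bob": 403, "root": 200, None: 401},
    ("GET", "/orders/99"): {"alice": 404, "bob": 404, "root": 404, None: 401},
}


def run_matrix(handler, matrix):
    """Return every mismatch as (caller, method, path, expected, got)."""
    failures = []
    for (method, path), expectations in matrix.items():
        for caller, expected in expectations.items():
            got = handler(caller, method, path)
            if got != expected:
                failures.append((caller, method, path, expected, got))
    return failures


def tamper_ids(path, deltas=(-1, 1, 1000)):
    """Sibling paths with each numeric segment shifted: the manual tampering
    step expressed as data a test can iterate over."""
    parts = path.strip("/").split("/")
    out = []
    for i, segment in enumerate(parts):
        if segment.isdigit():
            for d in deltas:
                n = int(segment) + d
                if n >= 0:
                    out.append("/" + "/".join(parts[:i] + [str(n)] + parts[i + 1:]))
    return out


def tamper_check(handler, caller, path):
    """For a caller who owns only `path`, every sibling must be refused;
    returns the siblings that came back 200."""
    return [p for p in tamper_ids(path) if handler(caller, "GET", p) == 200]


if __name__ == "__main__":
    print(run_matrix(api, MATRIX), tamper_check(api, "alice", "/orders/1"))
```

Against the real service the handler argument becomes a thin HTTP client that returns the status code; the matrix and the tamper list stay the same.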
The Cultural Shift
Security can't be an afterthought or a separate team's responsibility. Every developer building APIs needs to think like an attacker. What would you try if you wanted to break this endpoint?
The APIs you build today are the attack surface of tomorrow. Design them defensively from the start.
