Checklist
OWASP API security top 10
The OWASP API Security Top 10 (2023) — the most critical security risks to APIs. Use this checklist when designing or reviewing a REST, GraphQL, or RPC API.
- 53 items
- 10 sections
- Reusable template
Markdown source
Copy this and paste it into Checksy to import the checklist.
---
template: true
about: The OWASP API Security Top 10 (2023) — the most critical security risks to APIs. Use this checklist when designing or reviewing a REST, GraphQL, or RPC API.
---
# OWASP API security top 10
## API1 Broken object level authorization
- [ ] Implement an authorization mechanism that checks the logged-in user against the requested object
- [ ] Use the authorization mechanism in every function that accesses a data source through user input
- [ ] Prefer random and unpredictable values (GUIDs) for record IDs
- [ ] Write tests that confirm authorization cannot be bypassed
- [ ] Avoid checking object ownership only at the UI or client layer
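One way to satisfy the API1 items above, as an added example that is not part of the OWASP checklist or of Checksy: a single `authorize` decision reused by every accessor, random UUIDs for record IDs, and the BOLA anti-pattern kept alongside for contrast. The in-memory `DOCS` store, `Document`, and `User` are constructed stand-ins for a real data source.

```python
import uuid
from dataclasses import dataclass, field

# Constructed in-memory store standing in for the API's data source.
@dataclass
class Document:
    id: str
    owner_id: str
    body: str

@dataclass
class User:
    id: str
    roles: set = field(default_factory=set)

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

DOCS: dict[str, Document] = {}

def create_document(user: User, body: str) -> Document:
    # Random, unpredictable IDs: a client cannot guess neighbouring records.
    doc = Document(id=str(uuid.uuid4()), owner_id=user.id, body=body)
    DOCS[doc.id] = doc
    return doc

def authorize(user: User, doc: Document) -> None:
    # The one authorization decision; every accessor below goes through it.
    if doc.owner_id != user.id and "admin" not in user.roles:
        raise Forbidden(f"user {user.id} may not access document {doc.id}")

def load_document(user: User, doc_id: str) -> Document:
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    authorize(user, doc)
    return doc

def get_document(user: User, doc_id: str) -> str:
    return load_document(user, doc_id).body

def update_document(user: User, doc_id: str, body: str) -> Document:
    doc = load_document(user, doc_id)
    doc.body = body
    return doc

def get_document_vulnerable(doc_id: str) -> str:
    # BOLA anti-pattern: trusts that the client only asks for its own IDs.
    return DOCS[doc_id].body
```

The test below is the kind of bypass check the fourth item asks for: a second user must be refused the first user's record by the server, not by the UI.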
## API2 Broken authentication
- [ ] Identify all possible flows to authenticate to the API (mobile, web, deep links)
- [ ] Do not reinvent the wheel — use standard authentication, token generation, and password storage
- [ ] Treat credential recovery and password reset flows as login from a security standpoint
- [ ] Require multi-factor authentication for sensitive operations
- [ ] Implement account lockout and CAPTCHA to prevent brute force
- [ ] Do not use API keys for user authentication; use them for client app authentication only
## API3 Broken object property level authorization
- [ ] Avoid generic methods that automatically bind client input to internal objects
- [ ] Allow only changes to properties the user should be able to update
- [ ] Use a schema-based response validation mechanism to enforce returned fields
- [ ] Keep returned data structures to the bare minimum required by the consumer
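An added example for the API3 items above (not code from the OWASP project or Checksy): an explicit allow-list of writable properties per role that fails closed on anything else, a fixed set of response fields, and the generic-binding anti-pattern beside it. `Account` and the field names are constructed for illustration.

```python
from dataclasses import dataclass, asdict

@dataclass
class Account:
    id: str
    email: str
    display_name: str
    is_admin: bool = False
    password_hash: str = ""  # must never be returned to a client

# Properties a regular user may change on their own account.
USER_WRITABLE = frozenset({"email", "display_name"})
# Properties an administrator may additionally change.
ADMIN_WRITABLE = USER_WRITABLE | {"is_admin"}
# The only properties any response may carry (schema-based response filtering).
RESPONSE_FIELDS = ("id", "email", "display_name", "is_admin")

class RejectedProperty(ValueError):
    pass

def apply_update(account: Account, payload: dict, *, as_admin: bool) -> Account:
    allowed = ADMIN_WRITABLE if as_admin else USER_WRITABLE
    rejected = set(payload) - allowed
    if rejected:
        # Fail closed: privileged or unknown keys are an error, not silently dropped,
        # so a client probing for hidden properties gets a clear refusal.
        raise RejectedProperty(sorted(rejected))
    for key, value in payload.items():
        setattr(account, key, value)
    return account

def to_response(account: Account) -> dict:
    # Bare minimum for the consumer; password_hash cannot leak by omission.
    data = asdict(account)
    return {k: data[k] for k in RESPONSE_FIELDS}

def bind_vulnerable(account: Account, payload: dict) -> Account:
    # Mass-assignment anti-pattern: every client-supplied key lands on the object.
    for key, value in payload.items():
        setattr(account, key, value)
    return account
```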
## API4 Unrestricted resource consumption
- [ ] Use a container or serverless solution that lets you limit memory, CPU, and disk
- [ ] Define and enforce a maximum size for all incoming parameters and payloads
- [ ] Implement a limit on how often a client can interact with the API in a defined timeframe
- [ ] Limit billing-impactful operations (SMS, email, calls) per client
- [ ] Add server-side validation for query string and request body parameters
- [ ] Set a spending limit for any third-party service provider
## API5 Broken function level authorization
- [ ] Deny all access by default; require explicit grants for specific roles
- [ ] Review API endpoints against function-level authorization flaws
- [ ] Ensure administrative controllers inherit from an admin abstract controller
- [ ] Ensure regular controllers do not implement administrative functions
## API6 Unrestricted access to sensitive business flows
- [ ] Identify business flows that could harm the business if abused (signup, purchase, comment)
- [ ] Use device fingerprinting to deny unexpected client devices
- [ ] Use human detection (CAPTCHA, biometric) for suspicious flows
- [ ] Analyze traffic for irregular patterns (data center IPs, automation tools)
- [ ] Block known proxy and Tor exit node IP addresses from sensitive flows
## API7 Server side request forgery
- [ ] Isolate the resource fetching mechanism in your network
- [ ] Use an allow-list of remote origins users are expected to download from
- [ ] Disable HTTP redirections, or validate the destination of each redirect
- [ ] Use a well-tested URL parser to avoid issues from inconsistent parsing
- [ ] Validate and sanitize all client-supplied input data
- [ ] Do not send raw responses to clients
## API8 Security misconfiguration
- [ ] Use a repeatable hardening process for fast and easy deployment
- [ ] Review and update configurations across the API stack regularly
- [ ] Ensure all API communications use TLS, even for internal APIs
- [ ] Specify which HTTP verbs each API can be accessed by; disable all others
- [ ] Ensure APIs intended for browser clients implement a proper CORS policy
- [ ] Define and enforce all API response payload schemas
## API9 Improper inventory management
- [ ] Inventory all API hosts and document important aspects of each
- [ ] Inventory integrated services and document their roles and data
- [ ] Document API endpoints, parameters, requests, and responses
- [ ] Generate documentation automatically as part of CI/CD
- [ ] Avoid using production data with non-production API deployments
- [ ] Retire old API versions or backport security fixes to them
## API10 Unsafe consumption of APIs
- [ ] Validate and sanitize data received from integrated APIs before using it
- [ ] Always encrypt communications with third-party APIs using TLS
- [ ] Maintain an allow-list of locations the API may redirect to
- [ ] Do not blindly follow redirects; check them against the allow-list
- [ ] Define and enforce timeouts when interacting with third-party services
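An added example covering both the API7 items (allow-list of remote origins, well-tested URL parser, redirect validation) and the API10 items (redirect allow-list, timeouts) in one place; it is not code from the OWASP project or Checksy. `ALLOWED_HOSTS`, the hop limit, the timeout and the injected `fetch` callable are constructed assumptions so the block runs offline.

```python
import ipaddress
from typing import Callable, Optional
from urllib.parse import urlsplit, urljoin

ALLOWED_HOSTS = frozenset({"files.example.com", "cdn.example.com"})  # constructed allow-list
MAX_REDIRECTS = 3
TIMEOUT_SECONDS = 5

class UnsafeUrl(ValueError):
    pass

def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return url if the server may fetch it, otherwise raise UnsafeUrl."""
    parts = urlsplit(url)  # stdlib parser instead of hand-written string checks
    if parts.scheme != "https":
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeUrl("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a name, as expected
    else:
        raise UnsafeUrl("IP literals are not allowed; use an allow-listed name")
    if host not in allowed_hosts:
        raise UnsafeUrl(f"host not on allow-list: {host!r}")
    return url

# fetch(url, timeout) -> (status, Location header or None, body); injected so the
# fetching mechanism can be isolated and the logic tested without a network.
Fetch = Callable[[str, int], tuple[int, Optional[str], bytes]]

def fetch_with_checked_redirects(url: str, fetch: Fetch) -> bytes:
    """Follow redirects by hand so every hop is re-validated against the allow-list."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_outbound_url(url)
        status, location, body = fetch(url, TIMEOUT_SECONDS)  # always with a timeout
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # resolve a relative Location before re-checking
            continue
        return body
    raise UnsafeUrl("too many redirects")
```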