Main takeaways from this article:
API security detects and resolves threats like broken object-level authorizations, unrestricted resource consumption, and more within APIs to reduce exploitations.
Common best practices to secure APIs include continuous API discovery, limiting data exposure, and using gateways to centralize security controls.
Authenticating APIs includes critical steps like adopting OAuth or OIDC to secure access control and allow users to grant third-party applications access without exposing their credentials.
A single compromised API key opened the door to a Chinese government hack of the US Department of the Treasury.
A cloud security solution can offer a more secure API infrastructure today and as the landscape evolves.
API security detects and resolves vulnerabilities immediately so you can reduce the risk of exploitation.
Below, we’ll dive into best practices for APIs. Then we’ll introduce the architectural components and foundations of API security and how you can consolidate your ecosystem with a cloud security platform.
If you want to jump into a specific practice now, you can navigate to the specific section below:
11 API security best practices and recommendations
Let’s explore 11 best practices and advanced insights to help you strengthen your API security tools and strategy:
1. Implement Continual API discovery
# Example code for API discovery
import requests
response = requests.get('https://api.yourapp.com/discover')
if response.status_code == 200:
print("API is active and discoverable.")APIs can quickly go missing in the vast software development landscape—but they don’t have to. You can consistently discover and catalog APIs to stay aware of all active interfaces and reduce the risk of overlooked vulnerabilities.
Regular audits allow you to identify and document all active APIs to verify that they adhere to security standards. You can use a feature like Wiz’s Dynamic Scanner, for example, to automate the discovery process.
Continuous API discovery also helps you identify shadow APIs, which are unauthorized or forgotten APIs that developers deploy. These APIs pose security risks to your system because your teams likely aren’t performing regular security checks on them. For example, developers may create a potential vulnerability when they deploy an API endpoint like /old_endpoint for a beta feature and never remove it.
To fix this, you should implement a system to detect and manage unauthorized or forgotten APIs. From there, you can either bring them into compliance or decommission them.
2. Encrypt traffic in every direction
// Example code to enforce HTTPS
if (window.location.protocol !== "https:") {
window.location.protocol = "https:";
}Encrypting data as it travels between the user and the API ensures its integrity and confidentiality. Two-way encryptions, like using HTTPS with a valid SSL certificate, ensures encrypted communication so you can safeguard sensitive information.
Transport Layer Security (TLS), particularly for REST APIs, is a critical part of a secure connection. TLS protects data through end-to-end encryption so API keys and token access won’t be exposed during transmission. Current versions provide the latest security features and reduce APIs’ vulnerability to attacks like man-in-the-middle attacks, message tampering, and forgery.
3. Authenticate and authorize everything
// Example JWT validation
const jwt = require('jsonwebtoken');
const token = JWT_TOKEN";
const secret = SECRET_KEY";
try {
const decoded = jwt.verify(token, secret);
console.log(decoded);
} catch(err) {
console.log("Invalid token.");
}Authenticating all API requests allows you to make sure that they come from trusted sources. For example, you can use JSON Web Tokens to verify users’ identity effectively.
OAuth and OIDC also provide secure access control and allow users to grant third-party applications limited access to their resources without exposing their credentials.
4. Follow the principle of least privilege
# Example RBAC check
def has_permission(user, action):
roles = user.get_roles()
for role in roles:
if action in role.permissions:
return True
return FalseGrant every user or system interacting with your API only the minimum necessary access rights for their roles. For example, you can use role-based access control to define and enforce these privileges.
Following the principle of least privilege (PoLP) limits the potential damage a malicious actor can inflict if they gain access.
5. Be diligent about API documentation
Outdated API documentation can lead to misuse or unintended vulnerabilities. When you change an API, update your documentation as well to reflect those changes. Additionally, document every endpoint, including those for internal use, to help developers understand proper usage and potential risks.
Tools like Redoc can simplify this process by providing interactive API documentation. Similarly, Swagger can auto-generate documentation to ensure consistency and comprehensiveness.
6. Validate your data
// Example input validation
const { check, validationResult } = require('express-validator');
app.post('/user', [
check('username').isAlphanumeric(),
check('password').isLength({ min: 5 })
], (req, res) => {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() });
}
// Continue processing
});Malicious actors frequently launch injection attacks by introducing harmful data via APIs. However, implementing strict validation can prevent such attacks. Libraries like express-validator in Node.js assist with input validation, making it easier to secure your APIs.
You can also verify that the data structure and size follow predefined schemas to prevent buffer overflow attacks and other potential vulnerabilities.
7. Limit Data exposure
Your API should return only the data that is necessary for its function. Excessive data exposure increases the risk of unintended data breaches.
Always encrypt sensitive data, such as passwords, credit card numbers, and personal identification information, both at rest and in transit. Object-relational mapping tools can also help you effectively filter out sensitive data.
8. Introduce rate limiting and throttling
Distributed denial-of-service, or DDoS, attacks overwhelm APIs and cause service disruptions. You can mitigate such threats by limiting rates and using content delivery networks.
Rate limiting can restrict the requests an IP makes within a certain timeframe. These limitations can mitigate instances when attackers attempt to overload your system with traffic. To do this, content delivery networks spread traffic out across different servers to even out the load.
9. Use gateways to centralize security controls
API gateways provide a protective layer by controlling and monitoring API access while supporting rate limiting, caching, and other essential functions.
These gateways make way for a centralized entry point that makes management and security easier for APIs. You can then add control policies for endpoints, create strong encryptions for communications with HTTPS or TLS, and protect against events like injection or cross-scripting attacks.
10. Test your APIs regularly
Regular vulnerability assessments can help you identify weak points that attackers could exploit. These tests ensure that configuration errors won’t expose the system to threats in both the API and supporting workloads.
Nuclei, an open-source vulnerability scanner, allows you to test APIs against known vulnerabilities and misconfigurations. This fast, customizable tool uses YAML templates to describe how to detect specific security vulnerabilities.
11. Conduct diligent API key management
# Example of using environment variables for API keys
import os
API_KEY = os.environ.get('API_KEY')API keys function like passwords for APIs, so you must safeguard them diligently. Rotate your API keys regularly to prevent unauthorized access and use short-lived tokens for added security.
You can also securely store your API keys using environment variables or secret management tools.
If you would like a more extensive overview of best practices for APIs, download Wiz’s cheat sheet for free.
API architecture components: Foundational terms
Understanding the key components of API architecture will help you implement stronger security measures. Below are the foundational API terms you should know:
Endpoints are specific paths or URLs to which API services provide access. Each endpoint links to a unique resource or function.
Methods specify the actions you can perform on an endpoint. Examples include GET, POST, PUT, and DELETE, which retrieve, submit, update, and delete data.
Data structures define the format and organization of the data the API sends or receives. It often uses JSON or XML formats.
Once you understand the basics of a functional API, you can review the risks associated with third-party connections.
Common API vulnerabilities and threats
Your organization should work to develop security that’s steps ahead of today’s vulnerabilities.
Below are some common threats that frequently affect APIs:
| Threats | Detection |
|---|---|
| Broken object-level authorization (BOLA) | BOLAs happen when an API doesn’t validate user access to specific resources. If security fails, attackers can compromise object IDs and access unauthorized data. |
| Security misconfigurations | If your team doesn’t configure API security settings correctly, your organization will be vulnerable to threats, such as unauthorized access or data exposure. |
| Excessive data exposure | If your APIs don’t protect authorization and permissions, they could expose more data than you want them to. Unauthorized users can then access this information. |
| Broken authentication | If your security fails to identify the correct user and roles, cyber attackers can bypass your security checks and access resources due to weak authentication mechanisms. |
| Using components with known vulnerabilities | Strategic attackers can target and breach your infrastructure if an API uses dated components or known vulnerabilities. |
Investing in a unified cloud security solution is the key to tackling these challenges.
For example, Wiz Defend—which is part of Wiz’s comprehensive cloud security platform—identifies and mitigates API security threats in real time. By integrating directly into cloud environments, Wiz Defend provides visibility into API vulnerabilities, detects anomalous behavior, and enforces security policies to prevent exploitation, all to secure APIs at scale and safeguard your cloud applications.
Not only is visibility important, but context is, too. For example, instead of showing a list of issues and potential fixes, Wiz Defend helps you see the most important problems. You can then tackle those pressing security concerns more efficiently.
Challenges in API security
Even with solutions to common threats and vulnerabilities in your toolbelt, you’ll still face these very real challenges that hinder API security:
Rapid development cycles often deprioritize security considerations as teams race to deliver features quickly.
Legacy systems introduce integration vulnerabilities with APIs because they lack modern security standards.
Cyber threats continuously evolve as malicious actors adapt their tactics in response to security measure improvements. Staying ahead requires teams to remain vigilant and adapt constantly.
API security: The need for consolidation
Part of the challenge of continual API security—and cloud security as a whole—is preventing a bloated stack that makes management, detection, and maintenance inefficient.
As Wiz co-founder and CEO Assaf Rapport stated in an interview with Amazon Web Services, “You cannot be efficient if [you have] multiple products, multiple technologies, that are actually not connected. [...] You need one solution. Consolidate—and only then [can you] be actually efficient and effective with your cloud security program.”
Thankfully, cloud-first security solutions can enable safer infrastructures with an efficient, holistic approach.
Real-world API security examples
Securing your APIs and strengthening your organization’s security posture requires a multifaceted approach and continual effort.
Let’s look at some examples of successful and unsuccessful API security:
1. When API security goes wrong
What do China, a cybersecurity company, and the United States Department of the Treasury have in common? A bad API.
On Dec. 30, 2024, the Department of the Treasury notified US representatives that Chinese state-backed hackers stole data from government workstations that same month. The department called it a “major cybersecurity incident” and, as of early 2025, is continuing to investigate how deeply the attack surface and exposure went.
What the department does know, though, is that it’s unfortunately connected to a failure from a cybersecurity company. BeyondTrust, the cybersecurity vendor in this case, had a compromised API key that hackers used to access and reset passwords.
In an official letter, the department’s assistant secretary for management, Aditi Hardikar, explained that “a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for the Treasury Departmental Offices (DO) end users.” She also assured readers that the vendor’s service is no longer in use.
What the letter doesn’t touch on is why so many organizations face avoidable threat exposures like this. Many security departments and companies want to adapt non-cloud-native cybersecurity solutions to the cloud—but cloud infrastructure is vastly different from and far more complex than traditional systems. This security gap opens doors to attackers who know how to exploit those vulnerabilities.
However, stakeholders and security teams can avoid similar situations to the one above by implementing continuous security testing and monitoring using the best practices we covered above. Organizations can build targeted security for the evolving technological landscape by leveraging solutions that are designed specifically for the cloud.
Below, you’ll learn how one data company chose cloud-first security to protect patient data.
2. When companies choose a proactive approach to API security
Artisan, an organization that safeguards thousands of patients’ fertility data, needed a way to improve its cloud posture to protect patient and financial data with a zero-tolerance security infrastructure. Improved cloud security is essential to its reputation and trust, so it was vital for Artisan to streamline compliance for SOC and HIPAA.
As a result, Artisan needed a complete solution to securely protect patients, give providers approved access, and safeguard user data across a cloud environment.
The company chose Wiz to strengthen how it protects data and deploys new products.
If you don't have layers of security measures in place, you’re not going to be at the table very long. We need to be ahead of the curve, and working with Wiz has helped us to do that.
Matthew MazzarielloDevelopment Manager, Artisan
Wiz provides Artisan with a holistic view of its cloud environment so the organization can understand its vulnerabilities. Wiz’s automated risk assessment also helps Artisan’s team prioritize security issues by their level of danger: high, medium, or low. This foundational, all-in-one cloud solution makes all the difference—especially with API security.
As a company with a technology-driven mission, Artisan has quickly embraced the cloud so providers can better care for their patients. As a result, stakeholders can confidently access approved information at the right place and time, as Wiz provides the security, tools, and information to empower security teams to keep it secure.
Artisan also makes security a core part of any development and business growth conversations. This improvement in API security and cloud posture has led the company to adopt and prioritize cloud security so it can lead the industry with the best possible experience and tools.
API security: Going beyond the basics
The API landscape changes quickly, so your team needs to adapt and adopt proactive approaches to consistently keep users safe, maintain data integrity, and remain accessible to the right people at the right time.
Adopting zero trust architecture, for example, prepares your organization for future threats. Zero trust architecture consistently ensures that all users have the correct privileges, no matter their device, time, and location. Multi-factor authentication is one such step toward safer access.
With this architecture, developers can provide:
Continuous authentication for each API request
Mutual TLS for service-to-service communication
PoLP application at the endpoint level
You can also secure your APIs with comprehensive logging and real-time monitoring. Both work together to give organizations a holistic defense against threats. For example, you can start by collecting log data from different systems and 24/7 insights from IT systems for proactive protection.
Additionally, your team can implement multi-factor authentication for improved log-in security. To accomplish this, developers can do the following:
Implement OAuth 2.0 or Open ID Connect
Add risk-based adaptive authentication for API access
Solutions like Wiz Defense provide these advantages, as well as incident response planning, all tailored to API-related threats. Plus, Wiz Defense complies with regulations like GDPR and CCPA so you can rest assured that you meet government standards. The platform also meets industry expectations, such as the OWASP API Security Top 10.
Wiz: Your solution for improved API security
Wiz can help your team secure APIs with continuous monitoring across all your cloud resources. This lets you pinpoint vulnerable areas that can threaten your deployments so you can prevent security breaches and timely setbacks when you need to patch them.
To learn more, sign up for a Wiz demo and get hands-on experience transforming your API security approach.
An agentless, contextual approach to API security
Learn how with Wiz, customers can now simply answer the question of where do I have exposed APIs in my environment with all the context associated with the execution environment.
Other security best practices you might be interested in: