
Security

Production Stop 21

Security runs through every stop on this lifecycle, but it also deserves its own attention. OWASP alignment, vulnerability scanning, and defense in depth protect both the provider and the consumer. I would rather build security in as a discipline than bolt it on after an incident.

Policies at this stop

Agent-Scoped Authentication

I require that APIs support authentication credentials scoped specifically to agents, so that an autonomous consumer acts under its own narrowly-bound identity with least-privilege scopes rather th...

Scopes (Authentication)

Require that OAuth scopes meet the standards set by the authentication policies.

Data Privacy and PII Classified

I require that every schema property carrying personally identifiable information is explicitly classified as such in the API definition, so that PII is visible to governance, tooling, and downstre...

Operation Security

Require that all operational security meets the policy standards.

OpenAPI Security

Require that OpenAPI security definitions meet the policy standards.

Abuse Prevention (Security)

Require that every API is designed to resist abuse and misuse, so I want throttling, quotas, anomaly detection, bot and scraping defenses, and sensible request limits treated as part of the contrac...

Authentication

Require details on how authentication is handled as part of API security.

Authorization (Security)

Require that every API defines and enforces authorization explicitly, so I want each operation to declare what scopes, roles, or permissions it demands and to check them on every request, not just ...

CORS (Security)

Require that every browser-facing API sets a deliberate, least-privilege CORS policy, so I want explicit allowed origins, methods, and headers rather than a lazy wildcard slapped on to make an erro...

Data Classification (Security)

Require that every API classifies the data it moves and applies protections that match that classification, so I want fields and payloads labeled as public, internal, confidential, or regulated, wi...

Input Validation (Security)

Require that every API validates all incoming data against its schema before acting on it, so I want types, formats, lengths, ranges, and required fields checked at the edge and anything that does ...

OWASP

Require that the OWASP API Security Top Ten has been applied as part of API security.

Testing

Require that security testing has occurred and that the results are published as part of API security.

Transport (Security)

Require that every API is served exclusively over encrypted transport, so I want TLS enforced everywhere, plain HTTP either redirected or refused, weak protocols and ciphers disabled, and HSTS in p...

Security

Providing an overview of security practices for an API, including details covered as part of authentication and access management, but also security testing and certifications that matter to API co...