Simple API Security Checklist
A practical API security checklist for startups. Rate limiting, auth, keys in backend, and more.
What this problem means
Your API is live. But is it secure? Many teams ship without basic protections: rate limiting, authentication, or proper key management. A simple checklist helps you catch the most common gaps.
Why this is dangerous
- Cost explosion: Unprotected APIs can be abused, racking up bills.
- Data access: Weak auth or leaked keys expose customer data.
- Downtime: Abuse can overwhelm your servers.
Real-world example
A startup shipped an API without rate limiting. Someone scripted it to generate millions of requests; within a week the API had been called 10M+ times, and the metered bills behind it exceeded $50,000. A checklist review would have caught the missing rate limit before launch.
How to fix it
1. Rate limiting: Cap requests per API key for authenticated traffic and per IP for anonymous traffic. Start with 100-500/min per caller and answer excess with 429 plus a Retry-After header. Per-IP limits alone are weak (attackers rotate IPs, legitimate users share NAT addresses), so pair them with per-key limits and a global cap.
2. Keys in backend: Never ship third-party keys (payment, email, LLM providers) in frontend or mobile code; anything in a JS bundle or app binary can be extracted. Route those calls through a backend proxy that authenticates the user, applies its own rate limit, and reads the key from an environment variable or secrets manager.
3. HTTPS only: Enforce TLS. Redirect or reject plain HTTP and send an HSTS header so browsers do not downgrade.
4. Authentication: Require API keys or OAuth tokens for every endpoint that is not deliberately public, and check authorization too: a valid token for user A must not read user B's data.
5. Input validation: Validate type, length, and format of every field server-side and reject what does not match. Do not rely on client-side checks or on sanitizing bad input into shape.
6. Billing alerts: Set alerts at 50%, 80%, and 100% of expected monthly spend, on your cloud account and on each metered third-party provider.
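The six steps above, except billing alerts, can be put together in one small backend proxy handler. The block below is an added example, not code from this page or any product it mentions: it simulates the upstream provider call so it runs offline, and the client keys, user names, and the provider key are constructed placeholders. It shows the order a practitioner wants (HTTPS check, then auth, then rate limit keyed by API key or IP, then validation) and keeps the provider key where only server code can read it.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumption: in production this comes from os.environ or a secrets manager.
# It is used server side only and never copied into a response.
UPSTREAM_PROVIDER_KEY = "sk-provider-EXAMPLE-DO-NOT-SHIP"  # constructed placeholder

def key_hash(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

# Constructed client keys: store only hashes, mapped to a user id.
CLIENT_KEYS = {key_hash("client-key-alice"): "alice",
               key_hash("client-key-bob"): "bob"}
MAX_PROMPT_LEN = 2000


class TokenBucket:
    """Per-caller token bucket: refills at rate_per_min, bursts up to capacity."""

    def __init__(self, rate_per_min: float, capacity: int, clock=time.monotonic):
        self.rate = rate_per_min / 60.0          # tokens per second
        self.capacity = capacity
        self.clock = clock                       # injectable for deterministic tests
        self.buckets = {}                        # caller id -> (tokens, last refill time)

    def allow(self, caller: str) -> bool:
        now = self.clock()
        tokens, last = self.buckets.get(caller, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[caller] = (tokens - 1.0 if allowed else tokens, now)
        return allowed


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def authenticate(headers: dict) -> Optional[str]:
    """User id for a valid X-API-Key header, else None. Constant-time compare."""
    presented = key_hash(headers.get("X-API-Key", ""))
    for stored, user in CLIENT_KEYS.items():
        if hmac.compare_digest(stored, presented):
            return user
    return None


def validate(body) -> Optional[str]:
    """Server-side schema check: reject anything that is not exactly expected."""
    if not isinstance(body, dict):
        return "body must be a JSON object"
    unexpected = set(body) - {"prompt"}
    if unexpected:
        return f"unexpected fields: {sorted(unexpected)}"
    prompt = body.get("prompt")
    if not isinstance(prompt, str) or not prompt.strip():
        return "prompt must be a non-empty string"
    if len(prompt) > MAX_PROMPT_LEN:
        return f"prompt longer than {MAX_PROMPT_LEN} characters"
    return None


def call_upstream(prompt: str) -> dict:
    """Simulated provider call. A real client would send UPSTREAM_PROVIDER_KEY
    in an Authorization header, server to server, and return only the result."""
    assert UPSTREAM_PROVIDER_KEY                 # available here and only here
    return {"result": prompt.upper()}


def handle_request(limiter: TokenBucket, scheme: str, client_ip: str,
                   headers: dict, body) -> Response:
    if scheme != "https":                        # 3. HTTPS only
        return Response(403, {"error": "https required"})
    user = authenticate(headers)                 # 4. auth for the endpoint
    # 1. rate limit by key when known, else by IP, so unauthenticated probing
    # (including key guessing) is throttled before it reaches anything else.
    caller = f"key:{user}" if user else f"ip:{client_ip}"
    if not limiter.allow(caller):
        return Response(429, {"error": "rate limited"}, {"Retry-After": "60"})
    if user is None:
        return Response(401, {"error": "invalid or missing API key"})
    problem = validate(body)                     # 5. input validation
    if problem:
        return Response(400, {"error": problem})
    return Response(200, call_upstream(body["prompt"]),   # 2. key stays server side
                    {"Strict-Transport-Security": "max-age=63072000"})


def demo() -> list:
    """Drive the handler with a controllable clock; returns the status codes seen."""
    now = [0.0]
    limiter = TokenBucket(rate_per_min=60, capacity=3, clock=lambda: now[0])
    ip, good = "203.0.113.7", {"X-API-Key": "client-key-alice"}
    seen = [handle_request(limiter, "http", ip, good, {"prompt": "hi"}).status,
            handle_request(limiter, "https", ip, {}, {"prompt": "hi"}).status,
            handle_request(limiter, "https", ip, good, {"prompt": ""}).status]
    seen += [handle_request(limiter, "https", ip, good, {"prompt": "hi"}).status
             for _ in range(3)]                  # 3-token bucket: 200, 200, 429
    now[0] += 2.0                                # 60/min refills one token per second
    seen.append(handle_request(limiter, "https", ip, good, {"prompt": "hi"}).status)
    return seen
```

Running `demo()` walks through every branch: plain HTTP is refused, a missing key gets 401 but still consumes from the IP bucket, a bad body gets 400, the third burst request gets 429, and two seconds later the bucket has refilled. The limiter state lives in process memory here; behind more than one instance it belongs in a shared store such as Redis, or at the edge (Cloudflare, API Gateway) as the tools section suggests.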
Tools and configurations
- Cloudflare: Rate limiting, WAF, HTTPS.
- AWS API Gateway: Throttling, API keys.
- Backend proxy: For external API calls.
- Billing alerts: AWS Budgets, provider dashboards.
Common mistakes
- No rate limiting.
- API keys in frontend code.
- No billing alerts.
- Assuming "we're too small to be targeted."
Quick checklist
- [ ] Rate limiting per IP or API key
- [ ] All API keys in backend only
- [ ] HTTPS enforced
- [ ] Auth for sensitive endpoints
- [ ] Input validation
- [ ] Billing alerts configured
Frequently asked questions
- What is the most important API security step?
- Rate limiting. It's the fastest way to prevent abuse. Then: keys in backend, auth for sensitive endpoints, and billing alerts.
- Should API keys be in the frontend?
- No. Any key in frontend code can be extracted. Use a backend proxy for all external API calls. The frontend never touches the key.
- What is a simple API security checklist?
- Rate limiting, keys in backend, HTTPS, auth for sensitive endpoints, input validation, and billing alerts. Start with these.