Back to articles
API Security
Updated Jun 2, 2026

API Security Testing Checklist: Auth, Rate Limits, Schemas, and More

APIs are the circulatory system of modern applications, powering everything from mobile apps to cloud services. But this vital role also makes them prime targets for cyberattacks. A single vulnerability in your API can expose sensitive data, grant unauthorized access, or completely compromise your system. The stakes are incredibly high.

This guide isn't just another checklist; it's a comprehensive strategy for testing and securing your APIs against the sophisticated threats of today's digital landscape. We'll cover everything from authentication to business logic, providing practical insights and real-world examples to help you build resilient APIs.

Table of Contents

Why API Security is Non-Negotiable

Traditional web security used to be mostly about user interfaces. That stopped being true the moment single-page apps, microservices, and mobile-first products made the API the front door. The browser is just one client now, and attackers know it. They poke at endpoints looking for the cheap wins that turn into expensive incidents: unauthorized database access through injection or broken authorization, account takeovers built on weak auth or sloppy session handling, full system compromise through a misconfigured service, and plain old service disruption from unrestricted resource consumption. A proactive, thorough API security testing regimen is your best defense.

Getting Started: Fixing Common API Security Issues

Caught an API vulnerability in a scan? Here are immediate, high-impact fixes you should implement.

Add Authentication Middleware (Node.js/Express Example)

Ensure every sensitive endpoint requires authentication.

const express = require("express")
const app = express()

function requireAuth(req, res, next) {
  // Check for Authorization header
  const token = req.headers.authorization?.split(" ")[1]
  if (!token) {
    return res.status(401).json({ error: "Unauthorized: Missing token" })
  }
  // TODO: Validate token (e.g., JWT verification, database lookup)
  // If valid, attach user info to req.user and call next()
  // If invalid, return res.status(401).json({ error: 'Unauthorized: Invalid token' });
  next() // Placeholder - remove after implementing token validation
}

// Apply to all API routes
app.use("/api/*", requireAuth)

// Example protected route
app.get("/api/users/me", (req, res) => {
  res.json({ message: "User data for authenticated user" })
})

Implement Rate Limiting (Node.js/Express Example)

Prevent brute-force attacks and resource exhaustion.

const rateLimit = require("express-rate-limit")
const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes window
  max: 100, // Limit each IP to 100 requests per window
  message: "Too many requests from this IP, please try again after 15 minutes",
})

// Apply to all API routes, or specific critical ones
app.use("/api/", apiLimiter)

Enforce Input Validation (Node.js/Express Example)

Protect against injection attacks and ensure data integrity.

const { body, validationResult } = require("express-validator")
const app = express()
app.use(express.json()) // For parsing JSON request bodies

app.post(
  "/api/users",
  [
    // Validation chain for email and password
    body("email").isEmail().withMessage("Invalid email format"),
    body("password")
      .isLength({ min: 8 })
      .withMessage("Password must be at least 8 characters long")
      .matches(/[A-Z]/)
      .withMessage("Password must contain an uppercase letter")
      .matches(/[a-z]/)
      .withMessage("Password must contain a lowercase letter")
      .matches(/[0-9]/)
      .withMessage("Password must contain a number")
      .matches(/[^A-Za-z0-9]/)
      .withMessage("Password must contain a special character"),
  ],
  (req, res) => {
    const errors = validationResult(req)
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() })
    }
    // If validation passes, process the request
    res
      .status(201)
      .json({ message: "User created successfully", user: req.body.email })
  }
)

Essential API Security Checklist (Quick Wins)

If you do nothing else this week, get the five basics in place. Authentication on every sensitive endpoint. Rate limiting to absorb brute-force and DoS noise. Input validation to shut down the easy injection paths. HTTPS only, so nothing rides the wire in clear text. And error responses that don't double as a free recon report for attackers. None of these are clever, but together they handle a huge share of what shows up in real scans.

Comprehensive API Security Testing Framework

A thorough API security testing strategy covers multiple layers, from authentication to business logic.

1. Authentication and Session Management

This layer verifies that only legitimate users can access your APIs and that their sessions are handled securely.

Testing Authentication Security

Start by sending requests with the wrong credentials: bad usernames, bad passwords, bad API keys. The API should answer with a consistent 401 Unauthorized or 403 Forbidden every time, with no helpful hints about which part was wrong. Then move on to tokens. Missing, expired, malformed, and revoked tokens should all be rejected with a clean 401, and for JWTs specifically you need to verify the signature, issuer, audience, and expiration, plus confirm that revoked tokens really are dead. Hammer the login endpoint to make sure rate limiting kicks in and accounts lock after repeated failures. If MFA is enabled, try every angle you can think of to skip the second factor and still hit sensitive operations.

Secure Session Management

Refresh tokens should rotate on every use so old ones stop working the moment they're spent. Keep access tokens short-lived, on the order of 15 minutes, so a stolen one has a tight blast radius. Don't store tokens in places that aren't designed for secrets, and that includes browser local storage. Finally, confirm that logging out or changing a password actually invalidates every active session, not just the one the user happens to be using.

2. Authorization and Access Control

This is where you confirm that authenticated users can only access the resources and perform the actions they are explicitly permitted to.

Insecure Direct Object Reference (IDOR) Testing

IDORs occur when an application exposes a direct reference to an internal implementation object (like a user ID or document name) and doesn't properly verify the user's authorization to access that object.

How to Test for IDORs:

# Scenario: User A tries to access User B's data (e.g., order history)
# Assume 'user-a-token' belongs to User A, and 'user-b-token' to User B.
# Resource IDs: 123 for User A's order, 456 for User B's order.

# 1. Access User A's order with User A's token (expected: success)
curl -H "Authorization: Bearer user-a-token" https://api.example.com/users/A_ID/orders/123

# 2. Access User B's order (456) using User A's token
# Expected: 403 Forbidden or 404 Not Found (to avoid leaking existence)
curl -H "Authorization: Bearer user-a-token" https://api.example.com/users/B_ID/orders/456

# Test with different user IDs in the URL path, query parameters, and request body.

Secure Implementation: The API must enforce ownership checks (or role-based access) for every resource access.

Role-Based Access Control (RBAC) & Privilege Escalation

Privilege escalation comes in two flavors and you should test for both. Horizontal escalation is one regular user touching another regular user's data, like editing a profile that isn't theirs. Vertical escalation is a regular user reaching for admin-only actions: hitting /admin routes, deleting users, flipping feature flags. Beyond that, walk through every API function with each role you support (admin, editor, viewer, whatever you've defined) and confirm that the role can only call what it's actually entitled to call.

3. Input Validation and Data Sanitization

Solid input validation is your first line of defense against most injection attacks, and it's also how you keep your data clean. Every request should be checked against a schema, ideally derived from your OpenAPI definition, so unexpected fields or shapes never make it past the front door. Inside that, validate types so numbers stay numbers and emails actually look like emails. Cap lengths to head off buffer overflows and oversized rows. Validate ranges and formats too: ages between 0 and 120, dates that parse, UUIDs that look like UUIDs. And before any user-supplied content gets stored or rendered, sanitize it so XSS and injection payloads are stripped or encoded into something harmless.

SQL/NoSQL Injection Testing

# Scenario: Probing for SQL Injection in a login or data update endpoint

# 1. Test a POST endpoint with common SQLi payloads in JSON body
curl -X POST https://api.example.com/users/update \
  -H "Content-Type: application/json" \
  -d '{"userId": "123 OR 1=1", "newEmail": "test@example.com"}'

# 2. Test a search query parameter
curl -X GET "https://api.example.com/products?category=electronics%27%20UNION%20SELECT%20null,table_name%20FROM%20information_schema.tables--"

# 3. NoSQL Injection (if using NoSQL databases like MongoDB)
# This payload might bypass authentication for some NoSQL databases
curl -X POST https://api.example.com/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": null}, "password": {"$ne": null}}'

Cross-Site Scripting (XSS) via API

XSS is mostly a front-end problem, but APIs that return unfiltered user-generated content are the supply chain for it. Drop a <script>alert('XSS')</script> into anything that accepts text and see what comes back. If the payload is reflected verbatim in a response, or stored and then served to another client that renders it, you've found a real bug regardless of which tier technically does the rendering.

4. Rate Limiting and Abuse Prevention

Rate limiting is what stops the cheap, automated attacks: credential stuffing, scraping, resource exhaustion, basic DoS. Apply it to every endpoint that touches the public internet or does meaningful work, not just /login. Tune the thresholds to the endpoint, since something like login deserves five requests per minute while a read endpoint can comfortably allow a hundred. Allow short bursts but clamp down on sustained pressure, and combine IP-based limits with per-user limits so a single authenticated abuser can't hide behind a clean IP and a single shared NAT can't lock out a whole office.

To test it, fire requests at a sensitive endpoint as fast as you can and confirm the API switches over to 429 Too Many Requests once you cross the threshold. Then try to slip past: rotate IPs, spoof X-Forwarded-For if you're behind a proxy, switch user accounts. Anything that lets you keep going is a real gap.

5. Secure Error Handling and Logging

Sloppy error handling hands attackers a map of your system. The fix is simple but boring: return a generic message to the client ("Internal Server Error" is fine), and never leak stack traces, file paths, or database errors over the wire. Validation errors are the exception, since the user genuinely needs to know what to fix, but keep them descriptive in the user's terms ("Email format is invalid") and never in yours ("SQL constraint violation on email field"). On the server, log the real detail you'll need to debug, including timestamps, request context, and user IDs, but never passwords or tokens. Then wire those logs into alerts so suspicious patterns like a spike in 4xx or 5xx responses surface fast.

6. Transport Security and API Gateway Configuration

Secure communication channels are table stakes. Enforce HTTPS everywhere and redirect any HTTP request straight to its HTTPS equivalent. Stick to TLS 1.2 or 1.3, kill off weak cipher suites, and make sure certificates actually validate end to end.

APIs benefit from a few of the usual security headers too, including X-Content-Type-Options: nosniff and Strict-Transport-Security. Our Security Headers Guide goes deeper on the full set.

CORS is where most teams get into trouble. Allowlist specific trusted origins instead of using *, and never combine a wildcard with Access-Control-Allow-Credentials: true. Spell out the exact HTTP methods and headers you accept rather than allowing everything by default. And only allow credentials on cross-origin requests when you genuinely need them, since once they're on you've opened up a much wider attack surface.

7. Business Logic Testing

Business logic flaws are the ones automated scanners miss, because they're unique to how your app actually works. You have to test them by hand, and the trick is to think like a user who wants something they shouldn't have. Can someone skip ahead in a multi-step flow and land on payment confirmation without ever filling a cart? Can negative quantities or amounts go through? Can a user push the app into a state your code never expects, or fire concurrent requests that race past a balance check and double-spend? These are the bugs that cost real money, and they only show up when you go looking for them.

8. API Versioning and Deprecation

Versioning is a security concern as much as a compatibility one. Your gateway or app should validate the requested version up front, and unsupported versions should return a clean 400 or 404 rather than silently falling back to something old. When you deprecate a version, give consumers a real timeline and migration path. Don't leave old versions running forever with no security updates, because that's exactly where the next breach lives.

Aligning with OWASP API Security Top 10

The OWASP API Security Top 10 provides a critical framework for identifying and mitigating the most common and impactful API vulnerabilities. Your testing checklist should directly map to these risks:

  1. API1: Broken Object Level Authorization (BOLA): Test IDORs on every resource endpoint, ensuring granular ownership checks.
  2. API2: Broken Authentication: Rigorously test token validation, expiration, and all authentication bypass scenarios.
  3. API3: Broken Object Property Level Authorization (BOPLA): Test field-level access controls. Can a user modify or access properties they shouldn't (e.g., change isAdmin flag)?
  4. API4: Unrestricted Resource Consumption: Test rate limiting effectiveness, file upload limits, and potential DoS scenarios.
  5. API5: Broken Function Level Authorization: Verify role-based access controls for all API functions. Can a regular user call an admin function?
  6. API6: Unrestricted Access to Sensitive Business Flows: Test all business logic workflows for bypasses (e.g., payment flow manipulation).
  7. API7: Server Side Request Forgery (SSRF): If your API processes URLs, test for SSRF to prevent it from making unauthorized requests to internal or external systems.
  8. API8: Security Misconfiguration: Test security headers, CORS settings, debug modes, and default credentials.
  9. API9: Improper Inventory Management: Verify API versioning, proper handling of deprecated endpoints, and lack of undocumented/shadow APIs.
  10. API10: Unsafe Consumption of APIs: If your API consumes other APIs, ensure robust input validation, error handling, and security considerations for third-party data.

Continuous Security Monitoring

Testing tells you where you stand today. Monitoring tells you when that changes. Watch traffic for behavioral anomalies like sudden bursts at the login endpoint, abnormally large data pulls, or repeated auth failures from the same identity. Layer in attack-pattern detection so the obvious signatures, including SQL injection keywords, XSS payloads, and path traversal attempts, get flagged before they succeed. Pipe everything into a SIEM or a dedicated API security platform like Barrion, alerting on spikes in 4xx and 5xx responses, weird user agents and IPs, slow requests, and authorization denials. And on the way in, scrub the logs: passwords and tokens never belong in storage you'll later read.

Conclusion: Securing Your API Ecosystem

API security testing isn't a checkbox you tick once. It's a habit that runs alongside every release, because the threats keep moving and so does your code. Work through this checklist, bake it into your lifecycle, and you'll cover most of what shows up in real attacks.

Start with the basics, refine your limits, and keep adjusting as you learn. Automated tools give you breadth, manual testing gives you depth, and you need both: scanners catch the patterns, humans catch the logic flaws no scanner has ever heard of.

Ready to strengthen your API security posture? The Barrion dashboard provides continuous security monitoring, helping you detect and respond to API vulnerabilities effectively. For an initial check of your public-facing network security, try our Network Security tool.

Frequently asked questions

Q: How do I quickly test for IDOR?

A: Use two accounts. With account A, note a resource ID; with account B, request the same ID. Expect 403 if not owned.

Q: What should my default CORS config be?

A: Avoid *. Set exact origins and avoid credentials unless needed. Treat CORS like a routing control, not an auth feature.

Secure your apps before
someone else finds the gaps.

Trusted by dev teams and agencies for security monitoring and audit-ready reports.

Get started freeContact sales