API Development & Security Testing Workflow: OWASP API Security Top 10 Guide

title: 'The Complete API Development & Security Testing Workflow: From Design to Production' date: '2025-01-07' excerpt: 'Learn the complete API development and security testing workflow used by DevOps teams and security engineers. This comprehensive guide covers API design, authentication, validation, security testing, deployment, and monitoring with practical tools and techniques aligned to OWASP API Security Top 10 2023.' author: 'InventiveHQ Security Team' category: 'Developer' tags:

API Security
API Development
OWASP
OAuth
JWT
Rate Limiting
API Testing
DevSecOps readingTime: 20 featured: true heroImage: "https://images.unsplash.com/photo-1558494949-ef010cbdcc31?w=1200&h=630&fit=crop"

Introduction

APIs have become the backbone of modern software architecture, powering everything from mobile apps to microservices to SaaS integrations. According to Salt Security's State of API Security Report, 94% of organizations experienced API security issues in production in 2024, with API attacks increasing 400% year-over-year. As Pynt's 2025 API security research reveals, APIs have rapidly become the number one attack vector for data breaches, with 31% of customer-facing APIs still lacking basic HTTPS encryption.

This guide walks you through the complete API development and security testing workflow used by DevOps teams, security engineers, and API developers worldwide. We'll cover the full lifecycle from initial design through production monitoring, with a strong focus on security at every stage—embodying the DevSecOps philosophy of "shift left" security.

The API Security Crisis of 2025

According to API7.ai's 2025 security analysis, the landscape has shifted dramatically:

31% of APIs lack HTTPS encryption - Basic transport security still missing
Shadow APIs proliferate - Undocumented endpoints exposing sensitive data
Business logic flaws - Traditional tools miss BOLA (Broken Object Level Authorization) and IDOR vulnerabilities
Credential stuffing attacks - Targeting authentication endpoints at scale
API abuse - Rate limiting bypasses and resource exhaustion attacks

Why This Workflow Matters

Modern API security requires a zero-trust security model, assuming no user or system should be trusted by default. This workflow integrates:

API Design & Requirements Gathering (1-2 days)
Authentication & Authorization Architecture (2-3 days)
API Development & Schema Validation (3-7 days)
Security Testing & Vulnerability Scanning (2-4 days)
Integration & Load Testing (1-3 days)
Deployment & Rate Limiting Configuration (1-2 days)
Production Monitoring & Continuous Testing (Ongoing)

Let's dive into each stage with practical techniques, security best practices, and tools aligned to the OWASP API Security Top 10 2023.

Stage 1: API Design & Requirements Gathering (1-2 days)

The design phase establishes your API's foundation—defining endpoints, data models, authentication requirements, and security boundaries. According to Postman's API-First Workflow, thinking about the API as one entity instead of treating code, definitions, and tests independently leads to better outcomes.

Step 1.1: Define API Purpose & Use Cases

Why: Clear requirements prevent scope creep and security oversights. Understanding who uses your API and how they use it drives authentication, authorization, and rate limiting decisions.

Key Questions:

Audience: Internal microservices? Third-party developers? Public consumers?
Data Sensitivity: PII, financial data, health records, or public information?
Traffic Patterns: Expected request volume (requests/minute, daily peaks)?
Compliance: GDPR, HIPAA, PCI-DSS, SOC 2 requirements?

Example Use Case Definition:

API: Customer Order Management API
Audience: Internal mobile app + partner integrations
Data: Customer PII, payment methods (PCI-DSS scope), order history
Traffic: 10,000 req/min peak, 2M requests/day
Compliance: PCI-DSS Level 1, GDPR (EU customers)

Step 1.2: Design RESTful Endpoints

Best Practices:

Resource-oriented URLs: /api/v1/customers/{id}/orders (not /api/v1/getCustomerOrders)
HTTP verb semantics: GET (read), POST (create), PUT/PATCH (update), DELETE (remove)
Versioning: Include version in URL (/v1/, /v2/) for backward compatibility
Pagination: Support ?limit=50&offset=100 or cursor-based pagination
Filtering: Enable query parameters like ?status=active&created_after=2025-01-01

Security Considerations:

Avoid exposing IDs: Use UUIDs instead of sequential integers to prevent enumeration
Limit response size: Enforce maximum page sizes to prevent resource exhaustion
No sensitive data in URLs: Never put passwords, tokens, or PII in query parameters (they're logged)

Tool: HTTP Request Builder Use our HTTP Request Builder to prototype API requests and test endpoint designs before writing code.

Step 1.3: Define Authentication & Authorization Requirements

Authentication Methods (Choose Based on Use Case):

Method	Use Case	Security Level	Tool
OAuth 2.0	Third-party integrations, delegated access	High	OAuth/OIDC Debugger
JWT (JSON Web Tokens)	Stateless microservices, mobile apps	High	JWT Decoder
API Keys	Server-to-server, simple integrations	Medium	Custom headers
mTLS (Mutual TLS)	Zero-trust environments, high security	Very High	Certificate-based

According to Knowi's REST API authentication guide, OAuth 2.0 with short-lived access tokens and multi-factor authentication is the most secure approach for 2025.

Tool: OAuth/OIDC Debugger Use our OAuth/OIDC Debugger to test OAuth flows, validate JWT tokens, generate PKCE challenges, and troubleshoot authentication issues.

Step 1.4: Document API Specification (OpenAPI/Swagger)

Why: OpenAPI (formerly Swagger) specifications serve as a contract between API providers and consumers, enabling automated validation, documentation, and code generation.

OpenAPI 3.1 Example:

openapi: 3.1.0
info:
  title: Customer Order API
  version: 1.0.0
  description: RESTful API for managing customer orders
servers:
  - url: https://api.example.com/v1
paths:
  /customers/{customerId}/orders:
    get:
      summary: Get customer orders
      security:
        - bearerAuth: []
      parameters:
        - name: customerId
          in: path
          required: true
          schema:
            type: string
            format: uuid
        - name: status
          in: query
          schema:
            type: string
            enum: [pending, shipped, delivered]
      responses:
        '200':
          description: Order list
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Order'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/TooManyRequests'

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

  schemas:
    Order:
      type: object
      required: [orderId, customerId, status, total]
      properties:
        orderId:
          type: string
          format: uuid
        customerId:
          type: string
          format: uuid
        status:
          type: string
          enum: [pending, processing, shipped, delivered, cancelled]
        total:
          type: number
          format: currency
        items:
          type: array
          items:
            $ref: '#/components/schemas/OrderItem'

  responses:
    Unauthorized:
      description: Missing or invalid authentication token
      content:
        application/json:
          schema:
            type: object
            properties:
              error:
                type: string
                example: "Unauthorized: Invalid JWT token"

    TooManyRequests:
      description: Rate limit exceeded
      headers:
        X-RateLimit-Limit:
          schema:
            type: integer
          description: Request limit per hour
        X-RateLimit-Remaining:
          schema:
            type: integer
          description: Remaining requests in window
        Retry-After:
          schema:
            type: integer
          description: Seconds until limit resets
      content:
        application/json:
          schema:
            type: object
            properties:
              error:
                type: string
                example: "Rate limit exceeded. Retry after 3600 seconds."

Key Security Elements:

Security schemes defined (bearerAuth)
Input validation (UUID format, enums)
Error responses documented (401, 429)
Rate limiting headers exposed

Tool: JSON Validator Use our JSON Validator to validate OpenAPI specifications and ensure schema correctness.

Step 1.5: Threat Modeling & Risk Assessment

OWASP API Security Top 10 2023 Coverage:

Risk	Description	Mitigation Strategy
API1:2023 - Broken Object Level Authorization	Users can access objects they shouldn't	Validate user ownership of every object access
API2:2023 - Broken Authentication	Weak authentication mechanisms	OAuth 2.0 + JWT with short expiry
API3:2023 - Broken Object Property Level Authorization	Mass assignment vulnerabilities	Explicit allowlists for input fields
API4:2023 - Unrestricted Resource Consumption	No rate limiting, DoS potential	Rate limiting + quota enforcement
API5:2023 - Broken Function Level Authorization	Missing role checks	RBAC with least-privilege principle
API6:2023 - Unrestricted Access to Sensitive Business Flows	Business logic abuse	Workflow validation, anti-automation
API7:2023 - Server Side Request Forgery	API makes requests to internal resources	URL allowlisting, network segmentation
API8:2023 - Security Misconfiguration	Default credentials, verbose errors	Security hardening checklist
API9:2023 - Improper Inventory Management	Shadow APIs, deprecated endpoints	API discovery, documentation
API10:2023 - Unsafe Consumption of APIs	Trusting third-party API data	Validate all external inputs

Threat Modeling Exercise:

Threat: Credential Stuffing Attack on /auth/login endpoint
Attack Vector: Automated login attempts using leaked credentials
Impact: Account takeover, data breach
Likelihood: High (common attack pattern)
Mitigation:
  - Rate limit: 5 attempts per IP per hour
  - CAPTCHA after 3 failed attempts
  - Multi-factor authentication (MFA)
  - Monitor for failed login spikes

Stage 1 Output:

After 1-2 days of design work, you should have:

Clearly defined API use cases and requirements
RESTful endpoint design with versioning
Authentication/authorization strategy selected
Complete OpenAPI 3.1 specification
Threat model documenting top risks and mitigations
Compliance requirements mapped to design

Time Investment: 1-2 days Next Step: Proceed to Stage 2 to implement authentication and authorization architecture.

Stage 2: Authentication & Authorization Architecture (2-3 days)

Authentication verifies who you are, while authorization determines what you can do. According to AestheteSoft's modern authentication guide, the most secure approach in 2025 combines OAuth 2.0 with short-lived access tokens and multi-factor authentication.

Step 2.1: Implement OAuth 2.0 Authorization Server

OAuth 2.0 Grant Types (Choose Based on Client Type):

Grant Type	Use Case	Security Level
Authorization Code + PKCE	Web apps, mobile apps, SPAs	Highest (recommended)
Client Credentials	Server-to-server, microservices	High
Refresh Token	Long-lived sessions	High (with rotation)
~~Implicit Flow~~	~~Legacy SPAs~~	Deprecated (insecure)
~~Password Grant~~	~~First-party apps~~	Deprecated (phishing risk)

Authorization Code + PKCE Flow:

1. Client generates code_verifier (random 43-128 char string)
2. Client hashes code_verifier → code_challenge (SHA-256)
3. Client redirects user to authorization server:
   GET /authorize?
     response_type=code
     &client_id=abc123
     &redirect_uri=https://app.example.com/callback
     &scope=read:orders write:orders
     &state=xyz789
     &code_challenge=HASH_OF_VERIFIER
     &code_challenge_method=S256

4. User authenticates and consents
5. Authorization server redirects back:
   GET /callback?code=AUTH_CODE&state=xyz789

6. Client exchanges code for token:
   POST /token
   {
     "grant_type": "authorization_code",
     "code": "AUTH_CODE",
     "redirect_uri": "https://app.example.com/callback",
     "client_id": "abc123",
     "code_verifier": "ORIGINAL_VERIFIER"
   }

7. Authorization server validates code_challenge and returns:
   {
     "access_token": "eyJhbGciOiJSUzI1NiIs...",
     "token_type": "Bearer",
     "expires_in": 3600,
     "refresh_token": "def456",
     "scope": "read:orders write:orders"
   }

Security Best Practices:

Always use PKCE - Even for confidential clients (prevents authorization code interception)
Short-lived access tokens - 15 minutes to 1 hour maximum
Refresh token rotation - Issue new refresh token on each use, invalidate old one
State parameter - Random hash to prevent CSRF attacks
Scope validation - Principle of least privilege

Tool: OAuth/OIDC Debugger Use our OAuth/OIDC Debugger to:

Generate PKCE code challenge/verifier pairs
Decode and validate access tokens
Test authorization flows
Troubleshoot common errors (invalid_grant, invalid_scope)

Step 2.2: JWT Token Design & Validation

JWT Structure:

Header.Payload.Signature

Header (Base64URL encoded):
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "key-2025-01"
}

Payload (Base64URL encoded):
{
  "iss": "https://auth.example.com",
  "sub": "user-12345",
  "aud": "api.example.com",
  "exp": 1736278800,
  "iat": 1736275200,
  "scope": "read:orders write:orders",
  "roles": ["customer"],
  "email": "[email protected]"
}

Signature (RS256 with private key):
RSASHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), privateKey)

Critical JWT Security Practices (2025):

According to Curity's JWT best practices:

Use Strong Algorithms
- ✅ RS256 (RSA with SHA-256) - Asymmetric, recommended
- ✅ ES256 (ECDSA with SHA-256) - Asymmetric, efficient
- ❌ HS256 (HMAC with SHA-256) - Symmetric, shared secret risk
- ❌ None - Never accept unsigned tokens

Validate Everything

// Server-side validation (Node.js example)
const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');

const client = jwksClient({
  jwksUri: 'https://auth.example.com/.well-known/jwks.json'
});

function getKey(header, callback) {
  client.getSigningKey(header.kid, (err, key) => {
    const signingKey = key.publicKey || key.rsaPublicKey;
    callback(null, signingKey);
  });
}

function validateToken(token) {
  return new Promise((resolve, reject) => {
    jwt.verify(token, getKey, {
      audience: 'api.example.com',
      issuer: 'https://auth.example.com',
      algorithms: ['RS256']
    }, (err, decoded) => {
      if (err) reject(err);
      else resolve(decoded);
    });
  });
}

Never Store Sensitive Data in Tokens
- ❌ Passwords, credit cards, SSNs
- ❌ PII beyond what's necessary for authorization
- ✅ User ID, roles, scopes, email (non-sensitive identifier)
Short Expiration Times
- Access tokens: 15-60 minutes
- Refresh tokens: 7-30 days (with rotation)
- ID tokens: 5-10 minutes
Secure Storage
- Web apps: HttpOnly, Secure cookies (not localStorage)
- Mobile apps: Platform keychain (iOS Keychain, Android Keystore)
- SPAs: In-memory storage + refresh token in HttpOnly cookie

Tool: JWT Decoder Use our JWT Decoder to:

Decode and inspect JWT tokens
Validate signatures and claims
Check expiration times
Identify security issues (weak algorithms, expired tokens)

Tool: Base64 Encoder/Decoder Use our Base64 Encoder/Decoder to manually inspect JWT payload contents.

Step 2.3: Implement Role-Based Access Control (RBAC)

RBAC Hierarchy:

User → Roles → Permissions → Resources

Example:
user-12345 → ["customer"] → ["read:orders", "write:orders"] → /customers/12345/orders
admin-user → ["admin"] → ["*"] → /*
partner-api → ["partner"] → ["read:orders"] → /partners/ABC/customers/*/orders

Authorization Middleware (Express.js Example):

// middleware/authorization.js
function requirePermission(permission) {
  return async (req, res, next) => {
    try {
      // Extract JWT from Authorization header
      const token = req.headers.authorization?.split(' ')[1];
      if (!token) {
        return res.status(401).json({ error: 'Unauthorized: Missing token' });
      }

      // Validate JWT (from Step 2.2)
      const decoded = await validateToken(token);

      // Check if user has required permission
      const userPermissions = decoded.scope.split(' ');
      if (!userPermissions.includes(permission) && !userPermissions.includes('*')) {
        return res.status(403).json({
          error: 'Forbidden: Insufficient permissions',
          required: permission,
          granted: userPermissions
        });
      }

      // Attach user info to request
      req.user = decoded;
      next();
    } catch (error) {
      return res.status(401).json({ error: 'Unauthorized: Invalid token' });
    }
  };
}

// Usage in routes
app.get('/customers/:id/orders',
  requirePermission('read:orders'),
  async (req, res) => {
    // Additional BOLA check (OWASP API1:2023)
    if (req.user.sub !== req.params.id && !req.user.roles.includes('admin')) {
      return res.status(403).json({ error: 'Forbidden: Cannot access other users\' orders' });
    }

    // Fetch orders...
  }
);

BOLA (Broken Object Level Authorization) Prevention:

According to Pynt's API security guide, BOLA is the #1 API vulnerability. Always validate object ownership:

// ❌ VULNERABLE: Only checks authentication
app.get('/orders/:orderId', authenticated, async (req, res) => {
  const order = await db.getOrder(req.params.orderId);
  res.json(order); // Returns ANY order, even if not owned by user
});

// ✅ SECURE: Validates ownership
app.get('/orders/:orderId', authenticated, async (req, res) => {
  const order = await db.getOrder(req.params.orderId);

  if (order.customerId !== req.user.sub && !req.user.roles.includes('admin')) {
    return res.status(403).json({ error: 'Forbidden: Order not found' });
  }

  res.json(order);
});

Step 2.4: API Key Management (For Server-to-Server)

API Key Best Practices:

Generate Cryptographically Random Keys

# 32-byte key, Base64 URL-safe encoded
openssl rand -base64 32 | tr -d "=+/" | cut -c1-43

Rotate Keys Regularly
- Minimum: Every 90 days
- After security incidents
- When team members leave
- Automate rotation to minimize human error

Scope Keys to Specific Resources

{
  "api_key": "ak_live_7Fn8kJHG9KLp2mN4o5P6q7R8s9T0u1V2",
  "name": "Partner XYZ Integration",
  "scopes": ["read:orders"],
  "rate_limit": "1000/hour",
  "allowed_ips": ["203.0.113.0/24"],
  "created_at": "2025-01-07T10:00:00Z",
  "expires_at": "2025-04-07T10:00:00Z"
}

Never Log API Keys

// ❌ BAD: Logs full API key
logger.info(`Request from API key: ${req.headers['x-api-key']}`);

// ✅ GOOD: Logs only last 4 characters
const apiKey = req.headers['x-api-key'];
const maskedKey = `****${apiKey.slice(-4)}`;
logger.info(`Request from API key: ${maskedKey}`);

Tool: Hash Generator Use our Hash Generator to securely hash API keys for database storage.

Step 2.5: Multi-Factor Authentication (MFA)

MFA Implementation:

TOTP (Time-Based One-Time Password): Google Authenticator, Authy
SMS/Email OTP: Fallback option (less secure due to SIM swapping)
WebAuthn/FIDO2: Hardware keys (YubiKey) - most secure
Push notifications: Duo, Okta Verify

MFA Flow:

1. User provides username + password → Primary authentication
2. System generates MFA challenge → Send TOTP code request
3. User provides TOTP code → Verify against shared secret
4. If valid → Issue access token with mfa_verified claim

Stage 2 Output:

After 2-3 days, you should have:

OAuth 2.0 authorization server configured
JWT token generation and validation implemented
RBAC with permission-based authorization
API key management system (if applicable)
MFA integration (optional but recommended)
BOLA prevention in all object access endpoints

Time Investment: 2-3 days Next Step: Proceed to Stage 3 for API development and schema validation.

Stage 3: API Development & Schema Validation (3-7 days)

With authentication and authorization in place, you can now build API endpoints with confidence that only authorized users can access protected resources.

Step 3.1: Input Validation & Sanitization

Why: According to the OWASP API Security Top 10, API3:2023 - Broken Object Property Level Authorization (mass assignment) and API10:2023 - Unsafe Consumption of APIs both stem from insufficient input validation.

Validation Layers:

Schema Validation (OpenAPI Spec)
Type Checking (TypeScript, Pydantic, Joi)
Business Logic Validation
Sanitization (SQL injection, XSS prevention)

Example: Express.js + Joi Validation

const Joi = require('joi');

// Define validation schema
const createOrderSchema = Joi.object({
  customerId: Joi.string().uuid().required(),
  items: Joi.array().items(
    Joi.object({
      productId: Joi.string().uuid().required(),
      quantity: Joi.number().integer().min(1).max(100).required(),
      price: Joi.number().positive().precision(2).required()
    })
  ).min(1).max(50).required(), // Prevent resource exhaustion
  shippingAddress: Joi.object({
    street: Joi.string().max(200).required(),
    city: Joi.string().max(100).required(),
    state: Joi.string().length(2).uppercase().required(),
    zipCode: Joi.string().pattern(/^\d{5}(-\d{4})?$/).required()
  }).required(),
  paymentMethod: Joi.string().valid('credit_card', 'paypal', 'bank_transfer').required()
});

// Validation middleware
function validate(schema) {
  return (req, res, next) => {
    const { error, value } = schema.validate(req.body, {
      abortEarly: false, // Return all errors
      stripUnknown: true  // Remove unknown fields (prevent mass assignment)
    });

    if (error) {
      const errors = error.details.map(detail => ({
        field: detail.path.join('.'),
        message: detail.message
      }));

      return res.status(400).json({
        error: 'Validation failed',
        details: errors
      });
    }

    req.validatedBody = value;
    next();
  };
}

// Usage
app.post('/orders',
  requirePermission('write:orders'),
  validate(createOrderSchema),
  async (req, res) => {
    // req.validatedBody contains only validated fields
    const order = await createOrder(req.validatedBody);
    res.status(201).json(order);
  }
);

Mass Assignment Prevention:

// ❌ VULNERABLE: Accepts any field from request body
app.patch('/users/:id', async (req, res) => {
  await db.users.update(req.params.id, req.body);
  // Attacker could send: { "role": "admin", "isVerified": true }
});

// ✅ SECURE: Explicit allowlist of updatable fields
const updateUserSchema = Joi.object({
  firstName: Joi.string().max(100),
  lastName: Joi.string().max(100),
  email: Joi.string().email()
  // role, isVerified NOT allowed
}).min(1); // At least one field required

app.patch('/users/:id',
  requirePermission('write:profile'),
  validate(updateUserSchema),
  async (req, res) => {
    // Only firstName, lastName, email can be updated
    await db.users.update(req.params.id, req.validatedBody);
  }
);

Tool: JSON Validator Use our JSON Validator to test request payloads against JSON Schema definitions during development.

Step 3.2: Implement Rate Limiting & Throttling

Why: OWASP API4:2023 - Unrestricted Resource Consumption and DoS prevention require rate limiting. According to API7.ai's rate limiting guide, rate limiting restricts the number of requests, while throttling slows down excessive traffic.

Rate Limiting Strategies:

Algorithm	Use Case	Pros	Cons
Fixed Window	Simple APIs, low traffic	Easy to implement	Traffic spikes at window reset
Sliding Window	General purpose	Smooth rate limiting	More memory overhead
Token Bucket	Burst-tolerant APIs	Allows traffic bursts	Complex configuration
Leaky Bucket	Consistent rate enforcement	Smooth traffic flow	Rejects bursts

Implementation: Express Rate Limit Middleware

const rateLimit = require('express-rate-limit');
const RedisStore = require('rate-limit-redis');
const Redis = require('ioredis');

const redisClient = new Redis({
  host: process.env.REDIS_HOST,
  port: 6379
});

// Global rate limit: 1000 requests per hour per IP
const globalLimiter = rateLimit({
  store: new RedisStore({
    client: redisClient,
    prefix: 'rl:global:'
  }),
  windowMs: 60 * 60 * 1000, // 1 hour
  max: 1000,
  message: {
    error: 'Too many requests from this IP, please try again later.',
    retryAfter: '3600 seconds'
  },
  standardHeaders: true, // Return rate limit info in headers
  legacyHeaders: false,
  handler: (req, res) => {
    res.status(429).json({
      error: 'Rate limit exceeded',
      limit: req.rateLimit.limit,
      remaining: req.rateLimit.remaining,
      resetTime: new Date(req.rateLimit.resetTime).toISOString()
    });
  }
});

// Stricter limit for authentication endpoints (prevent credential stuffing)
const authLimiter = rateLimit({
  store: new RedisStore({
    client: redisClient,
    prefix: 'rl:auth:'
  }),
  windowMs: 60 * 60 * 1000, // 1 hour
  max: 5, // Only 5 login attempts per hour
  skipSuccessfulRequests: true, // Don't count successful logins
  message: {
    error: 'Too many failed login attempts. Please try again in 1 hour.',
    retryAfter: '3600 seconds'
  }
});

// Per-user rate limit (based on authenticated user)
const userLimiter = rateLimit({
  store: new RedisStore({
    client: redisClient,
    prefix: 'rl:user:'
  }),
  windowMs: 60 * 60 * 1000,
  max: 10000, // Authenticated users get higher limits
  keyGenerator: (req) => req.user?.sub || req.ip, // Use user ID or fall back to IP
});

// Apply rate limiters
app.use('/api/', globalLimiter);
app.post('/auth/login', authLimiter, loginHandler);
app.use('/api/', requirePermission('*'), userLimiter);

Rate Limit Response Headers:

HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1736278800
Retry-After: 3600

{
  "error": "Rate limit exceeded",
  "limit": 1000,
  "remaining": 0,
  "resetTime": "2025-01-07T12:00:00Z"
}

Tool: Rate Limit Calculator Use our Rate Limit Calculator to:

Model API throttling budgets
Calculate optimal per-client limits
Estimate queue depth for different limits
Avoid 429 errors in production

Step 3.3: Error Handling & Logging

Security-Conscious Error Responses:

// ❌ INSECURE: Exposes internal details
app.get('/users/:id', async (req, res) => {
  try {
    const user = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);
    res.json(user);
  } catch (error) {
    res.status(500).json({
      error: error.message, // "relation 'users' does not exist"
      stack: error.stack     // Full stack trace with file paths
    });
  }
});

// ✅ SECURE: Generic error messages to users, detailed logging internally
app.get('/users/:id', async (req, res) => {
  try {
    const user = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);

    if (!user) {
      return res.status(404).json({
        error: 'User not found'
      });
    }

    res.json(user);
  } catch (error) {
    // Log full error details internally
    logger.error('Database error in GET /users/:id', {
      errorMessage: error.message,
      errorStack: error.stack,
      userId: req.params.id,
      requestId: req.id
    });

    // Return generic error to user
    res.status(500).json({
      error: 'Internal server error',
      requestId: req.id // For support troubleshooting
    });
  }
});

Structured Logging (JSON Format):

const winston = require('winston');

const logger = winston.createLogger({
  level: 'info',
  format: winston.format.json(),
  defaultMeta: { service: 'order-api' },
  transports: [
    new winston.transports.File({ filename: 'error.log', level: 'error' }),
    new winston.transports.File({ filename: 'combined.log' })
  ]
});

// Log API requests
app.use((req, res, next) => {
  const start = Date.now();

  res.on('finish', () => {
    const duration = Date.now() - start;

    logger.info('API request', {
      method: req.method,
      path: req.path,
      statusCode: res.statusCode,
      durationMs: duration,
      userId: req.user?.sub,
      ip: req.ip,
      userAgent: req.headers['user-agent']
    });
  });

  next();
});

Tool: JSON Formatter Use our JSON Formatter to parse and analyze structured JSON logs during debugging.

Tool: Regex Tester Use our Regex Tester to extract patterns from logs (e.g., error messages, request IDs).

Step 3.4: Data Serialization & Response Filtering

Prevent Data Leakage:

// ❌ INSECURE: Exposes all database fields
app.get('/users/:id', async (req, res) => {
  const user = await db.users.findById(req.params.id);
  res.json(user);
  // Returns: { id, email, passwordHash, creditCardLast4, ssn, ... }
});

// ✅ SECURE: Explicit response serialization
class UserSerializer {
  static toPublic(user) {
    return {
      id: user.id,
      firstName: user.firstName,
      lastName: user.lastName,
      email: user.email,
      createdAt: user.createdAt
      // passwordHash, ssn, creditCardLast4 NOT included
    };
  }

  static toAdmin(user) {
    return {
      ...this.toPublic(user),
      lastLoginAt: user.lastLoginAt,
      ipAddress: user.lastLoginIp,
      accountStatus: user.status
      // Still no passwordHash or sensitive PII
    };
  }
}

app.get('/users/:id', async (req, res) => {
  const user = await db.users.findById(req.params.id);

  if (req.user.roles.includes('admin')) {
    res.json(UserSerializer.toAdmin(user));
  } else {
    res.json(UserSerializer.toPublic(user));
  }
});

Step 3.5: API Versioning Strategy

Versioning Approaches:

Method	Example	Pros	Cons
URL Path	`/v1/orders`, `/v2/orders`	Clear, easy to route	URL pollution
Header	`Accept: application/vnd.api+json; version=2`	Clean URLs	Less discoverable
Query Param	`/orders?version=2`	Flexible	Can be forgotten

Recommended: URL Path Versioning

// v1/orders.js
router.get('/v1/orders/:id', async (req, res) => {
  const order = await db.orders.findById(req.params.id);
  res.json({
    id: order.id,
    status: order.status,
    total: order.totalAmount // Old field name
  });
});

// v2/orders.js (Breaking change: renamed totalAmount → total)
router.get('/v2/orders/:id', async (req, res) => {
  const order = await db.orders.findById(req.params.id);
  res.json({
    id: order.id,
    status: order.status,
    total: order.totalAmount,
    currency: order.currency, // New field
    items: order.items // New field
  });
});

Deprecation Process:

Announce deprecation 6-12 months in advance
Add Deprecation header to responses
Monitor v1 usage metrics
Provide migration guide
Sunset v1 after grace period

HTTP/1.1 200 OK
Deprecation: true
Sunset: Wed, 01 Jul 2025 00:00:00 GMT
Link: <https://api.example.com/docs/v1-to-v2-migration>; rel="deprecation"

Stage 3 Output:

After 3-7 days, you should have:

Schema validation on all endpoints (Joi, JSON Schema)
Rate limiting configured (global, per-endpoint, per-user)
Secure error handling (generic external, detailed internal)
Structured logging (JSON format with context)
Response serialization preventing data leakage
API versioning strategy implemented

Time Investment: 3-7 days Next Step: Proceed to Stage 4 for security testing and vulnerability scanning.

Stage 4: Security Testing & Vulnerability Scanning (2-4 days)

With your API built, it's time for comprehensive security testing. According to Pynt's API security testing guide, combining DAST results with manual penetration testing provides the most comprehensive coverage.

Step 4.1: Automated Security Scanning (DAST)

Dynamic Application Security Testing (DAST) Tools:

Tool	Use Case	Strengths
OWASP ZAP	Open-source, general-purpose	Free, extensive, active community
Burp Suite	Professional penetration testing	Deep inspection, manual testing
Postman	API testing with security checks	Developer-friendly, CI/CD integration
Nuclei	Template-based vulnerability scanning	Fast, customizable templates

OWASP ZAP Automated Scan:

# Docker-based automated scan
docker run -v $(pwd):/zap/wrk/:rw \
  -t ghcr.io/zaproxy/zaproxy:stable \
  zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -r zap-report.html

# Scan includes:
# - SQL injection
# - XSS (cross-site scripting)
# - Authentication bypass
# - CSRF (cross-site request forgery)
# - Directory traversal
# - XXE (XML external entity)

Postman Security Testing:

// Collection pre-request script: Generate JWT for authenticated tests
const jwtToken = pm.collectionVariables.get('jwt_token');
if (!jwtToken) {
  pm.sendRequest({
    url: 'https://api.example.com/auth/login',
    method: 'POST',
    header: { 'Content-Type': 'application/json' },
    body: {
      mode: 'raw',
      raw: JSON.stringify({
        username: pm.environment.get('test_username'),
        password: pm.environment.get('test_password')
      })
    }
  }, (err, res) => {
    pm.collectionVariables.set('jwt_token', res.json().access_token);
  });
}

// Test: BOLA vulnerability check
pm.test('BOLA: Cannot access other users\' orders', () => {
  pm.sendRequest({
    url: 'https://api.example.com/v1/orders/other-user-order-id',
    method: 'GET',
    header: {
      'Authorization': `Bearer ${pm.collectionVariables.get('jwt_token')}`
    }
  }, (err, res) => {
    pm.expect(res.code).to.be.oneOf([403, 404]); // Should NOT return 200
  });
});

// Test: Mass assignment vulnerability
pm.test('Mass Assignment: Cannot elevate privileges', () => {
  pm.sendRequest({
    url: 'https://api.example.com/v1/users/me',
    method: 'PATCH',
    header: {
      'Authorization': `Bearer ${pm.collectionVariables.get('jwt_token')}`,
      'Content-Type': 'application/json'
    },
    body: {
      mode: 'raw',
      raw: JSON.stringify({
        firstName: 'John',
        role: 'admin' // Attempt privilege escalation
      })
    }
  }, (err, res) => {
    pm.expect(res.code).to.be.oneOf([400, 403]); // Should reject
    const user = res.json();
    pm.expect(user.role).to.not.equal('admin');
  });
});

// Test: SQL injection
pm.test('SQL Injection: Properly sanitizes input', () => {
  pm.sendRequest({
    url: 'https://api.example.com/v1/orders?status=delivered\' OR \'1\'=\'1',
    method: 'GET',
    header: {
      'Authorization': `Bearer ${pm.collectionVariables.get('jwt_token')}`
    }
  }, (err, res) => {
    pm.expect(res.code).to.be.oneOf([400, 200]); // Should handle gracefully
    if (res.code === 200) {
      // Should not return all orders (SQL injection would bypass status filter)
      const orders = res.json();
      orders.forEach(order => {
        pm.expect(order.status).to.equal('delivered');
      });
    }
  });
});

Step 4.2: Authentication & Authorization Testing

JWT Security Tests:

Tool: JWT Decoder Use our JWT Decoder to validate JWT tokens during testing.

# Test 1: None algorithm attack
# Try to bypass signature verification by changing algorithm to "none"
curl -X GET https://api.example.com/v1/orders \
  -H "Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJ1c2VyLTEyMyIsInJvbGUiOiJhZG1pbiJ9."
# Expected: 401 Unauthorized (server must reject "none" algorithm)

# Test 2: Expired token
curl -X GET https://api.example.com/v1/orders \
  -H "Authorization: Bearer <expired_token>"
# Expected: 401 Unauthorized with error "Token expired"

# Test 3: Tampered payload
# Modify JWT payload (change user ID) without valid signature
curl -X GET https://api.example.com/v1/orders \
  -H "Authorization: Bearer <tampered_token>"
# Expected: 401 Unauthorized with error "Invalid signature"

# Test 4: Missing required claims
curl -X GET https://api.example.com/v1/orders \
  -H "Authorization: Bearer <token_missing_exp>"
# Expected: 401 Unauthorized

OAuth Flow Testing:

Tool: OAuth/OIDC Debugger Use our OAuth/OIDC Debugger to test OAuth flows and troubleshoot authentication issues.

# Test 1: CSRF attack (missing or invalid state parameter)
GET /authorize?
  response_type=code
  &client_id=abc123
  &redirect_uri=https://attacker.com/callback
  &state=<missing_or_predictable>
# Expected: Reject or generate unpredictable state

# Test 2: Redirect URI manipulation
GET /authorize?
  response_type=code
  &client_id=abc123
  &redirect_uri=https://attacker.com/steal-code
# Expected: Reject (redirect_uri must match registered URI)

# Test 3: PKCE bypass attempt
POST /token
{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE",
  "redirect_uri": "https://app.example.com/callback",
  "client_id": "abc123"
  // Missing code_verifier - attempt to bypass PKCE
}
# Expected: 400 Bad Request "code_verifier required"

Step 4.3: Input Validation & Injection Testing

SQL Injection Tests:

# Test 1: Classic SQL injection
curl -X GET "https://api.example.com/v1/[email protected]' OR '1'='1"
# Expected: 400 Bad Request or sanitized query

# Test 2: Union-based injection
curl -X GET "https://api.example.com/v1/products?id=1 UNION SELECT password FROM users--"
# Expected: 400 Bad Request

# Test 3: Blind SQL injection
curl -X GET "https://api.example.com/v1/orders?id=1 AND SLEEP(10)--"
# Expected: Response within normal time (<1s), not delayed 10 seconds

NoSQL Injection (MongoDB):

# Test: NoSQL injection via JSON
curl -X POST https://api.example.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": {"$ne": null},
    "password": {"$ne": null}
  }'
# Expected: 400 Bad Request (reject non-string values)

XSS (Cross-Site Scripting):

# Test: Stored XSS
curl -X POST https://api.example.com/v1/comments \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "text": "<script>alert(\"XSS\")</script>"
  }'
# Expected: 400 Bad Request or sanitized storage

# Verify: Retrieve comment
curl -X GET https://api.example.com/v1/comments/123
# Expected: Script tags escaped or removed in response

Tool: HTML Entity Encoder Use our HTML Entity Encoder to test XSS prevention and verify output encoding.

Step 4.4: Rate Limiting & DoS Testing

Rate Limit Bypass Attempts:

# Test 1: IP rotation bypass
for i in {1..100}; do
  curl -X POST https://api.example.com/auth/login \
    -H "X-Forwarded-For: 192.0.2.$i" \
    -d '{"username":"test","password":"wrong"}'
done
# Expected: Server must use actual IP, not X-Forwarded-For (unless behind trusted proxy)

# Test 2: Rate limit header verification
curl -X GET https://api.example.com/v1/orders -i
# Expected response headers:
# X-RateLimit-Limit: 1000
# X-RateLimit-Remaining: 999
# X-RateLimit-Reset: 1736278800

# Test 3: Excessive requests trigger 429
for i in {1..1001}; do
  curl -X GET https://api.example.com/v1/orders \
    -H "Authorization: Bearer <token>"
done
# Expected: Request 1001 returns 429 Too Many Requests

Resource Exhaustion Tests:

# Test 1: Large payload upload
dd if=/dev/zero of=largefile.bin bs=1M count=1000 # 1GB file
curl -X POST https://api.example.com/v1/uploads \
  -H "Authorization: Bearer <token>" \
  -F "[email protected]"
# Expected: 413 Payload Too Large (server enforces size limit)

# Test 2: Pagination limit bypass
curl -X GET "https://api.example.com/v1/orders?limit=999999"
# Expected: Enforce max limit (e.g., 100), return 400 or capped results

# Test 3: Nested JSON depth attack
curl -X POST https://api.example.com/v1/data \
  -H "Content-Type: application/json" \
  -d '{"a":{"a":{"a":{"a":...}}}}}' # Deeply nested 1000+ levels
# Expected: 400 Bad Request (reject excessive nesting depth)

Step 4.5: HTTPS & TLS Configuration Testing

SSL/TLS Security Checks:

Tool: SSL Checker Use our SSL Checker tool to verify certificate chains, protocol support, and configuration issues.

# Test with Qualys SSL Labs
curl "https://api.ssllabs.com/api/v3/analyze?host=api.example.com"

# Expected Results:
# ✅ Grade: A or A+
# ✅ Certificate: Valid, not expired, proper chain
# ✅ Protocols: TLS 1.2, TLS 1.3 enabled
# ❌ Protocols: SSLv2, SSLv3, TLS 1.0, TLS 1.1 disabled
# ✅ Cipher Suites: Strong ciphers only (AES-GCM, ChaCha20)
# ❌ Cipher Suites: Weak ciphers disabled (RC4, 3DES, CBC)
# ✅ HSTS: Enabled with max-age ≥ 31536000
# ✅ Certificate Transparency: CT logs present

Tool: X.509 Certificate Decoder Use our X.509 Certificate Decoder to analyze SSL/TLS certificates.

Tool: Certificate CSR Generator Use our Certificate CSR Generator to generate CSRs and convert between certificate formats.

HTTP Security Headers:

Tool: Security Headers Analyzer Use our Security Headers Analyzer to test HTTP security headers and get security scores.

curl -I https://api.example.com/v1/orders

# Expected Headers:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'none'
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=(), microphone=(), camera=()

Tool: CSP Policy Generator Use our CSP Policy Generator to generate Content Security Policy headers with nonce/hash support.

Stage 4 Output:

After 2-4 days of security testing, you should have:

DAST scan completed (OWASP ZAP, Burp Suite)
Authentication vulnerabilities tested (JWT, OAuth)
Input validation verified (SQL injection, XSS, NoSQL injection)
Rate limiting and DoS protections validated
HTTPS/TLS configuration assessed (A+ grade)
Security headers configured and tested
Vulnerability report with remediation plan

Time Investment: 2-4 days Next Step: Proceed to Stage 5 for integration and load testing.

Stage 5: Integration & Load Testing (1-3 days)

After security testing, validate that your API performs reliably under real-world conditions and integrates correctly with downstream systems.

Step 5.1: End-to-End Integration Testing

Why: According to Postman's API testing guide, end-to-end tests validate key user journeys that may involve multiple endpoints and APIs.

Example: Order Placement Flow

// Postman Collection: E2E - Order Placement
pm.test('E2E: Complete order placement flow', async () => {
  // Step 1: Authenticate user
  const authResponse = await pm.sendRequest({
    url: 'https://api.example.com/auth/login',
    method: 'POST',
    body: {
      mode: 'raw',
      raw: JSON.stringify({
        username: '[email protected]',
        password: 'TestPass123!'
      })
    }
  });
  pm.expect(authResponse.code).to.equal(200);
  const token = authResponse.json().access_token;

  // Step 2: Get user profile
  const profileResponse = await pm.sendRequest({
    url: 'https://api.example.com/v1/users/me',
    method: 'GET',
    header: { 'Authorization': `Bearer ${token}` }
  });
  pm.expect(profileResponse.code).to.equal(200);
  const customerId = profileResponse.json().id;

  // Step 3: Add items to cart
  const cartResponse = await pm.sendRequest({
    url: `https://api.example.com/v1/customers/${customerId}/cart`,
    method: 'POST',
    header: {
      'Authorization': `Bearer ${token}`,
      'Content-Type': 'application/json'
    },
    body: {
      mode: 'raw',
      raw: JSON.stringify({
        items: [
          { productId: 'prod-123', quantity: 2 },
          { productId: 'prod-456', quantity: 1 }
        ]
      })
    }
  });
  pm.expect(cartResponse.code).to.equal(201);
  const cartId = cartResponse.json().id;

  // Step 4: Create order
  const orderResponse = await pm.sendRequest({
    url: `https://api.example.com/v1/customers/${customerId}/orders`,
    method: 'POST',
    header: {
      'Authorization': `Bearer ${token}`,
      'Content-Type': 'application/json'
    },
    body: {
      mode: 'raw',
      raw: JSON.stringify({
        cartId: cartId,
        shippingAddress: {
          street: '123 Main St',
          city: 'San Francisco',
          state: 'CA',
          zipCode: '94102'
        },
        paymentMethod: 'credit_card'
      })
    }
  });
  pm.expect(orderResponse.code).to.equal(201);
  const orderId = orderResponse.json().id;

  // Step 5: Verify order status
  const statusResponse = await pm.sendRequest({
    url: `https://api.example.com/v1/orders/${orderId}`,
    method: 'GET',
    header: { 'Authorization': `Bearer ${token}` }
  });
  pm.expect(statusResponse.code).to.equal(200);
  pm.expect(statusResponse.json().status).to.equal('pending');

  // Step 6: Verify inventory decremented (downstream system check)
  const inventoryResponse = await pm.sendRequest({
    url: 'https://api.example.com/v1/products/prod-123',
    method: 'GET',
    header: { 'Authorization': `Bearer ${token}` }
  });
  pm.expect(inventoryResponse.code).to.equal(200);
  pm.expect(inventoryResponse.json().inventory).to.be.below(100); // Verify stock updated
});

Webhook Integration Testing:

Tool: Webhook Tester & Inspector Use our Webhook Tester & Inspector to:

Generate temporary webhook endpoints
Capture payloads from your API
Validate webhook signatures (HMAC-SHA256)
Test webhook retry logic

Example Webhook Test:

// 1. Generate webhook endpoint in Webhook Tester
const webhookUrl = 'https://webhook.site/unique-id';

// 2. Configure webhook in your API
await pm.sendRequest({
  url: 'https://api.example.com/v1/webhooks',
  method: 'POST',
  header: {
    'Authorization': `Bearer ${token}`,
    'Content-Type': 'application/json'
  },
  body: {
    mode: 'raw',
    raw: JSON.stringify({
      url: webhookUrl,
      events: ['order.created', 'order.shipped'],
      secret: 'webhook_secret_123'
    })
  }
});

// 3. Trigger event (create order)
await pm.sendRequest({
  url: 'https://api.example.com/v1/orders',
  method: 'POST',
  // ... order data
});

// 4. Verify webhook payload received
// (Check Webhook Tester UI for received payload)

Tool: Webhook Payload Generator Use our Webhook Payload Generator to generate webhook payloads with HMAC signatures for testing webhook consumers.

Step 5.2: Performance & Load Testing

Why: BlazeMeter's continuous API testing guide emphasizes that performance testing confirms APIs can operate reliably during peak traffic.

Load Testing Tools:

Apache JMeter - Industry standard, GUI-based
k6 - Modern, developer-friendly, scripting in JavaScript
Artillery - YAML-based configuration, CI/CD integration
Gatling - Scala-based, detailed reporting

Example: k6 Load Test

// load-test.js
import http from 'k6/http';
import { check, sleep } from 'k6';

export let options = {
  stages: [
    { duration: '2m', target: 100 },   // Ramp up to 100 users
    { duration: '5m', target: 100 },   // Stay at 100 users
    { duration: '2m', target: 200 },   // Ramp up to 200 users
    { duration: '5m', target: 200 },   // Stay at 200 users
    { duration: '2m', target: 0 },     // Ramp down to 0 users
  ],
  thresholds: {
    'http_req_duration': ['p(95)<500'], // 95% of requests < 500ms
    'http_req_failed': ['rate<0.01'],   // Error rate < 1%
  },
};

export default function () {
  // Authenticate
  const loginRes = http.post('https://api.example.com/auth/login', JSON.stringify({
    username: '[email protected]',
    password: 'LoadTest123!'
  }), {
    headers: { 'Content-Type': 'application/json' },
  });

  check(loginRes, {
    'login successful': (r) => r.status === 200,
  });

  const token = loginRes.json('access_token');

  // Get orders (most common operation)
  const ordersRes = http.get('https://api.example.com/v1/orders', {
    headers: { 'Authorization': `Bearer ${token}` },
  });

  check(ordersRes, {
    'orders retrieved': (r) => r.status === 200,
    'response time OK': (r) => r.timings.duration < 500,
  });

  sleep(1); // Think time between requests
}

Run Load Test:

k6 run --vus 100 --duration 10m load-test.js

# Output:
#   scenarios: (100.00%) 1 scenario, 200 max VUs, 16m30s max duration
#
#   ✓ login successful
#   ✓ orders retrieved
#   ✓ response time OK
#
#   http_req_duration..............: avg=245ms  min=120ms med=230ms max=890ms p(95)=450ms p(99)=720ms
#   http_req_failed................: 0.23%  ✓ 45    ✗ 19855
#   http_reqs......................: 19900  33.16/s
#   iteration_duration.............: avg=1.5s   min=1.2s  med=1.4s  max=2.8s

Performance Metrics to Track:

Metric	Target	Tool
Response Time (p95)	< 500ms	k6, JMeter
Response Time (p99)	< 1000ms	k6, JMeter
Error Rate	< 1%	k6, monitoring
Throughput	> 1000 req/s	k6, JMeter
Concurrent Users	500+	k6, JMeter

Tool: Network Latency Calculator Use our Network Latency Calculator to calculate network latency, ping distance, and data transfer times between locations.

Tool: TCP Window Size Calculator Use our TCP Window Size Calculator to calculate optimal TCP window sizes and buffer configurations for WAN optimization.

Step 5.3: API Contract Testing

Why: Prevent breaking changes by validating API responses against OpenAPI spec.

Tools:

Dredd - HTTP API testing framework
Prism - Mock server and contract validation
Pact - Consumer-driven contract testing

Example: Dredd Contract Test

# Install Dredd
npm install -g dredd

# Run contract tests
dredd openapi.yaml https://api.example.com

# Output:
# pass: GET /v1/orders duration: 245ms
# pass: POST /v1/orders duration: 312ms
# fail: GET /v1/orders/{id} duration: 189ms
#   Expected status code 200, got 500
#   Response body does not match schema

Step 5.4: Chaos Engineering (Optional)

Test resilience to failures:

# Test 1: Database failure
# Simulate database connection loss
systemctl stop postgresql
curl -X GET https://api.example.com/v1/orders
# Expected: 503 Service Unavailable with retry-after header

# Test 2: Slow network
# Introduce 2-second latency
tc qdisc add dev eth0 root netem delay 2000ms
curl -X GET https://api.example.com/v1/orders
# Expected: Response within timeout, or graceful timeout error

# Test 3: Downstream service failure
# Mock third-party API returns 500 errors
# Expected: Circuit breaker opens, fallback response, or degraded mode

Stage 5 Output:

After 1-3 days, you should have:

End-to-end integration tests passing (Postman collections)
Webhook integration verified (delivery, signatures, retries)
Load test results (p95 < 500ms, error rate < 1%)
Contract tests validating OpenAPI compliance
Chaos testing (optional) validating resilience

Time Investment: 1-3 days Next Step: Proceed to Stage 6 for deployment and rate limiting configuration.

Stage 6: Deployment & Rate Limiting Configuration (1-2 days)

With testing complete, deploy your API to production with proper security controls, monitoring, and rate limiting.

Step 6.1: Production Deployment Checklist

Pre-Deployment Security Checklist:

☐ Environment Variables
  ☐ No hardcoded secrets in code
  ☐ Database credentials in secret manager (AWS Secrets Manager, HashiCorp Vault)
  ☐ API keys rotated from staging
  ☐ JWT signing keys generated with cryptographically secure random

☐ HTTPS/TLS Configuration
  ☐ Valid SSL certificate installed
  ☐ TLS 1.2+ only (TLS 1.0, 1.1 disabled)
  ☐ Strong cipher suites enabled
  ☐ HSTS header configured (max-age=31536000)
  ☐ Certificate expiration monitoring (alert 30 days before)

☐ API Gateway Configuration
  ☐ Rate limiting enabled (global, per-endpoint, per-user)
  ☐ Request size limits enforced (max 10MB)
  ☐ Timeout limits set (30 seconds max)
  ☐ CORS policy configured (allowlist trusted origins)
  ☐ API keys rotated for production

☐ Database Security
  ☐ Database firewall rules (allowlist API servers only)
  ☐ Read-only database user for read endpoints
  ☐ Write database user with minimal permissions
  ☐ Prepared statements (prevent SQL injection)
  ☐ Connection pooling configured

☐ Logging & Monitoring
  ☐ Structured logging enabled (JSON format)
  ☐ Sensitive data excluded from logs (passwords, tokens, PII)
  ☐ Log aggregation configured (CloudWatch, Datadog, Splunk)
  ☐ Error alerting configured (PagerDuty, Opsgenie)
  ☐ Uptime monitoring (Pingdom, UptimeRobot)

☐ Security Headers
  ☐ Strict-Transport-Security
  ☐ X-Content-Type-Options: nosniff
  ☐ X-Frame-Options: DENY
  ☐ Content-Security-Policy
  ☐ Referrer-Policy: no-referrer

☐ Documentation
  ☐ API documentation published (Swagger UI, Redoc)
  ☐ Rate limits documented
  ☐ Authentication guide published
  ☐ Error response reference
  ☐ Changelog maintained

Step 6.2: Rate Limiting Strategy for Production

Tiered Rate Limits:

According to Cloudflare's rate limiting best practices, implement graduated limits based on user tier and endpoint sensitivity.

// Rate limit configuration
const rateLimits = {
  // Public endpoints (no authentication)
  public: {
    windowMs: 60 * 60 * 1000, // 1 hour
    max: 100, // 100 requests per hour per IP
    endpoints: ['/health', '/docs', '/openapi.json']
  },

  // Authentication endpoints (prevent credential stuffing)
  auth: {
    windowMs: 60 * 60 * 1000, // 1 hour
    max: 5, // 5 attempts per hour per IP
    endpoints: ['/auth/login', '/auth/register', '/auth/reset-password']
  },

  // Free tier users
  free: {
    windowMs: 60 * 60 * 1000, // 1 hour
    max: 1000, // 1,000 requests per hour
    burstMax: 50, // Max 50 requests per minute
    endpoints: ['*']
  },

  // Paid tier users
  paid: {
    windowMs: 60 * 60 * 1000, // 1 hour
    max: 10000, // 10,000 requests per hour
    burstMax: 500, // Max 500 requests per minute
    endpoints: ['*']
  },

  // Write operations (more restrictive)
  write: {
    windowMs: 60 * 60 * 1000, // 1 hour
    max: 500, // 500 write operations per hour
    endpoints: ['/v1/orders', '/v1/users', '/v1/products']
  },

  // Expensive operations (search, analytics)
  expensive: {
    windowMs: 60 * 60 * 1000, // 1 hour
    max: 100, // 100 requests per hour
    endpoints: ['/v1/search', '/v1/analytics', '/v1/reports']
  }
};

DDoS Protection:

According to API7.ai's DDoS protection guide, combine API gateway throttling with WAF (Web Application Firewall) for defense in depth.

Tool: Rate Limit Calculator Use our Rate Limit Calculator to model optimal rate limits based on your API's capacity and expected traffic patterns.

Step 6.3: API Gateway Configuration

Example: AWS API Gateway

# serverless.yml (Serverless Framework)
service: order-api

provider:
  name: aws
  runtime: nodejs18.x
  region: us-west-2

  # API Gateway settings
  apiGateway:
    # Rate limiting
    usagePlan:
      - free:
          quota:
            limit: 10000
            period: MONTH
          throttle:
            rateLimit: 10
            burstLimit: 20
      - paid:
          quota:
            limit: 1000000
            period: MONTH
          throttle:
            rateLimit: 1000
            burstLimit: 2000

    # Request validation
    request:
      schemas:
        create-order-model:
          name: CreateOrderModel
          schema: ${file(schemas/create-order.json)}
          description: Order creation request body

    # CORS
    cors:
      origin: 'https://app.example.com'
      headers:
        - Content-Type
        - Authorization
        - X-Api-Key
      allowCredentials: true

functions:
  createOrder:
    handler: handlers/orders.create
    events:
      - http:
          path: /v1/orders
          method: post
          authorizer:
            name: jwtAuthorizer
            type: token
          request:
            schemas:
              application/json: create-order-model
          throttling:
            rateLimit: 100  # Endpoint-specific limit
            burstLimit: 200

Step 6.4: Blue-Green Deployment

Zero-Downtime Deployment Strategy:

# 1. Deploy new version (green) alongside current (blue)
aws ecs update-service \
  --cluster api-cluster \
  --service api-green \
  --desired-count 3 \
  --task-definition api:v2.0.0

# 2. Health check green deployment
for i in {1..10}; do
  curl -f https://api-green.internal/health || exit 1
  sleep 5
done

# 3. Run smoke tests against green
newman run smoke-tests.postman_collection.json \
  --environment green.postman_environment.json

# 4. Gradually shift traffic (10% → 50% → 100%)
aws elbv2 modify-listener \
  --listener-arn $LISTENER_ARN \
  --default-actions Type=forward,ForwardConfig='{
    "TargetGroups": [
      {"TargetGroupArn": "'$BLUE_TG'", "Weight": 90},
      {"TargetGroupArn": "'$GREEN_TG'", "Weight": 10}
    ]
  }'

# Monitor for 15 minutes, check error rates
sleep 900

# If successful, shift to 100% green
aws elbv2 modify-listener \
  --listener-arn $LISTENER_ARN \
  --default-actions Type=forward,ForwardConfig='{
    "TargetGroups": [
      {"TargetGroupArn": "'$GREEN_TG'", "Weight": 100}
    ]
  }'

# 5. Decommission blue deployment
aws ecs update-service \
  --cluster api-cluster \
  --service api-blue \
  --desired-count 0

Stage 6 Output:

After 1-2 days, you should have:

Production deployment checklist completed
Rate limiting configured (tiered, endpoint-specific)
API gateway configured (throttling, CORS, validation)
Blue-green deployment successful
Zero downtime during deployment
Rollback plan documented

Time Investment: 1-2 days Next Step: Proceed to Stage 7 for production monitoring and continuous testing.

Stage 7: Production Monitoring & Continuous Testing (Ongoing)

APIs in production require continuous monitoring, security testing, and performance optimization. According to Postman's API monitoring guide, continuous monitoring tracks uptime, latency, and anomalies with real-time alerts.

Step 7.1: Uptime & Availability Monitoring

Synthetic Monitoring (Scheduled Tests):

// Postman Monitor: Every 5 minutes
pm.test('API health check', () => {
  const response = pm.response;
  pm.expect(response.code).to.equal(200);
  pm.expect(response.responseTime).to.be.below(500);

  const health = response.json();
  pm.expect(health.status).to.equal('healthy');
  pm.expect(health.database).to.equal('connected');
  pm.expect(health.cache).to.equal('connected');
});

pm.test('Authentication endpoint available', () => {
  pm.sendRequest({
    url: 'https://api.example.com/auth/login',
    method: 'POST',
    body: {
      mode: 'raw',
      raw: JSON.stringify({
        username: '[email protected]',
        password: pm.environment.get('monitor_password')
      })
    }
  }, (err, res) => {
    pm.expect(res.code).to.equal(200);
    pm.expect(res.json()).to.have.property('access_token');
  });
});

Key Metrics:

Metric	Target	Alert Threshold
Uptime	99.9% (43.2 min downtime/month)	< 99.5%
Response Time (p95)	< 500ms	> 1000ms
Error Rate	< 0.1%	> 1%
Availability	99.99%	< 99.9%

Step 7.2: Application Performance Monitoring (APM)

APM Tools:

Datadog APM - Distributed tracing, anomaly detection
New Relic - Full-stack observability
Elastic APM - Open-source, Elasticsearch-based
AWS X-Ray - Distributed tracing for AWS

Example: Datadog Instrumentation

const tracer = require('dd-trace').init({
  service: 'order-api',
  env: 'production',
  version: '2.0.0',
  analytics: true
});

// Automatic instrumentation for Express, MongoDB, Redis, etc.
const express = require('express');
const app = express();

app.get('/v1/orders/:id', async (req, res) => {
  const span = tracer.scope().active();
  span.setTag('user.id', req.user.sub);
  span.setTag('order.id', req.params.id);

  try {
    const order = await db.orders.findById(req.params.id);
    span.setTag('order.total', order.total);
    res.json(order);
  } catch (error) {
    span.setTag('error', true);
    span.setTag('error.message', error.message);
    throw error;
  }
});

Distributed Tracing:

Request Flow:
API Gateway → Authentication Service → Order Service → Database
  120ms          45ms                    180ms            35ms
                                                   ↓
                                         Payment Service
                                              90ms

Total Latency: 470ms
Bottleneck: Order Service (180ms) - Investigate slow queries

Step 7.3: Security Monitoring & Threat Detection

Security Metrics to Track:

// Track failed authentication attempts
const authFailureMetric = new cloudwatch.Metric({
  namespace: 'API/Security',
  metricName: 'AuthenticationFailures',
  dimensions: {
    endpoint: '/auth/login',
    source: 'api-gateway'
  }
});

// Alert on credential stuffing attack pattern
const alarm = new cloudwatch.Alarm({
  metric: authFailureMetric,
  threshold: 50, // 50 failures in evaluation period
  evaluationPeriods: 1,
  period: 300, // 5 minutes
  statistic: 'Sum',
  alarmActions: [snsTopicArn] // Alert security team
});

Anomaly Detection:

Unusual traffic patterns - Sudden spike in 401/403 errors
Geographic anomalies - Requests from unexpected countries
Velocity checks - Same user accessing 100+ orders/second
BOLA attempts - Sequential ID enumeration (GET /orders/1, /orders/2, /orders/3...)

Tool: IP Risk Checker Use our IP Risk Checker to check IP reputation, geolocation, and threat intelligence.

Step 7.4: Rate Limit Monitoring

Track Rate Limit Metrics:

// Monitor rate limit hit rate
app.use((req, res, next) => {
  res.on('finish', () => {
    if (res.statusCode === 429) {
      metrics.increment('api.rate_limit.exceeded', {
        endpoint: req.path,
        user: req.user?.sub,
        ip: req.ip
      });
    }
  });
  next();
});

// Dashboard metrics:
// - Rate limit hit rate by endpoint
// - Top rate-limited users/IPs
// - Average remaining quota per user tier

Tool: Rate Limit Calculator Use our Rate Limit Calculator to model queue depth and optimize client-side retry logic.

Step 7.5: Log Analysis

Centralized Logging:

# CloudWatch Logs Insights query: Find slow endpoints
fields @timestamp, method, path, duration, statusCode
| filter statusCode = 200
| filter duration > 1000
| stats count() as slowRequests by path
| sort slowRequests desc

# Output:
# path                        slowRequests
# /v1/analytics/reports       1,234
# /v1/search                  891
# /v1/orders/export           456

Tool: JSON Formatter Use our JSON Formatter to parse structured JSON logs.

Tool: Regex Tester Use our Regex Tester to extract log patterns (error messages, request IDs, timestamps).

Step 7.6: Continuous Security Testing

Scheduled Security Scans:

# GitHub Actions: Weekly security scan
name: Weekly Security Scan
on:
  schedule:
    - cron: '0 2 * * 1' # Every Monday at 2 AM

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: OWASP ZAP Scan
        uses: zaproxy/[email protected]
        with:
          target: 'https://api.example.com/openapi.json'
          format: 'openapi'
          fail_action: true

      - name: Dependency Check
        run: |
          npm audit --audit-level=high

      - name: Secret Scanning
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./

      - name: Alert on Failures
        if: failure()
        uses: 8398a7/action-slack@v3
        with:
          status: ${{ job.status }}
          text: 'Security scan failed! Review results.'

Step 7.7: Incident Response Runbook

API Incident Playbook:

Tool: Incident Response Playbook Generator Use our Incident Response Playbook Generator to create customized IR playbooks for API security incidents.

## Incident: API Authentication Bypass Detected

### Detection
- Alert: 200 successful logins from IP 203.0.113.50 in 5 minutes
- Anomaly: Logins for 50 different user accounts
- Pattern: Credential stuffing attack

### Immediate Actions (0-15 minutes)
1. ☐ Block attacking IP at WAF
   ```bash
   aws wafv2 update-ip-set --scope REGIONAL --id $IP_SET_ID \
     --addresses 203.0.113.50/32

☐ Invalidate potentially compromised tokens

redis-cli KEYS "session:*" | grep -f compromised-users.txt | xargs redis-cli DEL

☐ Enable MFA requirement for affected accounts
☐ Notify security team via Slack/PagerDuty

Investigation (15-60 minutes)

☐ Review auth logs for compromised accounts

aws logs filter-log-events \
  --log-group-name /aws/api/auth \
  --filter-pattern "{ $.ip = \"203.0.113.50\" }"

☐ Check for data exfiltration attempts
☐ Identify credential source (leaked database?)
☐ Document incident timeline

Remediation (1-24 hours)

☐ Force password reset for compromised accounts
☐ Strengthen rate limiting on /auth/login (reduce to 3/hour)
☐ Implement CAPTCHA after 2 failed attempts
☐ Enable IP reputation checking

Post-Incident (24-72 hours)

☐ Conduct post-mortem meeting
☐ Update incident response playbook
☐ Implement improvements (MFA enforcement, breach detection)
☐ Share lessons learned with team


---

**Stage 7 Output (Ongoing):**

With continuous monitoring in place, you should have:

- Uptime monitoring (99.9%+ availability)
- APM with distributed tracing
- Security monitoring and anomaly detection
- Rate limit metrics and dashboards
- Centralized logging with analysis
- Continuous security scanning (weekly)
- Incident response playbook

**Time Investment:** Ongoing (15-30 minutes/day for monitoring)

---

## Conclusion

This comprehensive API development and security testing workflow provides a **systematic, security-first approach** to building production-ready APIs. By following these seven stages, you can:

- **Design secure APIs** with proper authentication and authorization (Stages 1-2)
- **Develop resilient endpoints** with validation and rate limiting (Stage 3)
- **Test thoroughly** for vulnerabilities and performance (Stages 4-5)
- **Deploy confidently** with zero downtime and proper controls (Stage 6)
- **Monitor continuously** with real-time alerts and incident response (Stage 7)

### Key Takeaways

1. **Shift Left Security:** Integrate security from design phase, not as an afterthought
2. **Zero-Trust Architecture:** Never trust, always verify—every request, every user, every object
3. **Defense in Depth:** Layer security controls (authentication + authorization + rate limiting + validation)
4. **OWASP API Top 10 Alignment:** Address all 10 risks systematically
5. **Continuous Testing:** Security and performance testing don't stop at deployment

### OWASP API Security Top 10 2023 Coverage Summary

| Risk | Mitigation Strategies Covered |
|------|------------------------------|
| **API1:2023 - BOLA** | Object ownership validation (Stage 2.3) |
| **API2:2023 - Broken Authentication** | OAuth 2.0 + JWT + MFA (Stage 2.1-2.5) |
| **API3:2023 - Broken Object Property Level Authorization** | Input validation, mass assignment prevention (Stage 3.1) |
| **API4:2023 - Unrestricted Resource Consumption** | Rate limiting, pagination limits (Stages 3.2, 6.2) |
| **API5:2023 - Broken Function Level Authorization** | RBAC with permission checks (Stage 2.3) |
| **API6:2023 - Unrestricted Access to Sensitive Business Flows** | Workflow validation, anti-automation (Stage 4.4) |
| **API7:2023 - SSRF** | URL allowlisting, network segmentation (Stage 4.3) |
| **API8:2023 - Security Misconfiguration** | Security hardening checklist (Stage 6.1) |
| **API9:2023 - Improper Inventory Management** | OpenAPI spec, API documentation (Stages 1.4, 6.1) |
| **API10:2023 - Unsafe Consumption of APIs** | Input validation, third-party API validation (Stage 3.1) |

### Next Steps in Your API Security Journey

**For Beginners:**
- Start with the OWASP API Security Top 10 documentation
- Practice with Postman collections for common API patterns
- Join API security communities (OWASP, Reddit r/appsec)
- Complete hands-on labs (TryHackMe, HackTheBox API challenges)

**For Intermediate Developers:**
- Implement OAuth 2.0 + PKCE in your projects
- Learn API gateway patterns (Kong, Tyk, AWS API Gateway)
- Practice threat modeling for your APIs
- Contribute to open-source API security tools

**For Advanced Engineers:**
- Specialize in API security testing (ZAP, Burp Suite Professional)
- Develop custom security middleware and validation libraries
- Implement zero-trust architecture for microservices
- Mentor junior developers on API security best practices

### Continuous Improvement

APIs evolve, and so do threats. Stay current with:
- **API versioning** - Maintain backward compatibility while improving security
- **Deprecation strategies** - Gracefully sunset insecure endpoints
- **GraphQL security** - Extend these principles to GraphQL APIs
- **gRPC security** - Adapt for high-performance RPC protocols
- **API gateways** - Centralize security controls and observability

### Resources for Continued Learning

**Industry Standards:**
- [OWASP API Security Top 10 2023](https://owasp.org/API-Security/)
- [OWASP API Security Project](https://owasp.org/www-project-api-security/)
- [REST API Authentication Best Practices (Knowi)](https://www.knowi.com/blog/4-ways-of-rest-api-authentication-methods/)

**Security Testing:**
- [API Security Testing Tools 2025 (Pynt)](https://www.pynt.io/learning-hub/api-security-testing-guides/api-security-testing-tools)
- [API Security Best Practices (Invicti)](https://www.invicti.com/blog/web-security/api-security-best-practices/)
- [API Security Testing Checklist (APIDynamics)](https://www.apidynamics.com/blogs/api-security-testing-checklist)

**API Development:**
- [Postman API-First Workflow](https://blog.postman.com/the-reimagined-api-first-workflow-for-developers/)
- [API Testing Guide (Postman)](https://www.postman.com/api-platform/api-testing/)
- [Continuous API Testing (BlazeMeter)](https://www.blazemeter.com/blog/continuous-api-testing)

**Rate Limiting & DDoS Protection:**
- [Rate Limiting Best Practices (Cloudflare)](https://developers.cloudflare.com/waf/rate-limiting-rules/best-practices/)
- [Rate Limiting Strategies (API7.ai)](https://api7.ai/learning-center/api-101/rate-limiting-and-throttling)
- [API Gateway Throttling vs WAF (Zuplo)](https://zuplo.com/learning-center/api-gateway-throttling-vs-waf-ddos-protection)

**Authentication & Authorization:**
- [OAuth 2.0 Security Best Practices (AestheteSoft)](https://www.aesthetesoft.dev/blog/modern-authentication-oauth-security)
- [JWT Best Practices (Curity)](https://curity.io/resources/learn/jwt-best-practices/)
- [API Security Best Practices 2025 (Zuplo)](https://zuplo.com/blog/2025/01/31/api-security-best-practices)

**Tools Referenced in This Guide:**
- [HTTP Request Builder](/tools/http-request-builder) - Interactive API request testing
- [OAuth/OIDC Debugger](/tools/oauth-oidc-debugger) - OAuth flow testing and JWT validation
- [JWT Decoder](/tools/jwt-decoder) - Decode and analyze JSON Web Tokens
- [JSON Validator](/tools/json-validator) - Validate JSON schemas and payloads
- [Rate Limit Calculator](/tools/rate-limit-calculator) - Model API throttling budgets
- [Hash Generator](/tools/hash-generator) - Generate cryptographic hashes
- [Base64 Encoder/Decoder](/tools/base64-encoder-decoder) - Encode/decode Base64 and other formats
- [JSON Formatter](/tools/json-formatter) - Format and analyze JSON logs
- [Regex Tester](/tools/regex-tester) - Extract log patterns
- [HTML Entity Encoder](/tools/html-encoder) - Test XSS prevention
- [Security Headers Analyzer](/tools/security-headers-analyzer) - Test HTTP security headers
- [SSL Checker](/tools/ssl-checker) - Verify SSL/TLS configuration
- [X.509 Certificate Decoder](/tools/x509-decoder) - Analyze SSL certificates
- [Certificate CSR Generator](/tools/certificate-csr-generator) - Generate CSRs and convert formats
- [CSP Policy Generator](/tools/csp-generator) - Generate Content Security Policy headers
- [Webhook Tester & Inspector](/tools/webhook-tester-inspector) - Test webhook integrations
- [Webhook Payload Generator](/tools/webhook-payload-generator) - Generate webhook payloads with signatures
- [Network Latency Calculator](/tools/network-latency-calculator) - Calculate network latency
- [TCP Window Size Calculator](/tools/tcp-window-size-calculator) - Optimize TCP performance
- [IP Risk Checker](/tools/ip-risk-checker) - Check IP reputation and threat intelligence
- [Incident Response Playbook Generator](/tools/incident-response-playbook-generator) - Create customized IR playbooks

---

## About This Guide

This comprehensive workflow guide is based on industry best practices from leading security organizations including OWASP, Cloudflare, Postman, and Salt Security. The workflow aligns with the **OWASP API Security Top 10 2023** and incorporates 2025 security trends including zero-trust architecture, OAuth 2.0 with PKCE, and AI-powered threat detection.

All tools referenced are **free, open-access utilities** designed with privacy-first, client-side processing—no data leaves your browser. InventiveHQ provides these educational tools to help developers, security engineers, and API teams build secure, performant APIs.

Whether you're building your first REST API or architecting a microservices platform, this workflow provides the foundation for security-first API development.

---

### Sources & Further Reading

- [OWASP API Security Top 10](https://owasp.org/API-Security/)
- [OWASP API Security Project](https://owasp.org/www-project-api-security/)
- [API Security Testing Tools 2025](https://www.pynt.io/learning-hub/api-security-testing-guides/api-security-testing-tools)
- [Top 10 API Security Tools in 2025](https://www.jit.io/resources/appsec-tools/top-10-api-security-tools)
- [API Security Best Practices](https://www.invicti.com/blog/web-security/api-security-best-practices/)
- [REST API Authentication Guide 2025](https://www.knowi.com/blog/4-ways-of-rest-api-authentication-methods/)
- [Modern Authentication: OAuth 2.0 and JWT Best Practices](https://www.aesthetesoft.dev/blog/modern-authentication-oauth-security)
- [JWT Security Best Practices](https://curity.io/resources/learn/jwt-best-practices/)
- [Rate Limiting Best Practices](https://developers.cloudflare.com/waf/rate-limiting-rules/best-practices/)
- [Rate Limiting and Throttling](https://api7.ai/learning-center/api-101/rate-limiting-and-throttling)
- [API Gateway Throttling vs WAF DDoS Protection](https://zuplo.com/learning-center/api-gateway-throttling-vs-waf-ddos-protection)
- [The Reimagined API-First Workflow](https://blog.postman.com/the-reimagined-api-first-workflow-for-developers/)
- [API Testing Guide](https://www.postman.com/api-platform/api-testing/)
- [Continuous API Testing](https://www.blazemeter.com/blog/continuous-api-testing)
- [API Security Testing: Risks, Tools, and Best Practices](https://www.pynt.io/learning-hub/api-security-testing-guides/api-security-testing)
- [8 Essential API Security Best Practices](https://zuplo.com/blog/2025/01/31/api-security-best-practices)