Security

API Security Best Practices: Protecting Your Endpoints in 2025.

Rate limiting, authentication, input validation, and proper error handling — a complete checklist for securing REST and GraphQL APIs against modern threats.

11 min read · Jan 2025 · Ababil.sec

APIs are the backbone of modern web applications — and the primary target of automated attacks. A poorly secured API can expose your entire user database, bypass business logic, and facilitate account takeovers at scale.

Authentication and Authorization

Every API endpoint should require authentication unless it is explicitly designed to be public. Use industry-standard mechanisms: OAuth 2.0 with PKCE for user-delegated access, API keys for server-to-server communication, and JWTs with short expiry for stateless session management. Whatever carries the identity, verify it on every request: check the signature against a key you control, pin the expected algorithm on the server rather than trusting the token's alg header, and enforce expiry. Stateless tokens cannot be revoked, which is the main reason to keep their lifetime short.

Implement authorization at the data layer, not just the route layer. A user who is authenticated as themselves should never be able to read or modify another user's data by changing an ID in the request; OWASP calls this Broken Object Level Authorization, and it tops the OWASP API Security Top 10. Scope every query by the caller's identity (owner, tenant, role) so that the lookup itself cannot return someone else's record, and return the same 404 for "not yours" as for "does not exist".

Rate Limiting

Without rate limiting, your API is open to brute force, credential stuffing, enumeration, and plain resource abuse. Limit at multiple levels: per IP, per authenticated user, and per endpoint, with the tightest budgets on login, password reset, and any other endpoint attackers automate. Prefer sliding-window algorithms over fixed windows: a fixed one-minute window lets a client spend two full budgets back to back across the window boundary. Answer rejected requests with 429 and a Retry-After header. Tools like Upstash Redis make rate limiting trivial to implement in Next.js API routes, and a shared store is what makes the limit hold across several instances of the app.
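An added example of the multi-level sliding-window limiter described above (not code from the original post). The limits, paths and client addresses are constructed; the timestamp log is kept in memory here, whereas in production it would live in Redis so that all instances share one view, but the decision logic is the same.

```javascript
// Added example, not code from the original post: a sliding-window log
// limiter applied per IP, per user and per endpoint. Limits and sample
// requests are constructed; the store is in-memory for the sake of the example.
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of requests inside the window
  }

  // Records the hit if allowed. Returns { allowed, remaining, retryAfterMs }.
  // "now" is injectable so the window can be driven deterministically.
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const log = (this.hits.get(key) ?? []).filter((t) => t > cutoff); // drop expired hits
    if (log.length >= this.limit) {
      this.hits.set(key, log);
      // The oldest hit still in the window is the one that expires next.
      return { allowed: false, remaining: 0, retryAfterMs: log[0] + this.windowMs - now };
    }
    log.push(now);
    this.hits.set(key, log);
    return { allowed: true, remaining: this.limit - log.length, retryAfterMs: 0 };
  }
}

// Constructed budgets: the strictest applies to login, where credential stuffing lands.
const perIp = new SlidingWindowLimiter(100, 60_000);
const perUser = new SlidingWindowLimiter(60, 60_000);
const perEndpoint = { '/api/login': new SlidingWindowLimiter(5, 60_000) };

// Runs every applicable limiter; the first one that refuses decides the answer.
// req is a minimal { ip, userId?, path } object standing in for the framework request.
function rateLimit(req, now = Date.now()) {
  const checks = [
    perIp.check(`ip:${req.ip}`, now),
    req.userId ? perUser.check(`user:${req.userId}`, now) : null,
    perEndpoint[req.path]?.check(`${req.path}:${req.ip}`, now) ?? null,
  ].filter(Boolean);
  const blocked = checks.find((c) => !c.allowed);
  if (blocked) {
    return { status: 429, headers: { 'Retry-After': String(Math.ceil(blocked.retryAfterMs / 1000)) } };
  }
  return { status: 200, headers: {} };
}
```

Keying the login limiter by path and IP means one attacker cannot lock every user out by burning a per-user budget, while the per-user limiter still catches a single compromised account spraying requests from many addresses.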

Input Validation

Validate every field of every request on the server side. Define a schema for the expected input with Zod or Joi and reject anything that does not conform: wrong types, missing fields, and lengths, formats, or ranges outside what the endpoint needs. Reject unknown fields rather than silently stripping them, and work with the parsed output of the schema afterwards, never with the raw request body. Client-side validation is a usability feature, not a security control, because the client is entirely under the attacker's control.

import { z } from 'zod';

// .strict() rejects unknown keys; z.object() silently strips them by default.
const schema = z.object({
  name: z.string().min(1).max(100),
  email: z.string().email(),
  budget: z.string().optional(),
  message: z.string().min(10).max(5000),
}).strict();

// Next.js API route handler (pages/api/contact.js).
export default function handler(req, res) {
  if (req.method !== 'POST') {
    return res.status(405).json({ error: 'Method not allowed' });
  }
  // safeParse never throws; on failure it returns the error instead.
  const result = schema.safeParse(req.body);
  if (!result.success) {
    // flatten() gives per-field messages without exposing schema internals.
    return res.status(400).json({ error: result.error.flatten().fieldErrors });
  }
  // From here on use result.data, which contains only the declared fields,
  // never req.body.
  const { name, email, budget, message } = result.data;
  return res.status(200).json({ ok: true });
}

Error Handling

API error messages should help legitimate developers without informing attackers. Never expose stack traces, database error messages, or internal paths in API responses. In production return a generic message together with a request ID, log the full detail server-side under that same ID so a developer's report can be matched to it, and keep the distinction between errors the client caused (400, 401, 404) and errors it did not (500): the former may carry a specific, safe message chosen by you, the latter should say nothing about the cause.

CORS Configuration

Configure CORS to allow only your known origins: compare the Origin header against an exact allowlist and echo the matching value back, rather than reflecting whatever was sent or matching by prefix or substring. Avoid the wildcard Access-Control-Allow-Origin: * for authenticated endpoints; browsers refuse to send credentials to a wildcard origin anyway, and the common workaround of reflecting the request origin is strictly worse than the wildcard. Be explicit about which methods and headers are allowed, and send Vary: Origin so caches do not serve one origin's answer to another.

Security Headers for APIs

Set Content-Type: application/json consistently, including on error responses. Add X-Content-Type-Options: nosniff so a browser never reinterprets a JSON body that reflects user input as HTML. Disable caching for authenticated endpoints with Cache-Control: no-store so neither shared caches nor the browser hold on to another user's data.
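The CORS allowlist from the previous section and the headers above, combined in one added example (not code from the original post). The origin allowlist, the allowed methods and headers, and the request objects are constructed; the function returns a plain header map so it can be dropped into any framework's response.

```javascript
// Added example, not code from the original post: response headers for an
// authenticated JSON API: exact-match CORS allowlist plus Content-Type,
// nosniff and no-store. ALLOWED_ORIGINS and the other constants are constructed.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);
const ALLOWED_METHODS = 'GET, POST, PUT, DELETE, OPTIONS';
const ALLOWED_HEADERS = 'Authorization, Content-Type';

// Builds the headers for a response. req is a minimal { headers } object.
function apiHeaders(req, { authenticated = true } = {}) {
  const headers = {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    // Vary on Origin so a cache never replays one origin's CORS answer to another.
    Vary: 'Origin',
  };
  if (authenticated) {
    headers['Cache-Control'] = 'no-store';
  }

  const origin = req.headers.origin;
  // Exact set membership: "https://app.example.com.evil.example" does not match,
  // and an unknown origin simply gets no Access-Control-Allow-Origin at all.
  // Never "*" here, because this API accepts credentials.
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Preflight (OPTIONS) response: CORS headers, no body. An unknown origin gets
// 204 without Access-Control-Allow-Origin, which the browser treats as a refusal.
function handlePreflight(req) {
  const headers = apiHeaders(req);
  delete headers['Content-Type'];
  delete headers['Cache-Control'];
  return { status: 204, headers };
}
```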

GraphQL-Specific Considerations

GraphQL introduces its own risks: introspection that hands an attacker the full schema, deeply nested or heavily aliased queries that cause denial of service, and overly permissive resolvers. Disable introspection in production (Apollo Server exposes this as the introspection option), limit query depth and ideally query cost as well, since aliases let a single query fan out in width without adding depth, and apply authorization checks in every resolver, not just at the top level: a nested field is reachable from any query that can traverse to it, whatever the root resolver checked.
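An added example of a query depth limit (not code from the original post). It measures how deeply selection sets nest in the raw query text, skipping braces inside string literals and comments, and rejects the query before any resolver runs. Real deployments usually implement this as a validation rule over the parsed AST; the brace walk here shows the idea without a GraphQL parser dependency. MAX_DEPTH and the sample queries are constructed, and the root selection set counts as depth 1.

```javascript
// Added example, not code from the original post: a pre-parse depth check for
// GraphQL queries. Counts nesting of selection sets while ignoring braces in
// strings and comments. MAX_DEPTH is a constructed value.
const MAX_DEPTH = 5;

// Returns the maximum selection-set nesting depth of a query string.
// Caveat: object literals in argument defaults also use braces and would be
// counted; an AST-based rule does not have this limitation.
function queryDepth(query) {
  let depth = 0;
  let max = 0;
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                      // comment: skip to end of line
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (query.startsWith('"""', i)) {      // block string: skip to closing """
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
      continue;
    }
    if (ch === '"') {                      // ordinary string, honouring backslash escapes
      i++;
      while (i < query.length && query[i] !== '"') i += query[i] === '\\' ? 2 : 1;
      i++;
      continue;
    }
    if (ch === '{') {
      depth++;
      if (depth > max) max = depth;
    } else if (ch === '}') {
      depth--;
    }
    i++;
  }
  return max;
}

// Gate to run before handing the query to the executor.
function checkDepth(query, maxDepth = MAX_DEPTH) {
  const depth = queryDepth(query);
  if (depth > maxDepth) {
    return { ok: false, depth, error: `query depth ${depth} exceeds limit ${maxDepth}` };
  }
  return { ok: true, depth };
}
```

Depth alone is not enough against `{ a1: expensiveField a2: expensiveField ... }`, which stays at depth 2 while multiplying work; that is what cost analysis adds on top of this check.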

Conclusion

API security is not a single feature — it is a combination of authentication, authorization, validation, and monitoring working together. Audit your APIs against this checklist, add automated security scanning to your CI pipeline, and conduct regular manual testing against your most sensitive endpoints.
