API Security Checklist: Best Practices, Testing, and NIST

APIs are susceptible to vulnerability exploits, abuse from automated threats, denial of service, misconfiguration, and attacks that bypass authentication and authorization controls. Robust API security measures are essential as APIs expose critical business logic and sensitive information, and must protect user data, authentication credentials, and financial transactions from unauthorized access, manipulation, or exposure, as well as ensure API integrity and availability.

This blog post provides a quick overview of major security threats to APIs, plus a checklist that describes key API security strategies and best practices to protect APIs across multicloud environments, including access controls, input validation and output management, API testing, and monitoring. The post also recommends the top API security standards to follow and suggests API security tools to protect your valuable APIs.

Access control is the structured process of determining and enforcing which users are granted privileges to access specific resources. This process includes both authentication and authorization. Authentication is the process of verifying a user's identity, while authorization determines the level of access that the authenticated user is permitted to have.

Following are key suggestions for an access control checklist to improve API security:

• Don’t use basic authentication for access control. Basic authentication usually consists of simple username and password credentials, which can be easily compromised by a dedicated attacker. Instead, use stronger access control methods such as OAuth or JSON Web Tokens (JWTs).
• Follow API token best practices. API tokens are often used for granting access to API endpoints and services, and mishandling them can expose sensitive systems to unauthorized access or abuse. Limit token scope and permissions, always set expiration dates for access tokens, and store and transmit tokens securely.
• Check for broken authentication and authorization. Identify and fix common security weaknesses related to how users are authenticated and what they’re allowed to access. These threats include broken authentication, which results when attackers are able to impersonate legitimate users by compromising passwords, keys, session tokens, or user account information. Broken object property level authorization (BOLA) occurs when an application fails to properly enforce access controls at the object or data level, allowing an attacker to manipulate or bypass authorization checks and gain unauthorized access to specific objects or data within an application. Broken function level authorization results when an API fails to properly enforce authorization checks at the function or operation level, allowing attackers to access unauthorized functionality or manipulate legitimate functions.
• Secure identity stores. Protect the systems that store sensitive identity-related data, such as API keys, authentication logs, and user credentials. This involves encrypting data at rest, restricting access, and using strong access controls. By securing identity stores, organizations reduce the risk of attackers gaining unauthorized access to critical authentication and authorization information.
• Use an API gateway. Manage access control for all APIs in a single, centralized place. This makes it easier to enforce consistent policies, such as authentication, rate limits, and authorization rules. By applying these controls through the gateway, organizations reduce the risk of misconfigurations and ensure uniform protection across all APIs.
• Use encryption on all sensitive data. Encryption protects data that flows through APIs from unauthorized access, both in transit and at rest. Even if attackers intercept network traffic or gain access to storage systems, encrypted data remains unreadable without the proper decryption keys. This helps ensure data confidentiality and integrity, and can help maintain regulatory compliance.
• Implement rate limiting. Controlling how often a client can make API requests within a given time frame helps prevent distributed denial-of-service attacks (DDoS), by preventing attackers from overwhelming an API with traffic, and credential stuffing attacks, by slowing down or blocking repeated login attempts.

API security testing should be continuous—not just performed at initial deployment—because APIs are dynamic and often undergo updates or receive new features. In addition, the threat landscape also evolves, with attackers constantly developing new techniques.

Following are key suggestions for an API security testing checklist:

• Perform functional testing. Ensure that the core functions of the API work as intended and remain stable after new features are introduced or patches are applied.
• Test for performance. Load test the API to understand its performance limits and determine how long it will take for the API to recover after an incident.
• Perform vulnerability scanning and penetration testing. Use an automated API scanner to test the source code and look for runtime errors, and employ periodic penetration testing to identify API vulnerabilities to more sophisticated, new, or novel attacks.

API monitoring is critical because it helps detect threats in real time and builds a baseline of “normal” activity, which is necessary for identifying anomalies. Continuous monitoring allows security teams to quickly spot unusual patterns, such as spikes in traffic, repeated failed logins, or abnormal usage of endpoints—often signs of attacks.

An API monitoring checklist should include the following:

• Use an API discovery tool to continuously monitor for and document new APIs. You can’t secure what you don’t know exists. Developers may deploy or test APIs without formal approval, creating untracked or undocumented endpoints (“shadow APIs”) that can be overlooked by security teams and become easy targets for attackers. Continuous discovery ensures that every exposed API is inventoried, assessed, secured, and governed properly.
• Keep a centralized catalog of all APIs. Maintaining a single, organized view of the entire API ecosystem simplifies API monitoring with improved visibility, streamlined management, and faster incident response.
• Log and analyze API traffic. Identify unexpected request volume spikes, which may indicate a DDoS attack, and monitor requests from unexpected geographic regions not typical for legitimate users, which can signal unauthorized access attempts. A spike in failed requests can indicate credential stuffing activity or misconfigured clients repeatedly hitting the API with invalid input.

The Open Worldwide Application Security Project (OWASP) and the National Institute of Standards and Technology (NIST) both publish best practices for cybersecurity.

• OWASP focuses specifically on application security and publishes lists of most common risks for web applications and large language models. The OWASP Top 10 API Security Risks is an actionable guide for secure API design and security testing.
• NIST focuses broadly on cybersecurity and publishes the NIST Cybersecurity Framework (CSF). The NIST CSF is useful for aligning your API security with broader strategies, organized around six pillars: identify, protect, detect, respond, recover, and govern.

Because of the move to API-first application design and the proliferation of APIs, a comprehensive web application and API protection (WAAP) solution is the strongest defense for API estates. A WAAP provides holistic security and integrates into a single solution a web application firewall (WAF), API discovery and protection services, DDoS mitigation, and bot management.

Key benefits of WAAP include:

• Enhanced observability. Comprehensive visibility into web application and API traffic via logging, metrics, and real-time analytics empowers security teams to identify anomalies, troubleshoot issues more quickly, and extract actionable insights into user activity and emerging threat patterns.
• Integrated, comprehensive protection. WAAP combines robust API discovery and visibility with critical enforcement capabilities to control and block API threats, including specific controls to allow/deny lists, rate limit, geo-IP filter, plus custom rule generation. On top of this, WAAP includes layer 7 DoS, data loss prevention (DLP) functionality to detect and mask sensitive data, bot management, and WAF—all within a single solution. This holistic approach ensures APIs are both visible and secured, enabling proper governance and reliable API performance.
• Centralized policy management. WAAP manages security policies for all web applications and APIs from a single control point—regardless of where the apps are hosted or what their underlying architecture looks like. This centralized approach ensures consistent enforcement, minimizes configuration errors, and simplifies security operations across diverse environments.
• Streamlined policy management and maintenance. By automating and optimizing policy implementation and updates across applications and APIs, WAAP solutions make applying, refining, and adapting policies to counter evolving threats and application behavior easier across all apps and APIs as appropriate. This reduces manual effort, accelerates responses to emerging exploits, and ensures unified enforcement across systems.
• Clear audit trails. Detailed logs and audit trails of access, policy changes, and security events are essential for demonstrating compliance with regulatory and industry standards across all threat vectors and components of an applications, including APIs, infrastructure, and data.

F5 offers API security as part of its Web Application and API Protection (WAAP) solutions, which secure APIs across complex hybrid and multicloud fabric environments, reducing complexity while improving operational efficiencies. F5’s WAAP solutions deliver a comprehensive approach to protecting APIs throughout their full lifecycle, from the build and test phases through their release, operations, and monitoring.

F5’s WAAP solutions mitigate risks and improve digital resiliency by continuously defending critical business logic that supports web apps and APIs. They offer universal API visibility by dynamically discovering, continuously monitoring, and detecting threats, while safeguarding API endpoints with critical control and enforcement mechanisms. F5’s WAAP solutions can be deployed in any environment, including on-premises, in the cloud, or as-a-service.