BLOG

API Security Checklist: Best Practices, Testing, and NIST

F5 Newsroom Staff Thumbnail
F5 Newsroom Staff
Published July 07, 2025

APIs, or application programming interfaces, are a set of protocols, routines, and tools that allow different applications, software systems, or components to communicate with each other. APIs play an increasingly vital role in modern digital infrastructures because they serve as the connective fabric that links applications, services, systems, and data across distributed platforms.

APIs are so foundational to today’s digital environments that organizations are increasingly taking an API-first approach, where the design of applications starts with the API. This is in contrast to a traditional “code-first” approach, where monolithic code takes priority and API design comes only later, if at all.

There’s no question that APIs are proliferating. The average organization now manages over 400 APIs within their digital infrastructure, while 68% of organizations use APIs to manage app delivery and security. Most organizations also realize the API sprawl represents a risk: 58% of organizations consider API sprawl a significant pain point. That’s because the ubiquity of APIs expands an organization’s attack surface and introduces unforeseen threats due to their interdependencies across multicloud architectures.

APIs are susceptible to vulnerability exploits, abuse from automated threats, denial of service, misconfiguration, and attacks that bypass authentication and authorization controls. Robust API security measures are essential as APIs expose critical business logic and sensitive information, and must protect user data, authentication credentials, and financial transactions from unauthorized access, manipulation, or exposure, as well as ensure API integrity and availability.

This blog post provides a quick overview of major security threats to APIs, plus a checklist that describes key API security strategies and best practices to protect APIs across multicloud environments, including access controls, input validation and output management, API testing, and monitoring. The post also recommends the top API security standards to follow and suggests API security tools to protect your valuable APIs.

1. Access control, authentication, and authorization

Access control is the structured process of determining and enforcing which users are granted privileges to access specific resources. This process includes both authentication and authorization. Authentication is the process of verifying a user's identity, while authorization determines the level of access that the authenticated user is permitted to have.

Following are key suggestions for an access control checklist to improve API security:

  • Don’t use basic authentication for access control. Basic authentication usually consists of simple username and password credentials, which can be easily compromised by a dedicated attacker. Instead, use stronger access control methods such as OAuth or JSON Web Tokens (JWTs).
  • Follow API token best practices. API tokens are often used for granting access to API endpoints and services, and mishandling them can expose sensitive systems to unauthorized access or abuse. Limit token scope and permissions, always set expiration dates for access tokens, and store and transmit tokens securely.
  • Check for broken authentication and authorization. Identify and fix common security weaknesses related to how users are authenticated and what they’re allowed to access. These threats include broken authentication, which results when attackers are able to impersonate legitimate users by compromising passwords, keys, session tokens, or user account information. Broken object property level authorization (BOLA) occurs when an application fails to properly enforce access controls at the object or data level, allowing an attacker to manipulate or bypass authorization checks and gain unauthorized access to specific objects or data within an application. Broken function level authorization results when an API fails to properly enforce authorization checks at the function or operation level, allowing attackers to access unauthorized functionality or manipulate legitimate functions.
  • Secure identity stores. Protect the systems that store sensitive identity-related data, such as API keys, authentication logs, and user credentials. This involves encrypting data at rest, restricting access, and using strong access controls. By securing identity stores, organizations reduce the risk of attackers gaining unauthorized access to critical authentication and authorization information.
  • Use an API gateway. Manage access control for all APIs in a single, centralized place. This makes it easier to enforce consistent policies, such as authentication, rate limits, and authorization rules. By applying these controls through the gateway, organizations reduce the risk of misconfigurations and ensure uniform protection across all APIs.
  • Use encryption on all sensitive data. Encryption protects data that flows through APIs from unauthorized access, both in transit and at rest. Even if attackers intercept network traffic or gain access to storage systems, encrypted data remains unreadable without the proper decryption keys. This helps ensure data confidentiality and integrity, and can help maintain regulatory compliance.
  • Implement rate limiting. Controlling how often a client can make API requests within a given time frame helps prevent distributed denial-of-service attacks (DDoS), by preventing attackers from overwhelming an API with traffic, and credential stuffing attacks, by slowing down or blocking repeated login attempts.

2. Input and output

API input validation prevents hackers from submitting malicious API requests, while output management protects against data loss by ensuring that the API doesn’t leak sensitive data.

Following are key suggestions for an input and output checklist for improved API security:

  • Validate user input for the Content-Type header and data format. The Content-Type header tells the API what kind of data is being sent, and validating this ensures the API only processes expected and supported formats. Checking data format ensures the structure of the payload matches what the API expects or is intended. These validations can prevent injection attacks by rejecting unexpected or malformed input.
  • Enforce the proper HTTP method for each type of API request. Strict method enforcement ensures the API behaves predictably and protects against misuse or privilege escalation. For instance, GET should only retrieve data, not change it, POST is used for create requests, PUT/PATCH should be used for replace/update requests, and DELETE for delete requests. If these HTTP methods aren’t strictly enforced, malicious users might exploit the API by using an unauthorized method—such as sending a POST or PUT to a GET endpoint—to modify data they should only be able to view.
  • Test for malicious and misconfigured inputs. Testing for injection vulnerabilities and misconfigurations involves actively checking the API to ensure it properly handles and sanitizes user inputs to prevent attacks. SQL injections occur when an attacker submits crafted input that manipulates the database query, potentially exposing, altering, or deleting data, while misconfigured input settings can allow attackers to bypass controls or access sensitive data.
  • Ensure APIs never return sensitive data. Configure the API to avoid exposing confidential or security-critical information in its responses. Credentials and passwords should never appear in API responses, even in error messages, as they could be intercepted or misused. Access tokens, refresh tokens, or session IDs should be protected and only returned in controlled, secure contexts. Fingerprinting headers can reveal information about the server or application stack, which could help attackers craft targeted exploits.
  • Ensure APIs return a proper status code upon request completion. The API should accurately communicate the outcome of a request using standard status codes, which helps ensure clarity, consistency, and secure behavior. These status codes include 200 OK, 400 Bad Request, 401 Unauthorized, and 405 Method Not Allowed, etc.
  • Ensure APIs return generic error messages. Detailed error messages can reveal internal workings of the API, such as database structure, server configuration, or authentication logic. Attackers can use this information to craft targeted exploits, like SQL injection, privilege escalation, or credential brute-forcing.

3. API security testing

API security testing should be continuous—not just performed at initial deployment—because APIs are dynamic and often undergo updates or receive new features. In addition, the threat landscape also evolves, with attackers constantly developing new techniques.

Following are key suggestions for an API security testing checklist:

  • Perform functional testing. Ensure that the core functions of the API work as intended and remain stable after new features are introduced or patches are applied.
  • Test for performance. Load test the API to understand its performance limits and determine how long it will take for the API to recover after an incident.
  • Perform vulnerability scanning and penetration testing. Use an automated API scanner to test the source code and look for runtime errors, and employ periodic penetration testing to identify API vulnerabilities to more sophisticated, new, or novel attacks.

4. Monitoring

API monitoring is critical because it helps detect threats in real time and builds a baseline of “normal” activity, which is necessary for identifying anomalies. Continuous monitoring allows security teams to quickly spot unusual patterns, such as spikes in traffic, repeated failed logins, or abnormal usage of endpoints—often signs of attacks.

An API monitoring checklist should include the following:

  • Use an API discovery tool to continuously monitor for and document new APIs. You can’t secure what you don’t know exists. Developers may deploy or test APIs without formal approval, creating untracked or undocumented endpoints (“shadow APIs”) that can be overlooked by security teams and become easy targets for attackers. Continuous discovery ensures that every exposed API is inventoried, assessed, secured, and governed properly.
  • Keep a centralized catalog of all APIs. Maintaining a single, organized view of the entire API ecosystem simplifies API monitoring with improved visibility, streamlined management, and faster incident response.
  • Log and analyze API traffic. Identify unexpected request volume spikes, which may indicate a DDoS attack, and monitor requests from unexpected geographic regions not typical for legitimate users, which can signal unauthorized access attempts. A spike in failed requests can indicate credential stuffing activity or misconfigured clients repeatedly hitting the API with invalid input.

5. API security standards: OWASP and NIST

The Open Worldwide Application Security Project (OWASP) and the National Institute of Standards and Technology (NIST) both publish best practices for cybersecurity.

6. API security tools

Because of the move to API-first application design and the proliferation of APIs, a comprehensive web application and API protection (WAAP) solution is the strongest defense for API estates. A WAAP provides holistic security and integrates into a single solution a web application firewall (WAF), API discovery and protection services, DDoS mitigation, and bot management.

Key benefits of WAAP include:

  • Enhanced observability. Comprehensive visibility into web application and API traffic via logging, metrics, and real-time analytics empowers security teams to identify anomalies, troubleshoot issues more quickly, and extract actionable insights into user activity and emerging threat patterns.
  • Integrated, comprehensive protection. WAAP combines robust API discovery and visibility with critical enforcement capabilities to control and block API threats, including specific controls to allow/deny lists, rate limit, geo-IP filter, plus custom rule generation. On top of this, WAAP includes layer 7 DoS, data loss prevention (DLP) functionality to detect and mask sensitive data, bot management, and WAF—all within a single solution. This holistic approach ensures APIs are both visible and secured, enabling proper governance and reliable API performance.
  • Centralized policy management. WAAP manages security policies for all web applications and APIs from a single control point—regardless of where the apps are hosted or what their underlying architecture looks like. This centralized approach ensures consistent enforcement, minimizes configuration errors, and simplifies security operations across diverse environments.
  • Streamlined policy management and maintenance. By automating and optimizing policy implementation and updates across applications and APIs, WAAP solutions make applying, refining, and adapting policies to counter evolving threats and application behavior easier across all apps and APIs as appropriate. This reduces manual effort, accelerates responses to emerging exploits, and ensures unified enforcement across systems.
  • Clear audit trails. Detailed logs and audit trails of access, policy changes, and security events are essential for demonstrating compliance with regulatory and industry standards across all threat vectors and components of an applications, including APIs, infrastructure, and data.

API security from F5

F5 offers API security as part of its Web Application and API Protection (WAAP) solutions, which secure APIs across complex hybrid and multicloud fabric environments, reducing complexity while improving operational efficiencies. F5’s WAAP solutions deliver a comprehensive approach to protecting APIs throughout their full lifecycle, from the build and test phases through their release, operations, and monitoring.

F5’s WAAP solutions mitigate risks and improve digital resiliency by continuously defending critical business logic that supports web apps and APIs. They offer universal API visibility by dynamically discovering, continuously monitoring, and detecting threats, while safeguarding API endpoints with critical control and enforcement mechanisms. F5’s WAAP solutions can be deployed in any environment, including on-premises, in the cloud, or as-a-service.