Security
The security of an API matters to both producer and consumer, and no consumer should integrate with a third-party API platform that does not clearly communicate and demonstrate that its APIs are secure. API security is a foundational building block of any API ecosystem: it is what builds trust and keeps consumers integrated with an API.
Also known as: InfoSec, Application Security, AppSec, API Security
Example
Standards
- IETF RFC 9116 — A File Format to Aid in Security Vulnerability Disclosure (security.txt)
- OWASP API Security Top 10 (2023)
- OWASP Application Security Verification Standard (ASVS)
- OWASP Software Assurance Maturity Model (SAMM)
- ISO/IEC 27001 — Information Security Management Systems
- ISO/IEC 29147 — Vulnerability Disclosure
- ISO/IEC 30111 — Vulnerability Handling Processes
- NIST SP 800-53 — Security and Privacy Controls
- NIST SP 800-218 — Secure Software Development Framework (SSDF)
- PCI SSC PCI DSS v4.0
- AICPA SOC 2 — Trust Services Criteria
- OpenSSF SLSA — Supply-chain Levels for Software Artifacts
- CNCF in-toto
- MITRE CVE — Common Vulnerabilities and Exposures
- MITRE CWE — Common Weakness Enumeration
- FIRST CVSS v4.0 — Common Vulnerability Scoring System
- IETF RFC 9325 — Recommendations for Secure Use of TLS and DTLS
- IETF RFC 6797 — HTTP Strict Transport Security (HSTS)
HTTP Headers
| Header | Direction | Spec | Description |
|---|---|---|---|
| Strict-Transport-Security | response | RFC 6797 | Enforces HTTPS for subsequent requests to the host. |
| Content-Security-Policy | response | W3C CSP Level 3 | Restricts which resources a UA may load; applies to API-backed web surfaces. |
| X-Content-Type-Options | response | WHATWG Fetch (nosniff) | Disables MIME-type sniffing. |
| Referrer-Policy | response | W3C Referrer Policy | Controls Referer header leakage. |
| Cross-Origin-Resource-Policy | response | WHATWG Fetch | Restricts cross-origin embedding of API responses. |
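A small audit of an API response's headers against the table above, as an added example that is not part of the original page. The "safe" value sets and the one-year HSTS max-age threshold are this example's own assumptions, and the sample responses are constructed.

```python
# Added example, not from the page: audit a response's headers against the
# table above. Thresholds and "safe" value sets are this example's assumptions.
from typing import Dict, List

SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
SAFE_CORP = {"same-origin", "same-site"}
MIN_HSTS_MAX_AGE = 31536000  # one year; assumed threshold, not from RFC 6797

def hsts_max_age(value: str) -> int:
    """Parse max-age from a Strict-Transport-Security value; -1 if absent or invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the five headers in the table; [] means all pass."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}  # names/values are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing (RFC 6797)")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age below one year")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if h.get("x-content-type-options") != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy") not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or not in the strict set")
    if h.get("cross-origin-resource-policy") not in SAFE_CORP:
        findings.append("Cross-Origin-Resource-Policy missing or cross-origin")
    return findings

# Constructed sample responses: one that passes, one with typical gaps.
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer",
        "Cross-Origin-Resource-Policy": "same-origin"}
WEAK = {"strict-transport-security": "max-age=300",
        "X-Content-Type-Options": "NOSNIFF", "Referrer-Policy": "unsafe-url"}
```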
Status Codes
- 400 Bad Request — RFC 9110 §15.5.1 — Often returned for malformed/unsafe input rejected by security controls.
- 403 Forbidden — RFC 9110 §15.5.4 — Request blocked by WAF, IP allowlist, or policy.
- 429 Too Many Requests — RFC 6585 §4 — Anti-abuse / rate-limiting response.
- 451 Unavailable For Legal Reasons — RFC 7725 — Resource blocked due to legal or regulatory demand.
Well-Known Paths
- /.well-known/security.txt — RFC 9116 — Machine-readable contact and policy for vulnerability disclosure.
OpenAPI Expression
- components.securitySchemes (OpenAPI 3.x) — Declares schemes that protect operations.
- security (OpenAPI 3.x) — Operation- or document-level security requirement.
- servers[].url (OpenAPI 3.x) — HTTPS base URLs are a baseline security signal.
Link Relations
- vulnerability-disclosure — Commonly surfaced via security.txt rather than an IANA link relation.
Governance Rules
- owasp:api1:2023-no-integer-id (Vacuum / Spectral OWASP ruleset) — BOLA — avoid exposing raw integer object IDs without authorization checks.
- owasp:api2:2023-no-http-basic (Vacuum / Spectral OWASP ruleset) — Discourages HTTP Basic auth in modern APIs.
- owasp:api3:2023-no-additionalProperties (Vacuum / Spectral OWASP ruleset) — Schemas should set additionalProperties=false to prevent mass assignment.
- owasp:api4:2023-rate-limit (Vacuum / Spectral OWASP ruleset) — Operations should advertise rate-limit headers.
- owasp:api8:2023-define-error-responses-401 (Vacuum / Spectral OWASP ruleset) — Define a 401 response for protected operations.
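Simplified checks modelled on the OpenAPI fields and the five rule ids above, as an added example; this is not the page's code and not the Vacuum or Spectral implementation of those rules. The rate-limit header names it looks for are an assumption, and the OpenAPI document at the bottom is constructed to trip every check.

```python
# Added example: approximations of the listed OWASP rule ids over an OpenAPI 3.x
# dict. Not the Vacuum/Spectral rules themselves; RATE_HEADERS is an assumption.
from typing import Any, Dict, List
METHODS = {"get", "put", "post", "delete", "patch"}
RATE_HEADERS = {"ratelimit-limit", "x-ratelimit-limit"}  # assumed header names

def lint_openapi(doc: Dict[str, Any]) -> List[str]:
    """Return findings tagged with the rule they approximate; [] means clean."""
    out: List[str] = []
    for s in doc.get("servers", []):  # servers[].url should be HTTPS
        if not s.get("url", "").lower().startswith("https://"):
            out.append(f"servers-https: {s.get('url')}")
    comp = doc.get("components", {})
    for name, sch in comp.get("securitySchemes", {}).items():  # api2
        if sch.get("type") == "http" and sch.get("scheme", "").lower() == "basic":
            out.append(f"owasp:api2:2023-no-http-basic: {name}")
    for name, sch in comp.get("schemas", {}).items():  # api3 (mass assignment)
        if sch.get("type") == "object" and sch.get("additionalProperties") is not False:
            out.append(f"owasp:api3:2023-no-additionalProperties: {name}")
    global_sec = doc.get("security", [])
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            where = f"{method.upper()} {path}"
            for p in item.get("parameters", []) + op.get("parameters", []):  # api1
                if p.get("in") == "path" and p.get("schema", {}).get("type") == "integer":
                    out.append(f"owasp:api1:2023-no-integer-id: {where} {{{p['name']}}}")
            responses = op.get("responses", {})
            if op.get("security", global_sec) and "401" not in responses:  # api8
                out.append(f"owasp:api8:2023-define-error-responses-401: {where}")
            for code, resp in responses.items():  # api4: 2xx should advertise limits
                if code.startswith("2") and not RATE_HEADERS & {h.lower() for h in resp.get("headers", {})}:
                    out.append(f"owasp:api4:2023-rate-limit: {where} {code}")
    return out

# Constructed sample: plain-HTTP server, Basic auth, open schema, integer path id.
SAMPLE = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test"}],
    "security": [{"basic": []}],
    "components": {
        "securitySchemes": {"basic": {"type": "http", "scheme": "basic"}},
        "schemas": {"User": {"type": "object", "properties": {"id": {"type": "integer"}}}},
    },
    "paths": {"/users/{id}": {
        "parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}],
        "get": {"responses": {"200": {"description": "ok"}}},
    }},
}
```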
Risk & Compliance
OWASP:
- OWASP API Security Top 10 (2023): API1 BOLA, API2 Broken Authentication, API3 BOPLA, API4 Unrestricted Resource Consumption, API8 Security Misconfiguration, API9 Improper Inventory Management, API10 Unsafe Consumption of APIs
- OWASP Top 10 (web)
Compliance:
- SOC 2 — Common Criteria (CC6 Logical Access, CC7 System Operations)
- ISO/IEC 27001 Annex A controls
- PCI DSS v4 — applicable when handling cardholder data
- HIPAA Security Rule — 45 CFR §164.308–312
- GDPR Art. 32 — security of processing
- NIST SP 800-218 SSDF — secure SDLC practices
Security: Treat the API surface as the security boundary. Combine transport security (TLS 1.2+/1.3, HSTS), strong authN/Z, input validation, output encoding, rate limiting, secret management, dependency/SBOM scanning, signed builds (SLSA), runtime monitoring, and a published vulnerability-disclosure policy (RFC 9116) with a clear SLA for triage and remediation.
Tools
- OWASP ZAP — DAST (Apache-2.0)
- 42Crunch API Security Audit — API security platform
- Snyk — SCA / SAST
- Trivy — Vulnerability scanner (Apache-2.0)
- Sigstore (cosign) — Supply-chain signing (Apache-2.0)
- securitytxt.org — Generator (RFC 9116)
Suggested Metrics
- mean_time_to_remediate — Average time from vulnerability report to fix being deployed.
- critical_cvss_open_count — Count of open CVSS 9.0+ findings across the API surface.
- tls_handshake_failure_rate — Rate of TLS handshake failures; signals misconfiguration or deprecated client suites.
- waf_block_rate — Share of traffic blocked by WAF/edge rules.
- secrets_in_repo_findings — Detected leaked credentials in source repos (push-protection / scanning hits).
Example Implementations
- GitHub — Publishes security.txt, runs a coordinated VDP, signs releases.
- Stripe — Detailed security overview, PCI DSS Level 1, public bug bounty.
- Google — Google VRP, OSS-Fuzz, SLSA-aligned build provenance.
- Microsoft Graph — MSRC disclosure process, SDL, broad compliance attestations.
Related Properties
Tags
- Security
- Trust