[ISM] Web API security (OWASP API Security Top 10):

The OWASP API Security Top 10 are mitigated in the development of web APIs.

[OWASP] Secure API configurations (SSS-02-15-08)

Ensure API configurations follow security best practices to prevent misconfigurations that expose systems to attack. For example:
- Enforce secure defaults by disabling unnecessary features, endpoints, and permissions to reduce the attack surface.
- Keep API keys, credentials, and other sensitive configuration out of public repositories and logs.
- Enable security headers and encryption protocols to protect API communications.
- Regularly audit API configurations, access controls, and cloud settings to identify and remediate security gaps.
- Continuously monitor API deployments to detect unauthorized changes or misconfigured security settings.
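The audit step above is easiest to see as code. The following is an added example, not part of the ISM or OWASP text: a small configuration audit run over a constructed deployment config that flags the misconfigurations the control lists (insecure defaults, exposed secrets, missing TLS, wildcard CORS, public storage). The configuration format, field names and sample values are hypothetical.

```python
"""Added example: audit an API deployment configuration for the
misconfigurations named in the control. Config schema is hypothetical."""
import re
from typing import Any, Dict, List

# Constructed sample: a config as a developer might commit it, with several
# of the problems the control describes left in place.
SAMPLE_CONFIG: Dict[str, Any] = {
    "debug": True,                                   # insecure default left on
    "tls": {"enabled": False},                       # plaintext API traffic
    "cors": {"allowed_origins": ["*"]},              # any origin may call
    "enabled_endpoints": ["/orders", "/admin/debug", "/health"],
    "storage": {"bucket_acl": "public-read"},        # world-readable bucket
    "database_url": "postgres://app:hunter2@db.internal/app",  # creds in URL
    "api_key": "PLACEHOLDER-NOT-A-REAL-KEY",         # constructed placeholder
}

# The same deployment with each finding remediated; secrets are referenced,
# not stored, so the config can safely live in a repository.
HARDENED_CONFIG: Dict[str, Any] = {
    "debug": False,
    "tls": {"enabled": True},
    "cors": {"allowed_origins": ["https://app.example.com"]},
    "enabled_endpoints": ["/orders", "/health"],
    "storage": {"bucket_acl": "private"},
    "database_url": "postgres://db.internal/app",
    "credentials_source": "secrets-manager",
}

# Config keys whose string values are almost certainly secrets.
SECRET_KEY_PATTERN = re.compile(r"(secret|password|api_key|token)", re.I)
# user:password@ embedded in a URL-style value.
URL_CREDENTIALS = re.compile(r"://[^/\s:@]+:[^@\s]+@")


def audit_config(cfg: Dict[str, Any]) -> List[str]:
    """Return one finding per misconfiguration; an empty list means clean."""
    findings: List[str] = []
    if cfg.get("debug"):
        findings.append("debug mode enabled: verbose errors can leak system details")
    if not cfg.get("tls", {}).get("enabled", False):
        findings.append("tls disabled: API traffic is not encrypted")
    if "*" in cfg.get("cors", {}).get("allowed_origins", []):
        findings.append("cors allows any origin ('*')")
    for endpoint in cfg.get("enabled_endpoints", []):
        # Admin and debug endpoints are the classic "unnecessary feature".
        if "debug" in endpoint or endpoint.startswith("/admin"):
            findings.append(f"unnecessary endpoint exposed: {endpoint}")
    acl = cfg.get("storage", {}).get("bucket_acl", "private")
    if acl.startswith("public"):
        findings.append(f"storage bucket ACL is {acl}")
    for key, value in cfg.items():
        if not isinstance(value, str):
            continue
        if SECRET_KEY_PATTERN.search(key):
            findings.append(f"secret stored inline in config: {key}")
        elif URL_CREDENTIALS.search(value):
            findings.append(f"credentials embedded in URL: {key}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run as part of CI against every environment's rendered configuration so that a regression (debug re-enabled, an origin wildcard added for a quick test) fails the pipeline rather than reaching production.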

[OWASP] Harden API configurations and deployment (SSS-02-15-08-01)

Ensure a secure API lifecycle by implementing a consistent hardening process, configuration reviews, and automated security assessments. For example:
- Establish a repeatable API hardening process that enables fast and secure deployments with locked-down environments.
- Regularly review and update configurations across orchestration files, API components, and cloud services (e.g., S3 bucket permissions) to minimize security risks.
- Automate continuous security assessments to detect misconfigurations and enforce security best practices in all environments.

Additionally, enforce secure API communication:
- Require TLS encryption for all internal and external API interactions.
- Restrict HTTP methods by explicitly defining allowed verbs and disabling unnecessary ones (e.g., HEAD).
- Secure browser-exposed APIs by implementing CORS policies and security headers to prevent cross-origin attacks.
- Limit accepted data formats to only those required for business functions to reduce the attack surface.
- Ensure consistent request handling across all HTTP servers (e.g., load balancers, proxies, back-end servers) to prevent desynchronization attacks.
- Define strict response payload schemas, including error handling, to prevent sensitive system details from being exposed to attackers.

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-15-08-01-01 | Implement a repeatable hardening process | Establish a repeatable hardening process that ensures fast and secure deployment of a locked-down environment for the API. This should be part of the standard deployment lifecycle. | Development | DevOps Teams, Security Engineers |
| SSS-02-15-08-01-02 | Review and update configurations | Regularly review and update configurations across the entire API stack, including orchestration files, API components, and cloud services (e.g., S3 bucket permissions) to ensure they follow security best practices. | Development | Security Engineers, DevOps Teams |
| SSS-02-15-08-01-03 | Automate continuous configuration assessment | Implement an automated process to continuously assess the effectiveness of configurations and security settings in all environments, ensuring they remain secure over time. | Post-deployment | Security Engineers, IT Operations |
| SSS-02-15-08-01-04 | Encrypt all API communications | Ensure that all API communications, both internal and public-facing, are transmitted over an encrypted communication channel (e.g., TLS) to protect against data interception and tampering. | Development | Security Engineers, DevOps Teams |
| SSS-02-15-08-01-05 | Restrict HTTP verbs and disable unnecessary ones | Be specific about which HTTP verbs are allowed for API access. Disable any unnecessary HTTP verbs (e.g., HEAD) to reduce the attack surface. | Development | Security Engineers, Backend Developers |
| SSS-02-15-08-01-06 | Implement CORS and security headers | For APIs expected to be accessed from browser-based clients, implement a proper Cross-Origin Resource Sharing (CORS) policy and include applicable security headers to protect from common web vulnerabilities. | Development | Web Developers, Security Engineers |
| SSS-02-15-08-01-07 | Restrict incoming content types | Restrict the accepted content types and data formats to only those that are necessary for the business or functional requirements, preventing unexpected or malicious data from being processed. | Development | Backend Developers, Security Engineers |
| SSS-02-15-08-01-08 | Enforce uniform request processing across servers | Ensure that all servers in the HTTP server chain (e.g., load balancers, proxies, backend servers) process incoming requests uniformly to prevent desynchronization issues. | Deployment | IT Operations, DevOps Teams |
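Operations 04 through 08 of the table above, together with the strict error schema from the control text, can be demonstrated in one request handler. The following is an added example written for this page, not code from the ISM, OWASP or any project: a framework-independent handler that applies an explicit verb allowlist per route (refusing HEAD and other unlisted verbs), restricts accepted content types, answers CORS from an origin allowlist rather than a wildcard, emits security headers on every response, rejects ambiguously framed requests that different servers in a chain might parse differently, and returns errors in a fixed schema with no internal details. The routes, origins, header values and sample requests are hypothetical and constructed for the example.

```python
"""Added example: a hardened API request handler implementing the
operations in the table above. Routes, origins and headers are hypothetical."""
import json
from typing import Dict, Optional, Set, Tuple

Response = Tuple[int, Dict[str, str], str]

# Explicitly allowed verbs per route; anything else (HEAD, TRACE, PUT ...) is refused.
ROUTES: Dict[str, Set[str]] = {
    "/orders": {"GET", "POST"},
    "/orders/export": {"GET"},
}
# Only the data formats the business function needs.
ALLOWED_CONTENT_TYPES = {"application/json"}
# Browser origins permitted to call the API; never "*" for a credentialed API.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Applied to every response, success or error (HSTS assumes TLS is enforced).
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Content-Type": "application/json",
}


def _error(status: int, code: str) -> Response:
    """Strict error schema: a stable code only, no stack traces or server internals."""
    return status, dict(SECURITY_HEADERS), json.dumps({"error": {"code": code}})


def _preflight(origin: Optional[str], allowed: Set[str]) -> Response:
    """CORS preflight: advertise the route's allowed verbs, but only to listed origins."""
    if origin not in ALLOWED_ORIGINS:
        return _error(403, "origin_not_allowed")
    headers = dict(SECURITY_HEADERS)
    headers.update({
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(allowed)),
        "Access-Control-Allow-Headers": "Content-Type",
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",
    })
    return 204, headers, ""


def handle(method: str, path: str, headers: Dict[str, str], body: str) -> Response:
    """Process one request and return (status, response headers, body)."""
    req = {k.lower(): v for k, v in headers.items()}

    # A request carrying both framing headers may be split differently by a
    # proxy and the back end; refuse it rather than guess (RFC 7230 section 3.3.3).
    if "content-length" in req and "transfer-encoding" in req:
        return _error(400, "ambiguous_request_framing")

    if path not in ROUTES:
        return _error(404, "not_found")
    allowed = ROUTES[path]
    origin = req.get("origin")

    if method == "OPTIONS":
        return _preflight(origin, allowed)
    if method not in allowed:
        status, hdrs, err_body = _error(405, "method_not_allowed")
        hdrs["Allow"] = ", ".join(sorted(allowed))
        return status, hdrs, err_body

    payload = None
    if body:
        ctype = req.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in ALLOWED_CONTENT_TYPES:
            return _error(415, "unsupported_media_type")
        try:
            payload = json.loads(body)
        except ValueError:
            return _error(400, "invalid_json")

    resp_headers = dict(SECURITY_HEADERS)
    # Echo the origin only when it is on the allowlist; an unknown origin gets
    # no Access-Control-Allow-Origin header, so the browser withholds the response.
    if origin in ALLOWED_ORIGINS:
        resp_headers["Access-Control-Allow-Origin"] = origin
        resp_headers["Vary"] = "Origin"
    return 200, resp_headers, json.dumps({"path": path, "received": payload})


if __name__ == "__main__":
    # Constructed sample requests exercising each control.
    print(handle("HEAD", "/orders", {}, "")[0])                     # 405
    print(handle("POST", "/orders", {"Content-Type": "text/xml"}, "<a/>")[0])  # 415
    print(handle("POST", "/orders", {"Content-Type": "application/json",
                                     "Origin": "https://app.example.com"},
                 '{"sku": "x"}')[0])                                   # 200
```

The handler is deliberately a pure function so the same checks can be placed in a framework middleware or behind a WSGI/ASGI adapter and unit-tested without a network; the security headers and error schema live in one place so no code path can return a response that lacks them.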

References

Industry framework:
- Information Security Manual (ISM-1851)
- OWASP Top 10 API Security Risk