API
Security

Use a code review process and disregard self-approval.

Ensure that all components of your services are statically scanned by AV software before pushing to production, including vendor libraries and other dependencies.

Design a rollback solution for deployments.

Audit your design and implementation with unit/integration tests coverage.

Send X-Frame-Options: deny header.

Send Content-Security-Policy: default-src 'none' header.

Remove fingerprinting headers - X-Powered-By, Server, X-AspNet-Version, etc.

Force content-type for your response. If you return application/json, then your content-type response is application/json.

Don't return sensitive data like credentials, Passwords, or security tokens.

Return the proper status code according to the operation completed. (e.g. 200 OK, 400 Bad Request, 401 Unauthorized, 405 Method Not Allowed, etc.).

Send X-Content-Type-Options: nosniff header.

User own resource ID should be avoided. Use /me/orders instead of /user/654321/orders.