Processing
Don't auto-increment IDs. Use UUID instead.
If you are parsing XML files, make sure entity parsing is not enabled to avoid XXE (XML external entity attack).
If you are parsing XML files, make sure entity expansion is not enabled to avoid the Billion Laughs/XML bomb attack (exponential entity expansion).
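Both XML items above (external entities and entity expansion) come down to the same defensive rule: refuse any DTD. The following is an added example, not code from the checklist, showing a hardened parser built on Python's standard-library expat and ElementTree. The sample documents are constructed for the demonstration (the SYSTEM path is a placeholder); the policy is to raise before any entity is declared, resolved or expanded.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE/DTD, which is the only place
    external entities (XXE) or entity bombs (Billion Laughs) can be declared."""


def parse_xml_safely(data):
    """Parse XML into an Element tree, refusing any DOCTYPE or entity declaration.

    expat fires StartDoctypeDeclHandler at '<!DOCTYPE' before it reads the
    internal subset, so the exception wins before any entity is declared,
    expanded or fetched. The other two handlers are defence in depth.
    """
    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_args):
        raise UnsafeXML("DOCTYPE and entity declarations are not allowed")

    parser.StartDoctypeDeclHandler = reject    # rejects the whole DTD up front
    parser.EntityDeclHandler = reject          # any <!ENTITY ...> declaration
    parser.ExternalEntityRefHandler = reject   # any attempt to resolve an external entity
    parser.StartElementHandler = builder.start  # expat passes (name, attrs dict)
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_accepted(data):
    """True if the document parses under the hardened policy, False if it is rejected."""
    try:
        parse_xml_safely(data)
        return True
    except UnsafeXML:
        return False


# Constructed sample documents for the demonstration.
BENIGN = b"<order><id>42</id><note>paid</note></order>"
# XXE shape: an external entity pointing at a placeholder path.
XXE = b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]><d>&ext;</d>'
# Entity-expansion shape: nested internal entities (kept tiny; the parser rejects it
# at the DOCTYPE, so size does not matter).
BOMB = (b'<!DOCTYPE z [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">'
        b'<!ENTITY c "&b;&b;&b;&b;">]><z>&c;</z>')

if __name__ == "__main__":
    print(parse_xml_safely(BENIGN).find("id").text)   # 42
    print(is_accepted(XXE), is_accepted(BOMB))         # False False
```

Malformed XML still surfaces as `xml.parsers.expat.ExpatError`, so a request handler should map both exception types to a 400 response. Rejecting every DOCTYPE is stricter than disabling external entities alone, but for an API that only exchanges data documents it is the simplest policy to reason about.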
Use a CDN for file uploads.
If you are dealing with a huge amount of data, use workers and queues to process as much as possible in the background and return a response fast, to avoid HTTP blocking.
Do not forget to turn the DEBUG mode OFF.
Check that all endpoints are protected behind authentication to avoid broken authentication.
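One way to make "every endpoint is authenticated" a checkable property rather than a hope is to keep a route registry and audit it for handlers that carry no guard. This is an added example, not the checklist's own code: the route table, the `authenticated` decorator, the `/health`, `/orders` and `/orders/42` paths and the demo token are all constructed for the demonstration. The guard also reads credentials only from the standard Authorization header, never from the query string.

```python
import hmac
from functools import wraps

# Constructed policy: endpoints that are intentionally public must be listed explicitly,
# so an unguarded route is either on this list or a finding.
PUBLIC_ENDPOINTS = {("GET", "/health"), ("POST", "/login")}
VALID_TOKEN = "constructed-demo-token"  # stand-in for a real token lookup

ROUTES = {}  # (method, path) -> handler


def bearer_token(headers):
    """Return the bearer token from the Authorization header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def authenticated(fn):
    """Guard a handler: 401 unless a valid bearer token is presented."""
    @wraps(fn)
    def guard(request):
        token = bearer_token(request["headers"])
        if token is None or not hmac.compare_digest(token, VALID_TOKEN):
            return 401, {"error": "unauthorized"}
        return fn(request)
    guard.authenticated = True  # marker the audit looks for
    return guard


def route(method, path):
    def register(fn):
        ROUTES[(method, path)] = fn
        return fn
    return register


@route("GET", "/health")
def health(request):
    return 200, {"status": "ok"}


@route("GET", "/orders")
@authenticated
def list_orders(request):
    return 200, {"orders": [42]}


@route("DELETE", "/orders/42")
def delete_order(request):  # guard forgotten on purpose: the audit must flag this
    return 204, {}


def unprotected_endpoints():
    """Endpoints with no guard that are not explicitly declared public."""
    return sorted(
        f"{method} {path}"
        for (method, path), fn in ROUTES.items()
        if not getattr(fn, "authenticated", False) and (method, path) not in PUBLIC_ENDPOINTS
    )


def dispatch(method, path, headers):
    fn = ROUTES.get((method, path))
    if fn is None:
        return 404, {"error": "not found"}
    return fn({"headers": headers})


if __name__ == "__main__":
    print(unprotected_endpoints())                  # ['DELETE /orders/42']
    print(dispatch("GET", "/orders", {})[0])         # 401
    print(dispatch("GET", "/orders", {"Authorization": f"Bearer {VALID_TOKEN}"})[0])  # 200
```

Running `unprotected_endpoints()` as a test in CI turns the checklist item into a build failure whenever someone adds a route without a guard. The token comparison uses `hmac.compare_digest` so that lookups do not leak timing information.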
Input
Validate the request's Accept header (content negotiation) so that only your supported formats (e.g. application/xml, application/json, etc.) are allowed, and respond with 406 Not Acceptable if none matches.
Validate the Content-Type of posted data against the types you accept (e.g. application/x-www-form-urlencoded, multipart/form-data, application/json, etc.).
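The two items above are the request-side half of content negotiation. The following added example (not code from the checklist) implements both checks as plain functions: an Accept parser that honours q-values and wildcards and returns 406 when nothing matches, and a Content-Type check on the request body that returns 415 Unsupported Media Type (the standard response for a body type the server does not accept). The supported and allowed type lists are a constructed policy, and the header dict is assumed to use canonical header names.

```python
# Constructed policy for the demonstration.
SUPPORTED_RESPONSE_TYPES = ["application/json", "application/xml"]   # first entry is the default
ALLOWED_REQUEST_TYPES = {
    "application/json",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
}


def parse_accept(header):
    """Return [(media_range, q, position)] from an Accept header value."""
    prefs = []
    for pos, part in enumerate(header.split(",")):
        fields = [f.strip() for f in part.split(";")]
        media, params = fields[0].lower(), fields[1:]
        if not media:
            continue
        q = 1.0
        for param in params:
            key, _, val = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val.strip())
                except ValueError:
                    q = 0.0  # unparsable q: treat the range as not acceptable
        prefs.append((media, q, pos))
    return prefs


def negotiate(accept_header, supported=SUPPORTED_RESPONSE_TYPES):
    """Pick the best supported response type, or None (the caller answers 406)."""
    if accept_header is None or not accept_header.strip():
        return supported[0]  # client expressed no preference: use the default
    best = None  # ((q, specificity, -position), mime)
    for media, q, pos in parse_accept(accept_header):
        if q <= 0:
            continue  # q=0 means "never send me this"
        for mime in supported:
            if media == mime:
                specificity = 2
            elif media == "*/*":
                specificity = 0
            elif media.endswith("/*") and mime.startswith(media[:-1]):
                specificity = 1  # e.g. application/* matches application/json
            else:
                continue
            rank = (q, specificity, -pos)
            if best is None or rank > best[0]:
                best = (rank, mime)
    return best[1] if best else None


def request_body_type(content_type_header, allowed=ALLOWED_REQUEST_TYPES):
    """Return the bare media type if we accept it, else None (the caller answers 415)."""
    if not content_type_header:
        return None
    media = content_type_header.split(";", 1)[0].strip().lower()  # drop charset/boundary params
    return media if media in allowed else None


def check_request(headers, has_body):
    """Negotiation step for an incoming request: (status, response_type).

    200 means proceed to the handler; 406 or 415 should be returned as-is.
    """
    chosen = negotiate(headers.get("Accept"))
    if chosen is None:
        return 406, None
    if has_body and request_body_type(headers.get("Content-Type")) is None:
        return 415, chosen
    return 200, chosen


if __name__ == "__main__":
    print(check_request({"Accept": "text/html, application/json;q=0.9, */*;q=0.1"}, False))
    print(check_request({"Accept": "image/png"}, False))                          # (406, None)
    print(check_request({"Accept": "*/*", "Content-Type": "text/xml"}, True))      # (415, 'application/json')
```

Doing the Accept check before any work means a client that cannot consume the answer costs nothing beyond header parsing, and stripping parameters before the Content-Type comparison keeps `application/json; charset=utf-8` from being rejected while still refusing types outside the allowlist.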
Validate user input to avoid common vulnerabilities (e.g. XSS, SQL-Injection, Remote Code Execution, etc.).
Don't put any sensitive data (credentials, passwords, security tokens, or API keys) in the URL; use the standard Authorization header instead.
Use an API Gateway service to enable caching and rate-limit policies (e.g. Quota, Spike Arrest, or Concurrent Rate Limit) and to deploy API resources dynamically.
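Quota and Spike Arrest are two different limiting policies: a quota caps how many calls a client may make per window, while spike arrest smooths how fast they may arrive. The following added example (not code from the checklist or from any gateway product) implements both in Python and combines them into one policy check, so the difference in behaviour is visible. The rates, the `client-A` key and the injectable clock are constructed for the demonstration.

```python
import time


class SpikeArrest:
    """Token bucket: sustain `rate` requests/second per key, with `burst` headroom."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}  # key -> (tokens, last_refill_time)

    def allow(self, key):
        now = self.clock()
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last call
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[key] = (tokens, now)
        return allowed


class Quota:
    """Fixed window: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.counts = {}  # key -> (window_start, count)

    def allow(self, key):
        now = self.clock()
        start, count = self.counts.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # new window
        if count >= self.limit:
            self.counts[key] = (start, count)
            return False
        self.counts[key] = (start, count + 1)
        return True


class RateLimitPolicy:
    """Spike arrest first (cheap traffic shaping), then the quota."""

    def __init__(self, spike, quota):
        self.spike, self.quota = spike, quota

    def check(self, key):
        """(200, 'ok') to proceed, or (429, reason) to reject the request."""
        if not self.spike.allow(key):
            return 429, "spike arrest"
        if not self.quota.allow(key):
            return 429, "quota exceeded"
        return 200, "ok"


class FakeClock:
    """Constructed clock so the demonstration is deterministic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo_sequence():
    """Replay a constructed request timeline for one client and return the decisions."""
    clock = FakeClock()
    policy = RateLimitPolicy(
        SpikeArrest(rate=2.0, burst=3, clock=clock),   # 2 req/s, bursts of 3
        Quota(limit=5, window=60, clock=clock),        # 5 requests per minute
    )
    results = []
    for t in (0.0, 0.0, 0.0, 0.0, 0.5, 1.0, 1.5, 61.0):
        clock.t = t
        results.append(policy.check("client-A"))
    return results


if __name__ == "__main__":
    for t, decision in zip((0.0, 0.0, 0.0, 0.0, 0.5, 1.0, 1.5, 61.0), demo_sequence()):
        print(f"t={t:5.1f}s -> {decision}")
```

In the replayed timeline the fourth request at t=0 trips spike arrest (the burst of three is spent), the seventh trips the quota (five calls in the minute), and the request at t=61 is admitted again because the window has rolled over and the bucket has refilled. The same separation is what a gateway's Quota and Spike Arrest policies give you, keyed by client identity rather than by a constructed string.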