Safeguard
Tag

api-security

Safeguard articles tagged "api-security" — guides, analysis, and best practices for software supply chain and application security.

99 articles

Kubernetes Security

Broken object-level authorization in Kubernetes integrations: CVE-2023-1065

One leaked Integration ID was enough to pollute a Snyk customer's findings — CVE-2023-1065 shows why possession of an identifier is not authorization.

Jul 14, 20266 min read
Application Security

API gateway security: enforcing authN/authZ and rate limits at the edge

A single unauthenticated API endpoint exposed 37 million T-Mobile accounts in 2023. Edge-enforced authZ and identity-aware rate limits are how you prevent the repeat.

Jul 13, 20266 min read
Application Security

API security fundamentals: mapping the OWASP API Top 10 to real tests

OWASP's 2023 API Security Top 10 lists 10 risk categories — most start with a single curl request. Here's how to test and fix each one.

Jul 13, 202611 min read
Application Security

Java DTOs for secure data handling

A single @RequestBody bound to a JPA entity can let attackers set fields like isAdmin — DTOs close that gap by design, not by discipline.

Jul 12, 20266 min read
Best Practices

Webhook security best practices: HMAC signing, replay protection, and IP allowlisting

Stripe gives webhook signatures a 5-minute tolerance window; GitHub signs with HMAC-SHA256. Here's how to build inbound and outbound webhooks that survive both.

Jul 11, 20267 min read
Application Security

How to Discover Shadow and Undocumented APIs Before Attackers Do

A single undocumented API endpoint exposed 10 million Optus records in 2022. Here's how to find shadow APIs in production and assess their real exposure.

Jul 10, 20266 min read
Application Security

A primer on the OWASP API Security Top 10 and how to test for it

The OWASP API Security Top 10 dropped Injection entirely in its 2023 update and added SSRF — most REST and GraphQL teams still test for the old list.

Jul 10, 20267 min read
Application Security

Securing gRPC APIs: mTLS, Interceptors, and Input Validation

CVE-2023-44487 knocked grpc-go services offline with a Rapid Reset flood — a reminder that gRPC ships fast, insecure by default, and needs hardening at every layer.

Jul 10, 20266 min read
Security Guides

API Authentication Best Practices (2026)

How you authenticate API clients decides how bad a leaked credential gets. Here is how to choose and harden API keys, bearer tokens, JWTs, and mTLS in 2026.

Jul 8, 20266 min read
Buyer's Guides

Best API Security Tools in 2026: An Honest Buyer's Guide

A balanced 2026 comparison of the leading API security tools — Salt Security, Akamai API Security, Traceable, 42Crunch, Wallarm, and StackHawk — with an honest look at where Safeguard fits.

Jul 8, 20266 min read
Application Security

The Security Implications of Misconfigured CORS in Node.js APIs

One line of Express middleware — reflecting Origin back with credentials: true — turns CORS from a browser protection into an authenticated data-exfiltration channel.

Jul 8, 20266 min read
Application Security

A practical REST API hardening checklist

OWASP's 2023 API Security Top 10 still ranks broken object-level authorization as the #1 risk — here's a concrete checklist for authn, rate limiting, and input validation.

Jul 8, 20266 min read
api-security — Safeguard Blog