api-security
Safeguard articles tagged "api-security" — guides, analysis, and best practices for software supply chain and application security.
99 articles
Broken object-level authorization in Kubernetes integrations: CVE-2023-1065
One leaked Integration ID was enough to pollute a Snyk customer's findings — CVE-2023-1065 shows why possession of an identifier is not authorization.
API gateway security: enforcing authN/authZ and rate limits at the edge
A single unauthenticated API endpoint exposed 37 million T-Mobile accounts in 2023. Edge-enforced authZ and identity-aware rate limits are how you prevent the repeat.
API security fundamentals: mapping the OWASP API Top 10 to real tests
OWASP's 2023 API Security Top 10 lists 10 risk categories — most start with a single curl request. Here's how to test and fix each one.
Java DTOs for secure data handling
A single @RequestBody bound to a JPA entity can let attackers set fields like isAdmin — DTOs close that gap by design, not by discipline.
Webhook security best practices: HMAC signing, replay protection, and IP allowlisting
Stripe gives webhook signatures a 5-minute tolerance window; GitHub signs with HMAC-SHA256. Here's how to build inbound and outbound webhooks that survive both.
How to Discover Shadow and Undocumented APIs Before Attackers Do
A single undocumented API endpoint exposed 10 million Optus records in 2022. Here's how to find shadow APIs in production and assess their real exposure.
A primer on the OWASP API Security Top 10 and how to test for it
The OWASP API Security Top 10 dropped Injection entirely in its 2023 update and added SSRF — most REST and GraphQL teams still test for the old list.
Securing gRPC APIs: mTLS, Interceptors, and Input Validation
CVE-2023-44487 knocked grpc-go services offline with a Rapid Reset flood — a reminder that gRPC ships fast, insecure by default, and needs hardening at every layer.
API Authentication Best Practices (2026)
How you authenticate API clients decides how bad a leaked credential gets. Here is how to choose and harden API keys, bearer tokens, JWTs, and mTLS in 2026.
Best API Security Tools in 2026: An Honest Buyer's Guide
A balanced 2026 comparison of the leading API security tools — Salt Security, Akamai API Security, Traceable, 42Crunch, Wallarm, and StackHawk — with an honest look at where Safeguard fits.
The Security Implications of Misconfigured CORS in Node.js APIs
One line of Express middleware — reflecting Origin back with credentials: true — turns CORS from a browser protection into an authenticated data-exfiltration channel.
A practical REST API hardening checklist
OWASP's 2023 API Security Top 10 still ranks broken object-level authorization as the #1 risk — here's a concrete checklist for authn, rate limiting, and input validation.