Safeguard
Tag

api-security

Safeguard articles tagged "api-security" — guides, analysis, and best practices for software supply chain and application security.

100 articles

Application Security

Verifying webhook signatures correctly

Stripe gives you a 5-minute replay window and GitHub a raw-body HMAC — but most outages trace back to one bug: verifying JSON after it's been re-serialized.

Jul 8, 20267 min read
Security Guides

REST API Security Best Practices: The OWASP API Top 10 in Practice

Most API breaches aren't exotic — they're broken object-level authorization and missing rate limits. A practical walk through the OWASP API Security Top 10.

Jul 6, 20265 min read
Security Guides

GraphQL API Security: Introspection, Depth Limits, and Authorization

GraphQL's flexibility is its attack surface. Nested queries, introspection, and per-field authorization all fail differently than REST. Here's how to secure them.

Jul 5, 20265 min read
Vulnerability Guides

CORS Misconfiguration: How to Prevent It

A too-generous CORS policy can let a malicious site read authenticated responses from your API. Reflecting the Origin with credentials is the classic mistake.

Jul 4, 20265 min read
Vulnerability Guides

JWT Security Vulnerabilities and How to Avoid Them

JSON Web Tokens are only as safe as how you verify them. The alg:none trick, RS256-to-HS256 confusion, and weak secrets have all led to full auth bypass.

Jul 3, 20265 min read
Vulnerability Guides

Mass Assignment Vulnerability: How to Prevent It

Mass assignment lets attackers set fields you never meant to expose — like isAdmin or accountBalance — by adding them to a request body. Here is the fix.

Jul 2, 20265 min read
Security Guides

FastAPI Security Best Practices: A 2026 Guide

FastAPI's type system catches a whole class of bugs for free, but async I/O, JWT handling, and dependency injection introduce risks that Pydantic will not save you from.

Jul 2, 20265 min read
Vulnerability Guides

What Is IDOR (Insecure Direct Object Reference)?

IDOR lets an attacker swap an ID in a request and read or change data that belongs to someone else. Here is how it works and how to shut it down.

Jul 1, 20266 min read
Application Security

API security and the rise of shadow/zombie APIs

Shadow and zombie APIs caused breaches at Optus, T-Mobile, and Peloton. Here's why code-scanning tools miss them and what API security best practices actually work.

Jun 26, 20267 min read
Buyer's Guides

Best DAST Tools in 2026: Web, API, and CI/CD Scanning Compared

An honest guide to the best DAST tools in 2026 — from OWASP ZAP and Burp Suite to Invicti, StackHawk, and Escape — with clear guidance on which fits web apps, APIs, and CI/CD-native pipelines, and where DAST stops and supply chain security begins.

Jun 6, 20268 min read
Application Security

OWASP API Security Top 10 risks explained

The OWASP API Security Top 10 ranks BOLA, broken auth, SSRF, and 7 more API risks behind breaches like Optus and T-Mobile — explained with real incidents.

Jun 4, 20268 min read
AppSec

API Security Posture Management, Explained

API security posture management inventories every API you actually have, then continuously checks it against the rules you meant to enforce.

Jun 2, 20265 min read
api-security (Page 2) — Safeguard Blog