api-security
Safeguard articles tagged "api-security" — guides, analysis, and best practices for software supply chain and application security.
100 articles
Verifying webhook signatures correctly
Stripe gives you a 5-minute replay window and GitHub a raw-body HMAC — but most outages trace back to one bug: verifying JSON after it's been re-serialized.
REST API Security Best Practices: The OWASP API Top 10 in Practice
Most API breaches aren't exotic — they're broken object-level authorization and missing rate limits. A practical walk through the OWASP API Security Top 10.
GraphQL API Security: Introspection, Depth Limits, and Authorization
GraphQL's flexibility is its attack surface. Nested queries, introspection, and per-field authorization all fail differently than REST. Here's how to secure them.
CORS Misconfiguration: How to Prevent It
A too-generous CORS policy can let a malicious site read authenticated responses from your API. Reflecting the Origin with credentials is the classic mistake.
JWT Security Vulnerabilities and How to Avoid Them
JSON Web Tokens are only as safe as how you verify them. The alg:none trick, RS256-to-HS256 confusion, and weak secrets have all led to full auth bypass.
Mass Assignment Vulnerability: How to Prevent It
Mass assignment lets attackers set fields you never meant to expose — like isAdmin or accountBalance — by adding them to a request body. Here is the fix.
FastAPI Security Best Practices: A 2026 Guide
FastAPI's type system catches a whole class of bugs for free, but async I/O, JWT handling, and dependency injection introduce risks that Pydantic will not save you from.
What Is IDOR (Insecure Direct Object Reference)?
IDOR lets an attacker swap an ID in a request and read or change data that belongs to someone else. Here is how it works and how to shut it down.
API security and the rise of shadow/zombie APIs
Shadow and zombie APIs caused breaches at Optus, T-Mobile, and Peloton. Here's why code-scanning tools miss them and what API security best practices actually work.
Best DAST Tools in 2026: Web, API, and CI/CD Scanning Compared
An honest guide to the best DAST tools in 2026 — from OWASP ZAP and Burp Suite to Invicti, StackHawk, and Escape — with clear guidance on which fits web apps, APIs, and CI/CD-native pipelines, and where DAST stops and supply chain security begins.
OWASP API Security Top 10 risks explained
The OWASP API Security Top 10 ranks BOLA, broken auth, SSRF, and 7 more API risks behind breaches like Optus and T-Mobile — explained with real incidents.
API Security Posture Management, Explained
API security posture management inventories every API you actually have, then continuously checks it against the rules you meant to enforce.