api-security
Safeguard articles tagged "api-security" — guides, analysis, and best practices for software supply chain and application security.
100 articles
How to set up API rate limiting
A practical, step-by-step guide to setting up API rate limiting — gateway and app-layer configs, algorithm choices, per-endpoint tuning, and how to verify it actually blocks abuse.
What is Credential Rotation
Credential rotation limits how long a leaked API key, password, or token stays valid. Here's how it works, how often to do it, and why automation matters.
Missing Rate Limiting: The OWASP API Security Risk Explained
A no rate limiting vulnerability sits quietly in most APIs until it enables brute force, credential stuffing, or resource exhaustion; here is how to spot it and fix it before it does.
Third-party risk assessment for insurtech SaaS platforms
A practical playbook for running an insurtech third-party risk assessment across vendors, APIs, and integrations before they touch policyholder data.
Insecure direct object reference (IDOR) explained
IDOR lets attackers access other users' data by editing an ID in a request. See how it broke USPS, Panera, and First American — and how to actually fix it.
Broken access control explained
Broken access control has topped OWASP's Top 10 since 2021. See real breaches, common patterns like IDOR, and how to detect and fix them.
How model extraction attacks steal proprietary AI model b...
Model extraction attacks let adversaries clone proprietary AI models through ordinary API queries alone. Here's how the attacks work, why they evade detection, and how to stop them.
Business logic vulnerabilities explained
A business logic vulnerability breaks your app's rules, not its code. See how Starbucks, Shopify, and the DAO were exploited -- and how to detect and prevent it.
Mass assignment vulnerabilities explained
Mass assignment lets attackers write privileged fields like "role":"admin" via ordinary API calls. Learn how it works, real CVEs, and fixes.
GraphQL injection and introspection abuse explained
How GraphQL injection, introspection abuse, and alias-based DoS attacks expose APIs to data leaks—illustrated by the 2021 Peloton breach.
JWT algorithm confusion / none-algorithm bypass explained
How attackers forge JWTs via RS256/HS256 key confusion and the alg:none bypass, with real CVEs, detection steps, and defenses.
Best API security testing tools
A practical, no-hype comparison of API security testing tools — from OWASP ZAP to Salt Security — covering REST/GraphQL coverage, posture management, and real tradeoffs.