api-security
Safeguard articles tagged "api-security" — guides, analysis, and best practices for software supply chain and application security.
100 articles
The OWASP Top 10 API Security Risks, Explained
The OWASP Top 10 API Security Risks reorder the classic web vulnerability list around how APIs actually get broken — object-level authorization failures beat injection as the most common real-world root cause.
Webhooks Security: A Practical Checklist
Webhooks security is easy to get wrong because the endpoint has to trust an unauthenticated inbound request by default — here's the checklist that closes the common gaps.
BOLA: Broken Object Level Authorization, Explained
A bola vulnerability lets one authenticated user reach another user's data just by changing an ID in a request — no exploit code required, which is exactly why scanners miss it so often.
Application Layer Security: What It Covers (and What It Doesn't)
Application layer security protects the code, logic, and APIs at the top of the OSI stack, but it's easy to confuse it with network or infrastructure security controls that solve a different problem.
API Security Scanning: What Good Tools Actually Catch
API security scanning explained in terms of the specific failure classes it catches, from broken object-level authorization to shadow endpoints, and why generic web scanners miss most of them.
The OWASP API Security Top 10: Each Risk Explained
The OWASP API Top 10 is a ranked list of the most common API-specific vulnerability classes, from broken object level authorization to unsafe consumption of third-party APIs.
What Is a JWT (JSON Web Token)
A JWT is a compact, signed token that carries claims like who a user is between parties. Learn its three parts, how signing works, and the common security pitfalls.
GraphQL Supply Chain Security Considerations
Supply chain risks specific to GraphQL stacks: Apollo, graphql-js, persisted queries, introspection, and transitive risk in gateway federation.
Fastify Security Posture in 2024
Fastify hit version 5.0 in September 2024 with a slimmer core, a plugin model that encourages correctness, and a security track record that genuinely distinguishes it from the Express crowd. Here is what I have learned auditing Fastify apps this year.
What Is OAuth
OAuth lets one app access your data in another without ever seeing your password. Learn how delegated access works, what tokens and scopes do, and why it matters.
Open Banking API Supply Chain Security
Open banking depends on a tangle of SDKs, certificate authorities, and directory services. What PSD2, the UK's Open Banking Standard, and the emerging US framework mean for supply chain security.
FastAPI Supply Chain Security: A Working Guide
FastAPI's dependency surface is deceptively large. Here is how to lock it down in practice, covering Starlette, Pydantic, Uvicorn, and the plugins you likely missed.