Safeguard
Tag

api-security

Safeguard articles tagged "api-security" — guides, analysis, and best practices for software supply chain and application security.

100 articles

AppSec

The OWASP Top 10 API Security Risks, Explained

The OWASP Top 10 API Security Risks reorder the classic web vulnerability list around how APIs actually get broken — object-level authorization failures beat injection as the most common real-world root cause.

Sep 9, 20256 min read
AppSec

Webhooks Security: A Practical Checklist

Webhooks security is easy to get wrong because the endpoint has to trust an unauthenticated inbound request by default — here's the checklist that closes the common gaps.

Aug 22, 20255 min read
Vulnerabilities

BOLA: Broken Object Level Authorization, Explained

A bola vulnerability lets one authenticated user reach another user's data just by changing an ID in a request — no exploit code required, which is exactly why scanners miss it so often.

Jul 24, 20255 min read
AppSec

Application Layer Security: What It Covers (and What It Doesn't)

Application layer security protects the code, logic, and APIs at the top of the OSI stack, but it's easy to confuse it with network or infrastructure security controls that solve a different problem.

Jun 25, 20255 min read
AppSec

API Security Scanning: What Good Tools Actually Catch

API security scanning explained in terms of the specific failure classes it catches, from broken object-level authorization to shadow endpoints, and why generic web scanners miss most of them.

Jun 24, 20255 min read
AppSec

The OWASP API Security Top 10: Each Risk Explained

The OWASP API Top 10 is a ranked list of the most common API-specific vulnerability classes, from broken object level authorization to unsafe consumption of third-party APIs.

Jun 19, 20255 min read
Concepts

What Is a JWT (JSON Web Token)

A JWT is a compact, signed token that carries claims like who a user is between parties. Learn its three parts, how signing works, and the common security pitfalls.

Oct 15, 20246 min read
DevSecOps

GraphQL Supply Chain Security Considerations

Supply chain risks specific to GraphQL stacks: Apollo, graphql-js, persisted queries, introspection, and transitive risk in gateway federation.

Sep 30, 20245 min read
Best Practices

Fastify Security Posture in 2024

Fastify hit version 5.0 in September 2024 with a slimmer core, a plugin model that encourages correctness, and a security track record that genuinely distinguishes it from the Express crowd. Here is what I have learned auditing Fastify apps this year.

Sep 20, 20247 min read
Concepts

What Is OAuth

OAuth lets one app access your data in another without ever seeing your password. Learn how delegated access works, what tokens and scopes do, and why it matters.

Aug 20, 20246 min read
Regulatory Compliance

Open Banking API Supply Chain Security

Open banking depends on a tangle of SDKs, certificate authorities, and directory services. What PSD2, the UK's Open Banking Standard, and the emerging US framework mean for supply chain security.

Jul 18, 20247 min read
Best Practices

FastAPI Supply Chain Security: A Working Guide

FastAPI's dependency surface is deceptively large. Here is how to lock it down in practice, covering Starlette, Pydantic, Uvicorn, and the plugins you likely missed.

Jul 5, 20246 min read
api-security (Page 7) — Safeguard Blog