Your API Is More Exposed Than You Think
Every web application you build is essentially a collection of APIs. And every API is a potential entry point for attackers. After reviewing dozens of codebases, here are the most common security mistakes I see.
Mistake #1: No Rate Limiting
Without rate limiting, anyone can hammer your API with thousands of requests per second. This leads to:
- Denial of service
- Brute force attacks on login endpoints
- Scraping your data
Fix it:
// Express rate limiting
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // limit each IP to 100 requests
});
app.use('/api/', limiter);
Mistake #2: Exposing Sensitive Data
I once reviewed an API that returned the user's password hash in the response. Yes, really.
Fix it:
- Never return passwords, tokens, or internal IDs
- Use response DTOs to control what gets sent
- Implement field-level access control
Mistake #3: Missing Input Validation
Trust nothing that comes from the client. Ever.
Fix it:
- Validate all input on the server side
- Use libraries like Zod or Joi for schema validation
- Sanitize inputs to prevent SQL injection and XSS
Mistake #4: Broken Authentication
Common issues:
- Tokens that never expire
- No refresh token rotation
- Storing tokens in localStorage (vulnerable to XSS)
Fix it:
- Use short-lived access tokens (15 minutes)
- Implement refresh token rotation
- Store tokens in HTTP-only cookies
Mistake #5: No CORS Configuration
Leaving CORS wide open (Access-Control-Allow-Origin: *) means any website can call your API.
Fix it:
- Whitelist specific domains
- Only allow necessary HTTP methods
- Set proper headers
Security Checklist for Every API
- [ ] Rate limiting on all endpoints
- [ ] Input validation and sanitization
- [ ] Authentication and authorization on every route
- [ ] HTTPS everywhere
- [ ] CORS properly configured
- [ ] Error messages don't leak internal details
- [ ] Logging and monitoring for suspicious activity
- [ ] Regular dependency updates
- [ ] API versioning
- [ ] Request size limits
Tools I Recommend
- OWASP ZAP: Free security scanning
- Snyk: Dependency vulnerability scanning
- Helmet.js: Security headers for Express
- JWT.io: Debug and verify tokens
Security is not a feature you add later. It's a mindset you build with from day one.





































































































































































































































