Month: September 2025

Checklist for Securing Your API – Lessons from my own scars

API Security Scorecard

TLDR: Try the Interactive API Security Checklist


“How I Learned to Stop Worrying and Love Security Checklists”

because I loved Dr Strangelove


After years of building APIs both inside and outside AWS and watching them get pwned in creative ways, I’ve learned one harsh truth: your API security is only as good as your worst oversight.

Remember that time you forgot to validate file uploads and someone uploaded a 500GB “image”? Or when you trusted user input and got a lovely SQL injection for Christmas? Yeah, me too. 🎄💀

The Problem with API Security

Devs often approach API security like this:

  1. “Let’s add some input validation”
  2. “HTTPS should be enough, right?”
  3. Gets hacked
  4. “Oh.”

I’ve been there. We all have. The issue isn’t that we don’t care about security—it’s that security is boring and easy to forget. You’re focused on making your endpoints work, not on the 47 different ways they can be exploited.

Enter: The Interactive Security Scorecard

So I built this: Interactive API Security Checklist

It’s basically a gamified security audit. You check off what you’ve implemented, mark irrelevant items as “N/A” (because not every API needs file upload security), and watch your security score climb toward 100%.

Key features:

  • 86 security checks across 9 categories
  • Smart scoring that ignores N/A items
  • “Select All” for when you’re feeling confident
  • Export your progress (for those compliance meetings)

Why This Actually Works

Unlike those 200-page security documents that make you want to switch careers, this checklist:

  • Fits your workflow: Check items as you implement them
  • Covers the basics: Input validation, headers, rate limiting—the stuff that stops 90% of attacks
  • Admits reality: Some checks don’t apply to your API, and that’s fine

My Reality Check

Working with large-scale, complex systems and years spent on Red/Blue teams taught me that security isn’t about being perfect—it’s about not being the lowest-hanging fruit. Most attacks succeed because of basic oversights: missing rate limits, unescaped output, or trusting Content-Type headers.

This checklist covers those “wait, I was supposed to do WHAT?” moments that happen at 2 AM when your API is getting hammered by bots.
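Two of the oversights mentioned above (trusting the Content-Type header and the "500GB image" upload) in one added example of mine, not code from the checklist: the handler sniffs the image type from the first bytes, rejects a client whose declared Content-Type disagrees with what it actually sent, and stops reading at a size cap before the body is stored. The size cap and the set of accepted signatures are constructed values for illustration.

```python
import io
from dataclasses import dataclass
from typing import BinaryIO, Optional

# Size cap and accepted image signatures: constructed values for this
# example, not settings taken from the checklist.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # 5 MiB
MAGIC_PREFIXES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",  # covers both GIF87a and GIF89a
}
CHUNK = 64 * 1024


@dataclass
class UploadVerdict:
    accepted: bool
    media_type: Optional[str]  # sniffed from the bytes, never the client's claim
    reason: str


def validate_image_upload(stream: BinaryIO, sink: BinaryIO, declared_content_type: str,
                          max_bytes: int = MAX_UPLOAD_BYTES) -> UploadVerdict:
    """Copy an upload into `sink` only if its bytes carry an accepted image
    signature and it stays under max_bytes. The declared Content-Type is
    checked against the sniffed type, not trusted. On rejection the caller
    discards whatever was written to `sink`."""
    head = stream.read(8)
    sniffed = next((t for t, m in MAGIC_PREFIXES.items() if head.startswith(m)), None)
    if sniffed is None:
        return UploadVerdict(False, None, "bytes do not match an accepted image signature")
    declared = declared_content_type.split(";")[0].strip().lower()
    if declared != sniffed:
        return UploadVerdict(False, sniffed, f"declared {declared!r} but content is {sniffed}")
    sink.write(head)
    total = len(head)
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        total += len(chunk)
        if total > max_bytes:  # stop here; never buffer the whole body first
            return UploadVerdict(False, sniffed, f"upload exceeds {max_bytes} bytes")
        sink.write(chunk)
    return UploadVerdict(True, sniffed, "ok")


def check_upload(data: bytes, declared_content_type: str,
                 max_bytes: int = MAX_UPLOAD_BYTES) -> UploadVerdict:
    """Convenience wrapper that runs the validator over in-memory bytes."""
    return validate_image_upload(io.BytesIO(data), io.BytesIO(), declared_content_type, max_bytes)
```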

The Bottom Line

Security doesn’t have to be overwhelming. Start with the basics, use tools that make it easier, and stop pretending you’ll remember everything without a checklist.

Your future self (and your incident response team) will thank you.

Pro tip: Bookmark the checklist and run through it before every deployment. It takes 10 minutes and beats explaining to your manager why the API is down because someone figured out your error messages leak database schemas.

→ Try the Interactive API Security Checklist