API Security Scorecard
Interactive checklist to secure your API
Input Validation & Sanitization
- Implement strict input validation at API entry points
- Use allowlists instead of blocklists for input validation
- Define accepted characters, patterns, and lengths for each input field
- Reject requests that don't match validation rules
- Validate Content-Type header for POST/PUT requests
- Reject unexpected content types
- Implement protection against content-type confusion attacks
- Define and enforce data types for each parameter
- Set and validate length limits for all string inputs
- Restrict character sets based on expected input
- Use regex patterns for structured data validation
- Validate numeric ranges and boundaries

HTML Output Security
- Implement HTML entity encoding for content within tags
- Use JavaScript encoding for data in script contexts
- Apply URL encoding for href attributes
- Use CSS encoding for style contexts
- Use templating engines with auto-escaping enabled
- Configure template engine to escape output based on context
- Never use raw/unescaped output unless absolutely necessary
- Test all dynamic content rendering paths
- Implement strict CSP headers on all HTML responses
- Set default-src 'self' as baseline in CSP
- Restrict script-src to trusted sources only
- Set object-src 'none' to prevent plugin execution

HTTP Security Headers
- Set X-Content-Type-Options: nosniff on all responses
- Add X-Frame-Options: DENY or SAMEORIGIN
- Include X-XSS-Protection: 1; mode=block
- Configure Referrer-Policy: strict-origin-when-cross-origin
- Set appropriate Cache-Control headers for sensitive content
- Enforce HTTPS-only communication
- Implement Strict-Transport-Security header
- Configure secure TLS settings (TLS 1.2+)

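The CSP items in the HTML Output Security section and the header items above are concrete enough to check mechanically. The following is an added example, not code from the checklist's author: it audits one response's headers against those items and returns the violations (an empty list means the response passes). The sample responses are constructed for illustration.

```python
# Added example, not the checklist's own code: audit a response's headers against the items above.
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}
def parse_csp(value: str) -> dict:
    # "default-src 'self'; object-src 'none'" -> {"default-src": ["'self'"], "object-src": ["'none'"]}
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def audit_csp(value: str) -> list:
    policy, findings = parse_csp(value), []
    if policy.get("default-src") != ["'self'"]:
        findings.append("CSP default-src should be exactly 'self'")
    # script-src falls back to default-src when absent; wildcards and unsafe-* defeat it
    script_src = policy.get("script-src", policy.get("default-src", []))
    if not script_src or RISKY_SOURCES & set(script_src):
        findings.append("CSP script-src must name trusted sources only")
    if policy.get("object-src") != ["'none'"]:
        findings.append("CSP object-src should be 'none'")
    return findings

def audit_headers(headers: dict, sensitive: bool = False) -> list:
    h, findings = {k.lower(): v.strip() for k, v in headers.items()}, []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options must be DENY or SAMEORIGIN")
    # Legacy header: current browsers ignore it, so the CSP below is the real XSS control.
    if h.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("missing X-XSS-Protection: 1; mode=block")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy should be strict-origin-when-cross-origin")
    if "max-age=" not in h.get("strict-transport-security", "").lower():
        findings.append("missing Strict-Transport-Security with max-age")
    if sensitive and "no-store" not in h.get("cache-control", "").lower():
        findings.append("sensitive response needs Cache-Control: no-store")
    if h.get("content-type", "").lower().startswith("text/html"):  # CSP only matters when rendered
        csp = h.get("content-security-policy")
        findings += audit_csp(csp) if csp else ["HTML response lacks Content-Security-Policy"]
    return findings

# Constructed samples: a hardened HTML response (no findings) and a typical default one.
HARDENED = {"Content-Type": "text/html; charset=utf-8", "X-Content-Type-Options": "nosniff",
            "X-Frame-Options": "DENY", "X-XSS-Protection": "1; mode=block", "Cache-Control": "no-store",
            "Referrer-Policy": "strict-origin-when-cross-origin", "Strict-Transport-Security": "max-age=31536000",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}
WEAK = {"Content-Type": "text/html", "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'"}
```

Run `audit_headers(WEAK, sensitive=True)` to see every header item flagged plus the three CSP findings; a JSON response skips the CSP checks because it is never rendered.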
Request Processing Security
- Implement IP-based rate limiting
- Set different limits for different endpoints based on sensitivity
- Consider CAPTCHA integration for suspicious traffic
- Monitor and log rate limit violations
- Set maximum request payload sizes
- Configure reasonable request timeouts
- Implement connection limits per IP
- Monitor resource usage and implement alerts

Input-Specific Validation
- Use URL parsing libraries instead of regex for URL validation
- Validate and restrict URL schemes (http/https only)
- Check redirect targets to prevent open-redirect attacks
- Use allowlist-based HTML sanitizers
- Remove or escape dangerous HTML elements and attributes
- Test sanitization with known XSS payloads
- Validate file types by content, not just extension
- Implement file size limits
- Scan uploaded files for malware
- Serve uploaded files from a separate domain/subdomain
- Use strict JSON/XML parsers
- Validate against predefined schemas

Database & Backend Security
- Use parameterized queries or prepared statements
- Never concatenate user input directly into SQL queries
- Use ORM methods that prevent injection
- Implement database connection security
- Encrypt sensitive data at rest
- Use secure database configurations
- Implement proper access controls
- Apply regular security updates to database software

Response Security
- Set proper Content-Type: application/json headers
- Encode HTML entities in JSON responses that might be rendered
- Prevent JSON hijacking with proper headers
- Validate JSON structure before sending
- Return generic error messages to clients
- Log detailed errors server-side for debugging
- Never expose system information in error responses
- Implement a consistent error response format

Testing & Monitoring
- Perform regular XSS testing with various payloads
- Test for SQL injection vulnerabilities
- Conduct CSRF testing
- Test input validation bypasses
- Perform automated security scanning
- Log all security-relevant events
- Monitor for suspicious patterns and attacks
- Set up alerts for security violations
- Review security logs regularly
- Implement incident response procedures

Deployment & Maintenance
- Remove debug information from production responses
- Disable unnecessary HTTP methods
- Configure web server security settings
- Apply regular security updates to all dependencies
- Document all security measures implemented
- Train the development team on secure coding practices
- Establish a security review process for code changes
- Create incident response documentation