API Security Audit

api-security · v1.1.0 · paid

Comprehensive security audit for REST and GraphQL APIs, covering authentication, authorization, input validation, and protection against OWASP API Top 10 threats.

Authentication & Authorization

auth · weight 0.3

All API endpoints require authentication
ab-000376
critical
Authorization enforces object-level access control
ab-000377
critical
Authentication tokens have a defined expiration time
ab-000378
high
Refresh tokens are rotated on use
ab-000379
high
Role-based access control enforced
ab-000380
high

Input Validation & Injection Prevention

input-validation · weight 0.28

Request bodies and query parameters validated against a schema
ab-000381
high
All database queries use parameterized queries or ORMs
ab-000382
high
CORS headers configured with specific allowed origins
ab-000383
medium
Content-Type header validated
ab-000384
medium
Request body size limits enforced
ab-000385
medium
SSRF prevention on outbound requests
ab-002397
medium

Rate Limiting & Abuse Prevention

abuse-prevention · weight 0.22

Rate limiting enforced per authenticated user
ab-000387
medium
IP-based rate limiting on unauthenticated endpoints
ab-000388
low
NoSQL queries use safe type-safe constructors
ab-000389
low
GraphQL introspection disabled in production
ab-000390
low
Pagination limits enforced
ab-000391
low
Batch endpoint item limits enforced
ab-000392
low
GraphQL query depth limited
ab-000393
low

API Design & Documentation Security

design-security · weight 0.2

All API traffic served over HTTPS/TLS
ab-000394
low
Error responses do not leak stack traces or internal details
ab-000395
low
Webhook signatures verified
ab-000396
info
API access audit-logged
ab-000397
info
API documentation accessible only to authorized users
ab-000398
info
TLS certificates validated for outbound connections
ab-000399
info