Unauthenticated API endpoints are the most direct path to a data breach. OWASP API Security Top 10 2023 API2 (Broken Authentication) consistently ranks auth bypass as a top attack vector — attackers scan for unprotected routes before attempting anything sophisticated. A single unguarded endpoint returning user records, order history, or internal configuration can expose thousands of records. Beyond data exposure, CWE-306 (Missing Authentication for Critical Function) is cited in breach post-mortems from healthcare to fintech: regulators treat unprotected endpoints as a compliance failure, not just a technical one.
Critical because any unauthenticated attacker can read or modify protected data without credentials: exploitation is trivial and the blast radius is unbounded.
Wrap every route handler in authentication middleware so unauthenticated requests are rejected at the boundary before any business logic (and in particular any database query) runs. Two equivalent shapes: apply auth globally (src/middleware.ts in Next.js, app.use in Express) and keep an explicit allowlist of intentionally public routes, or wrap each handler individually as below. Either way the default must be "authenticated", so a route added without thought fails closed rather than open.
// src/lib/auth.ts
import jwt from 'jsonwebtoken'
import type { NextApiRequest, NextApiResponse } from 'next'

// Claims your login handler puts in the token; extend as needed.
export interface JWTPayload { sub: string; role?: string }
export type AuthedRequest = NextApiRequest & { user?: JWTPayload }
export type AuthedHandler = (req: AuthedRequest, res: NextApiResponse, user: JWTPayload) => unknown

export function requireAuth(handler: AuthedHandler) {
  return async (req: AuthedRequest, res: NextApiResponse) => {
    // Accept a session cookie or an `Authorization: Bearer <token>` header; any other scheme is rejected.
    const bearer = req.headers.authorization?.match(/^Bearer\s+(\S+)$/i)?.[1]
    const token = req.cookies.token ?? bearer
    if (!token) return res.status(401).json({ error: 'Unauthorized' })
    try {
      // Pin the algorithm: never let the token's own header choose how it is verified.
      req.user = jwt.verify(token, process.env.JWT_SECRET!, { algorithms: ['HS256'] }) as JWTPayload
      return handler(req, res, req.user)
    } catch {
      return res.status(401).json({ error: 'Invalid token' })
    }
  }
}
Document any genuinely public endpoints with a // PUBLIC comment and a corresponding entry in your API schema.
ID: api-security.auth.endpoints-authenticated
Severity: critical
What to look for: Enumerate every API route handler (every file under pages/api or app/api in Next.js, every route registration in Express or similar). For each, look for middleware or logic that checks for valid authentication credentials (JWT tokens, session cookies, API keys, OAuth tokens) before processing the request, and confirm the check runs before any data access. Check whether public endpoints are explicitly documented with comments or configuration.
Pass criteria: Both of the following conditions are met. Every API endpoint that is not documented as public checks for valid authentication before executing business logic. Publicly accessible endpoints (if any) are explicitly marked as public and documented in code or API documentation. Before evaluating, extract and quote the relevant configuration or code patterns found. Report the count of items checked even on pass.
Fail criteria: Any API endpoint executes without checking for authentication, or unauthenticated requests receive 200 responses instead of 401 Unauthorized.
Do NOT pass when: The item exists only as a placeholder, stub, or TODO comment — partial implementation does not count as passing.
Skip (N/A) when: The application has no API endpoints or does not expose any APIs to external consumers.
Cross-reference: For related security patterns, the Security Headers audit covers server-side hardening.
Detail on fail: Name the unprotected endpoints. Example: "GET /api/users, POST /api/posts accept requests without authentication tokens" or "No auth middleware on any API routes — all endpoints return data to unauthenticated requests"
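A static sweep that applies these pass/fail rules to a Next.js pages/api tree, as an added example (not the page's code or any project's tool): each handler source is classified as protected, PUBLIC (documented opt-out), stub (auth exists only as a TODO) or unprotected, and the result reports the count checked plus a fail detail naming the routes. The handler sources are constructed inline, and the wrapper names it recognises as "auth" are an assumption to edit for the project's own helper.

```javascript
// Added example (not the page's code): static audit of API handlers for an
// auth wrapper, a documented PUBLIC opt-out, or a TODO placeholder.
const AUTH_WRAPPERS = ['requireAuth', 'authMiddleware', 'withAuth']; // assumed names

// Constructed sample tree: file path -> source text.
const SAMPLE_FILES = {
  'pages/api/users.ts': `
import { requireAuth } from '@/lib/auth'
export default requireAuth(async (req, res, user) => {
  res.json(await db.user.findMany())
})`,
  'pages/api/health.ts': `
// PUBLIC: liveness probe, returns no data
export default function handler(req, res) { res.json({ ok: true }) }`,
  'pages/api/posts.ts': `
export default async function handler(req, res) {
  res.json(await db.post.findMany())
}`,
  'pages/api/admin/config.ts': `
// TODO: wrap in requireAuth before launch
export default async function handler(req, res) { res.json(config) }`,
  'pages/api/orders/[id].ts': `
import { requireAuth } from '@/lib/auth'
export default requireAuth(async (req, res, user) => {
  res.json(await db.order.findFirst({ where: { id: req.query.id, ownerId: user.sub } }))
})`,
};

// pages/api/orders/[id].ts -> /api/orders/[id]; index files map to their directory.
function routeFromPath(file) {
  return '/' + file.replace(/^pages\//, '').replace(/\.[jt]sx?$/, '').replace(/\/index$/, '');
}

// Classify one handler. Comments are stripped before looking for the wrapper so a
// commented-out `export default requireAuth(` does not count; PUBLIC must be a comment.
function classifyHandler(file, src) {
  const isPublic = /\/\/\s*PUBLIC\b/.test(src);
  const code = src.replace(/\/\/.*$/gm, '');
  const wrapped = AUTH_WRAPPERS.some((w) =>
    new RegExp(`export\\s+default\\s+${w}\\s*\\(`).test(code));
  let status = 'unprotected';
  if (wrapped) status = 'protected';
  else if (isPublic) status = 'public';
  else if (/\bTODO\b/.test(src)) status = 'stub';
  return { file, route: routeFromPath(file), status };
}

// Run the check over a tree and produce the verdict plus a "detail on fail" line.
function auditApiTree(files) {
  const results = Object.entries(files).map(([f, src]) => classifyHandler(f, src));
  const findings = results.filter((r) => r.status === 'unprotected' || r.status === 'stub');
  const publicCount = results.filter((r) => r.status === 'public').length;
  const detail = findings.length === 0
    ? `${results.length} handlers checked; all verify authentication (${publicCount} documented PUBLIC)`
    : findings.map((f) => `${f.route} (${f.status === 'stub' ? 'auth is a TODO placeholder' : 'no auth check'})`)
        .join(', ') + ' execute without authentication';
  return { checked: results.length, findings, verdict: findings.length === 0 ? 'pass' : 'fail', detail };
}

module.exports = { SAMPLE_FILES, routeFromPath, classifyHandler, auditApiTree };
```

A static sweep like this catches handlers that were never wrapped; it does not prove the wrapper itself is sound, so pair it with a runtime probe that sends a request with no token to every enumerated route and fails on anything other than 401.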
Remediation: Implement authentication middleware that runs before route handlers. All endpoints should verify that a valid token or session exists and reject requests without one:
// pages/api/users.ts (Next.js)
import { requireAuth } from '@/lib/auth'
import { db } from '@/lib/db' // your Prisma (or other) client; path assumed
export default requireAuth(async (req, res, user) => {
  // user is the verified token payload; unauthenticated requests never reach this point
  const users = await db.user.findMany()
  res.json(users)
})
Or, in Express, register a (req, res, next) version of the same check as router-level middleware. Express runs middleware in registration order, so this line must appear before any /api route is declared, and any route that must stay public is either registered above it or allowlisted inside requireAuth:
app.use('/api', requireAuth) // must precede every app.get('/api/...') / app.post('/api/...') registration
Document any intentionally public endpoints in your API schema or comments.