API Security: Beyond OAuth and into Defense-in-Depth

Authentication is Just the Beginning

Most API security discussions focus on OAuth, JWT, and API keys. These are important, but they only answer one question: who is making this request? Real API security requires defense-in-depth across multiple layers.

The OWASP API Security Top 10 reveals common failures: broken object-level authorization, broken authentication, excessive data exposure, lack of resources and rate limiting, broken function-level authorization. Notice that most of these happen after authentication.

Layer 1: Rate Limiting and Throttling

Without rate limiting, attackers can brute force credentials, scrape your data, or simply overwhelm your infrastructure. Implement rate limits at multiple levels:

Global limits: Protect infrastructure capacity

Per-user limits: Prevent individual abuse

Per-endpoint limits: Protect expensive operations

Graduated responses: Warn, then slow, then block

Use sliding window algorithms for smoother limiting. Consider implementing exponential backoff for repeated violations.

Layer 2: Input Validation

Every piece of input is potentially malicious. Validate rigorously:

Type validation: Ensure numbers are numbers, strings are strings

Range validation: Check lengths, sizes, and numeric ranges

Format validation: Verify emails, URLs, dates match expected patterns

Business validation: Does this value make sense in context?

Schema validation libraries like Zod or Joi provide type-safe validation with clear error messages. Validate at the API boundary, not deep in business logic.

Layer 3: Authorization

Authentication tells you who someone is. Authorization determines what they can do. Most breaches exploit authorization failures.

Implement checks at multiple levels:

Can this user access this resource type?

Can this user access this specific resource instance?

Can this user perform this action on this resource?

Always check authorization server-side. Never trust client-provided user IDs or role claims without verification.

Layer 4: Request Integrity

For sensitive operations, verify request integrity with signatures. This prevents tampering and replay attacks.

Include a timestamp in signed requests and reject requests older than a few minutes. This prevents attackers from capturing and replaying legitimate requests later.

Layer 5: Response Security

What you return matters too:

Never expose internal IDs, stack traces, or system details

Filter sensitive fields from responses

Use consistent error messages that don't leak information

Set appropriate security headers (CORS, CSP, etc.)

Monitoring and Detection

Log every API request with context: who, what, when, from where, and the outcome. Use anomaly detection to identify:

Unusual access patterns

Suspicious geographic locations

Credential stuffing attempts

Data exfiltration patterns

Best Practices

Validate everything: Trust no input, ever

Check authorization everywhere: Not just at the edge

Log comprehensively: Detection requires visibility

Rate limit aggressively: Protect against abuse

Use a WAF: Block known attack patterns automatically

Encrypt sensitive payloads: Defense in depth for data

Version your APIs: Deprecate insecure endpoints