Core API vulnerability types: BOLA (Broken Object Level Authorization) — a user accessing objects with other users' IDs, Broken Authentication, Excessive Data Exposure (returning more data than needed), and missing Rate Limiting. All API endpoints must require authentication — an open endpoint is only acceptable if it's intentionally public.
JWT security: algorithm HS256 or RS256, the secret key must be strong, short token lifetime (15–60 minutes), refresh token rotation. Rate limiting — throttle middleware for every endpoint. Input validation — always validate request body and query parameters. CORS — only permitted origins should be accepted. API versioning lets you remove old vulnerable endpoints.
Our courses on this topic