APIs power most of what users see in modern applications, and they fail in remarkably consistent ways. The same handful of mistakes show up year after year, in different products and different teams, regardless of language or framework.
Trusting Client-Side Validation
Browsers and mobile apps perform validation for usability, not for security. Anything checked only on the client gets bypassed by the simplest attacker, who sends requests directly to the API with curl or an intercepting proxy and skips the front end entirely. Every check the client performs must be repeated on the server, and the server's copy is the one that counts.
Inconsistent Authorisation Checks
Authorisation often gets implemented in middleware or controller-level decorators, and a decorator that has to be remembered on every endpoint will eventually be forgotten on one. That single endpoint becomes the soft underbelly through which an attacker accesses everything. The durable fix is default deny: a route should not be registrable without declaring its authorisation policy, so an omission fails closed rather than open.
Trusting Object IDs from the Client
An API that accepts an object identifier from the client, looks up the object, and returns it without checking that the caller is entitled to it is the textbook case of broken object level authorisation (BOLA). The pattern is so common that it is the first entry in the OWASP API Security Top 10, and with sequential integer IDs an attacker can enumerate every record in the table from a single valid request.
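As an added illustration (not code from the original article), the vulnerable lookup beside its fixed form, with the server-side re-validation of the client-supplied ID from the client-side validation point above folded in. The document store, the user and document IDs, and the NotFound exception are constructed for the example:

```python
"""Broken object level authorisation (BOLA): vulnerable lookup beside its fix.

Added example, not from the original article. The data store, users and
document records below are constructed in-line for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int
    body: str


# Constructed sample data: two users (100 and 200), each owning one document.
DOCUMENTS = {
    1: Document(id=1, owner_id=100, body="alice's tax return"),
    2: Document(id=2, owner_id=200, body="bob's medical notes"),
}


class NotFound(Exception):
    """Raised for an ID that does not exist or is not visible to the caller."""


def is_valid_document_id(raw: str) -> bool:
    """Server-side validation of the client-supplied identifier.

    The front end may already enforce "digits only", but a direct caller can
    send anything, so the API re-checks: ASCII digits only, bounded length.
    """
    return raw.isascii() and raw.isdigit() and 0 < len(raw) <= 18


def parse_document_id(raw: str) -> int:
    if not is_valid_document_id(raw):
        raise ValueError("invalid document id")
    return int(raw)


def get_document_vulnerable(raw_id: str, caller_id: int) -> Document:
    """Looks the object up by ID and returns it. There is no ownership check,
    so any authenticated caller can read any document by guessing IDs."""
    doc_id = parse_document_id(raw_id)
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def get_document_fixed(raw_id: str, caller_id: int) -> Document:
    """Same lookup, but ownership is part of the query predicate.

    Treating another user's object as not-found (rather than forbidden) avoids
    confirming to the caller that the ID exists; pick whichever fits your
    threat model, but make the check unconditional.
    """
    doc_id = parse_document_id(raw_id)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != caller_id:
        raise NotFound(doc_id)
    return doc


def demo() -> dict:
    """Bob (caller 200) requests Alice's document (ID 1) through both handlers."""
    leaked = get_document_vulnerable("1", caller_id=200).body
    try:
        get_document_fixed("1", caller_id=200)
        blocked = False
    except NotFound:
        blocked = True
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

In a real service the ownership predicate belongs in the data-access query itself (`WHERE id = ? AND owner_id = ?`), so that no handler can forget it; the same applies to tenant IDs in multi-tenant systems.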
Expert Commentary

Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
“Authorisation flaws on APIs are by far the most common critical findings I report. The bug is not interesting technically. It is just an absence of a check that should have been there.”
Excessive Data in Responses
An API endpoint that returns the entire user record when only a name and email were needed quietly leaks information into client-side code, browser caches, and any logs that capture the response. Filtering on the client does not help, since the data has already left the server. Each endpoint should serialise an explicit allowlist of fields, so that a column added to the record later is hidden by default rather than exposed by default.
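An added example (not from the original article) of the difference between serialising the whole record and serialising a per-endpoint allowlist, with a hard deny-list for fields that must never leave the server regardless of view. The user record, its field names and the two views are constructed for illustration:

```python
"""Excessive data exposure: whole-record serialisation beside an allowlist.

Added example, not from the original article. The record and views below are
constructed for illustration.
"""

# Constructed user record as it might come back from the database.
USER_RECORD = {
    "id": 42,
    "name": "Alice Example",
    "email": "alice@example.test",
    "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA",
    "mfa_secret": "JBSWY3DPEHPK3PXP",
    "internal_notes": "flagged by fraud team 2024-01",
    "address": {"street": "1 High St", "postcode": "AB1 2CD"},
}

# Each endpoint declares exactly the fields it may return. A column added to
# the record later is invisible until someone deliberately allowlists it.
VIEWS = {
    "public_profile": ("id", "name"),
    "account_settings": ("id", "name", "email", "address"),
}

# Defence in depth: fields that no view is ever allowed to include.
NEVER_RETURN = frozenset({"password_hash", "mfa_secret"})


def serialise_vulnerable(record: dict) -> dict:
    """The common mistake: hand the ORM object straight to the JSON encoder."""
    return dict(record)


def view_is_safe(view: str) -> bool:
    """True if the view's allowlist does not name any never-return field."""
    return NEVER_RETURN.isdisjoint(VIEWS[view])


def serialise(record: dict, view: str) -> dict:
    """Return only the fields the named view allowlists.

    Raises at serialisation time if a view was misconfigured to include a
    secret, so the mistake surfaces in tests rather than in production traffic.
    """
    if not view_is_safe(view):
        raise ValueError(f"view {view!r} allowlists a never-return field")
    return {k: record[k] for k in VIEWS[view] if k in record}


def leaked_fields(record: dict, view: str) -> list:
    """Fields the vulnerable serialiser exposes beyond what the view needs."""
    return sorted(set(serialise_vulnerable(record)) - set(serialise(record, view)))


if __name__ == "__main__":
    print(serialise(USER_RECORD, "public_profile"))
    print("leaked by whole-record response:", leaked_fields(USER_RECORD, "public_profile"))
```

Most web frameworks offer the same idea as a serializer or schema class; the point is that the allowlist lives on the server, per endpoint, and is the only path by which a record becomes a response.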
Rate Limiting and Resource Controls
APIs without rate limiting are exposed to credential stuffing, scraping, denial of service through resource exhaustion, and brute force against any feature that accepts repeated input: login, password reset, one-time code verification, voucher redemption. Limits need to be keyed on more than the source address, since an attacker spread across many addresses can still hammer one account or one expensive endpoint; limit per client, per target account and per resource, and return 429 with a Retry-After header so legitimate clients back off.
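An added example (not code from the original article) of a per-key token-bucket limiter, run against a constructed credential-stuffing burst from a single source address. The limits, the client keys and the injectable clock are assumptions made for the example:

```python
"""Per-key token-bucket rate limiter for an API, with a simulated attack.

Added example, not from the original article. The rate, burst size, client
keys and the fake clock below are constructed for illustration.
"""
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # tokens currently available
    updated: float  # clock reading at the last refill


class RateLimiter:
    """Token bucket: `burst` requests may arrive at once, then `rate_per_sec`
    sustained. One bucket per key (source address, account, endpoint...)."""

    def __init__(self, rate_per_sec: float, burst: int, clock=time.monotonic):
        self.rate = rate_per_sec
        self.burst = burst
        self.clock = clock          # injectable so tests are deterministic
        self.buckets: dict[str, Bucket] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = Bucket(tokens=float(self.burst), updated=now)
            self.buckets[key] = bucket
        # Refill proportionally to elapsed time, capped at the burst size.
        elapsed = now - bucket.updated
        bucket.tokens = min(float(self.burst), bucket.tokens + elapsed * self.rate)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False            # caller should respond 429 with Retry-After


class FakeClock:
    """Constructed clock so the simulation does not depend on wall time."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """50 login attempts from one address, a 3 s pause, 50 more, then a
    request from an unrelated client that must not be affected."""
    clock = FakeClock()
    limiter = RateLimiter(rate_per_sec=1.0, burst=5, clock=clock)
    attacker = "login:203.0.113.7"      # constructed source address
    burst = sum(limiter.allow(attacker) for _ in range(50))
    clock.advance(3.0)
    after_wait = sum(limiter.allow(attacker) for _ in range(50))
    other = limiter.allow("login:198.51.100.9")
    return {"burst": burst, "after_wait": after_wait, "other_client": other}


if __name__ == "__main__":
    print(demo())
```

In production the bucket state lives in a shared store (Redis is the usual choice) rather than process memory, and a login endpoint would consult two limiters, one keyed on the source address and one on the target account, so that a distributed attack against a single account is still throttled.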
Building Better Habits
Train developers on the patterns above, write code review checklists that look specifically for each one, and automate detection where possible. Apply this discipline consistently and most API security issues fade away before they ship.