API Security Cheatsheet

Always pin algorithms in an allowlist. Without it, libraries trust the alg in the token header — a known attack vector.

Warning: Without algorithms allowlist, an attacker can swap RS256 → HS256 with the public key as HMAC secret and forge tokens.

Validate iss, aud, and clock skew. clockTolerance handles cross-machine drift.

Production note: Always validate aud — a token minted for service A must not be accepted by service B. iss anchors which IdP issued the token.

When a kid (key ID) in a JWT header isn't in your cache, refresh JWKS once before failing.

Production note: Use libraries with JWKS support (jose, PyJWT 2.x, Auth0's jwks-rsa). Manual cache management is a footgun.

JWT cannot be revoked once issued. Mitigate with short TTLs (5-15 min access tokens) and refresh tokens.

Warning: Long-lived JWTs (>1 hour) without refresh flow are an outage waiting to happen — once leaked, they're valid until expiry.

Authorization Code flow with PKCE. The default for SPAs and mobile apps. PKCE prevents authz code interception.

Production note: PKCE is now recommended for confidential clients too (OAuth 2.1 draft). No reason to skip it.

Never use prefix or substring matching on redirect_uri. Parse the URI and compare host:port:path exactly.

Warning: startsWith("https://app.example.com") matches "https://app.example.com.attacker.com" — leak the auth code to the attacker.

CSRF protection for the auth flow. Tie state to the user's session.

Production note: Use a HMAC-signed state with timestamp so you can verify "this state was issued by us, recently".

Issue a new refresh token on each refresh; revoke the entire refresh chain if an old one is reused.

Production note: Refresh-token reuse detection catches stolen refresh tokens — both attacker and legit user end up logged out, but the attacker can no longer mint access tokens.

OIDC id_tokens carry user identity. Validate every claim — exp prevents replay, nonce binds to the auth request.

Warning: Skipping nonce validation enables a token-substitution attack across sessions.

Force HTTPS for 1 year, including subdomains. Preload submits to browser HSTS lists.

Warning: HSTS is sticky. Test on a subdomain before enabling site-wide; rolling back requires every visiting browser to expire the policy.

Restrict where scripts/styles/images can come from. Use script hashes or nonces, never 'unsafe-inline' or *.

Production note: Roll out with Content-Security-Policy-Report-Only first to capture violations without blocking; promote once clean.

Prevent clickjacking via iframe embedding. CSP frame-ancestors supersedes XFO in modern browsers.

Production note: Send both for maximum compatibility — older browsers ignore frame-ancestors.

Prevent browsers from MIME-sniffing responses. Mitigates a class of polyglot file attacks.

Production note: Pair with explicit Content-Type on every response. Static-asset pipelines should set both.

Limit Referer header to origin (no path) when navigating cross-origin. Default in modern browsers — set explicitly anyway.

Production note: Aggressive policies (no-referrer) can break analytics; strict-origin-when-cross-origin is the production sweet spot.

Disable powerful browser APIs your app doesn't use. Limits the blast radius of XSS.

Production note: Audit which features your app actually uses. Most APIs need none of these — disable them all.

For credentialed requests, echo back the request Origin only if it's in your allowlist. Add Vary: Origin so caches don't mix responses.

Warning: Browsers reject Access-Control-Allow-Origin: * combined with Allow-Credentials: true. Use exact origins.

Methods your endpoint supports. Don't list methods you don't implement.

Production note: Wildcard methods are NOT a thing in CORS — list each one explicitly.

Headers the browser may send on cross-origin requests. List only what your API needs.

Production note: Authorization typically needs to be allowed for token-based APIs; never wildcard headers.

Cache preflight for 10 minutes. Reduces preflight overhead for chatty APIs.

Warning: Browsers cap this (Chrome 2 hours, Firefox 24 hours). Don't set huge values expecting them to be honored.

Server config that requires client certs and validates against ClientCAs.

Production note: Authorize the peer's identity (SPIFFE ID, CN, or SAN) after the handshake — "valid cert from our CA" is not authorization.

go-spiffe SDK builds an mTLS config that reads SVIDs from the live source. Auto-rotation, no app code.

Production note: Always use the SDK's tlsconfig helpers — manual GetX509SVID() captures a snapshot and breaks rotation.

Authorize peers by SPIFFE ID prefix, not "any cert from our CA". Push the policy into OPA/Rego for clarity.

Warning: Substring matching on SPIFFE IDs is bypassable. Always parse the URI and compare exact trust domain + path prefix.

GitHub-style webhook signature header. HMAC-SHA256 over the raw request body, with a shared secret.

Production note: Always verify against the *raw* body — JSON parsing changes whitespace and breaks the signature.

Constant-time signature comparison. Prevents a timing side-channel that leaks the signature byte-by-byte.

Warning: Plain == on strings short-circuits; an attacker can measure response time to forge signatures.

Reject requests outside a small time window to prevent replay. Stripe uses ±5 minutes.

Production note: Sign the timestamp into the HMAC so an attacker can't adjust it.

The same event may be delivered multiple times. Dedupe on a unique ID provided by the sender.

Warning: Without dedupe, double-charges and double-side-effects are inevitable on networks with retries.

Configure your CDN/ingress to strip client-supplied X-Forwarded-For and emit a fresh, trusted header.

Warning: Trusting client X-Forwarded-For lets attackers cycle the value to get a fresh rate-limit bucket per request.

Apply both — per-token catches authenticated abuse, per-IP catches unauthenticated abuse from a botnet.

Production note: Token-based limits should be more generous than anonymous limits. Tie limits to billing tier where applicable.

When limited, return 429 with Retry-After so well-behaved clients back off.

Production note: Add a Retry-After-Reset header with the absolute reset time for client UX. Echo back rate-limit headers (X-RateLimit-Limit/Remaining/Reset).