New CS proposal: API Security Cheat Sheet #1865

@ZMelliti

Description

What is the proposed Cheat Sheet about?

A comprehensive API Security Cheat Sheet that provides technology-agnostic security guidance for all types of APIs (REST, GraphQL, gRPC, WebSocket, etc.). This sheet would serve as a unified reference covering general API security principles, the OWASP API Security Top 10, and modern API security concerns while complementing existing technology-specific cheat sheets.

What security issues are commonly encountered related to this area?

  • OWASP API Security Top 10 vulnerabilities: Broken Object Level Authorization, Broken User Authentication, Excessive Data Exposure, Lack of Resources & Rate Limiting, Broken Function Level Authorization, Mass Assignment, Security Misconfiguration, Injection, Improper Assets Management, Insufficient Logging & Monitoring
  • API Gateway security misconfigurations
  • Inadequate API versioning security practices
  • Insecure API documentation exposure
  • Third-party API integration vulnerabilities
  • Webhook security issues
  • API composition and aggregation security flaws
  • Microservices API communication security gaps

What is the objective of the Cheat Sheet?

  • Provide a unified entry point for API security guidance across all API technologies
  • Address the OWASP API Security Top 10 in a consolidated, actionable format
  • Cover technology-agnostic security principles applicable to all API types
  • Bridge gaps not covered by existing technology-specific sheets (WebSocket APIs, webhooks, API gateways)
  • Serve as a quick reference for developers, security professionals, and architects
  • Cross-reference existing detailed cheat sheets (REST, GraphQL, gRPC) for specific implementations

What other resources exist in this area?

Existing OWASP CheatSheetSeries coverage:

  • REST Security Cheat Sheet (comprehensive REST-specific guidance)
  • GraphQL Cheat Sheet (GraphQL-specific security)
  • gRPC Security Cheat Sheet (gRPC-specific security)
  • Web Service Security Cheat Sheet (SOAP-focused)
  • OAuth2 Cheat Sheet (API authentication)
  • JSON Web Token for Java Cheat Sheet (token-based auth)

Gap analysis:

  • No unified API security reference covering all API types
  • Missing OWASP API Security Top 10 consolidated guidance
  • Limited coverage of modern API patterns (webhooks, API gateways, microservices)

External resources:

  • OWASP API Security Top 10 (separate project)
  • NIST SP 800-204 series on microservices security
  • Various vendor-specific API security guides

Value proposition:
This cheat sheet would complement, not duplicate, existing resources by providing a high-level, cross-cutting view while referencing the detailed technology-specific guidance already available in the project.

Labels

  • ACK_WAITING: Issue waiting for acknowledgement from the core team before work on it starts.
  • HELP_WANTED: Issue for which help is wanted to do the job.
  • NEW_CS: Issue about the creation of a new cheat sheet.
