What Is API Security?
API security is the discipline of protecting application programming interfaces from unauthorised access, data exposure, and abuse. As organisations increasingly rely on APIs to connect services, share data, and power integrations, APIs have become both the backbone of modern architecture and a primary attack surface.
Securing APIs requires a defence-in-depth approach combining strong authentication, granular authorisation, input validation, rate limiting, encryption, monitoring, and proper inventory management.
OWASP API Security Top 10 (2023)
| Risk | Description | Mitigation |
|---|---|---|
| API1: Broken Object Level Authorisation | Accessing other users' resources by manipulating IDs | Check object ownership on every request |
| API2: Broken Authentication | Weak or missing authentication mechanisms | Strong authentication, token expiry, MFA |
| API3: Broken Object Property Level Authorisation | Exposing or allowing modification of sensitive properties | Response filtering, property-level access control |
| API4: Unrestricted Resource Consumption | No limits on API usage leading to DoS | Rate limiting, pagination, resource quotas |
| API5: Broken Function Level Authorisation | Accessing admin functions without proper authorisation | Role-based access on every endpoint |
| API6: Unrestricted Access to Sensitive Business Flows | Automated abuse of business logic (scalping, spamming) | Business logic rate limiting, CAPTCHA |
| API7: Server Side Request Forgery | API fetching resources from attacker-controlled URLs | URL validation, allowlists, network segmentation |
| API8: Security Misconfiguration | Default configs, verbose errors, missing headers | Hardening checklists, security headers |
| API9: Improper Inventory Management | Unknown or deprecated API versions still accessible | API inventory, version management, deprecation |
| API10: Unsafe Consumption of APIs | Trusting data from third-party APIs without validation | Validate all external API responses |
API Authentication Methods
| Method | Security Level | Best For | Considerations |
|---|---|---|---|
| API keys | Low | Public APIs, identification only | Easy to leak, no user context |
| Basic auth | Low | Internal/legacy systems | Sends credentials per request |
| OAuth 2.0 + JWT | High | User-facing APIs | Industry standard, scoped access |
| mTLS | Very high | Service-to-service | Strong identity, complex setup |
| HMAC signatures | High | Webhook verification | Tamper-proof, replay protection |
| API tokens (short-lived) | High | Machine-to-machine | Auto-rotation, minimal exposure |
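The "HMAC signatures" row above promises tamper-proofing and replay protection; the following added example (not code from the original page) shows how both are obtained for webhook verification: an HMAC-SHA256 over a timestamp plus body, a constant-time comparison, an acceptance window, and a seen-signature set. The secret, the `"<timestamp>.<body>"` message format and the 300-second window are constructed assumptions for the example.

```python
import hashlib
import hmac
import time
from typing import Optional, Set

# Constructed secret for the example; a real deployment issues one per webhook endpoint.
WEBHOOK_SECRET = b"example-shared-secret"
# Requests whose timestamp is further than this from the receiver's clock are rejected,
# which bounds how long a captured request stays replayable.
MAX_SKEW_SECONDS = 300


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<body>" (constructed message format).

    Binding the timestamp into the MAC means an attacker cannot move a captured
    signature onto a fresh timestamp without the secret.
    """
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp: int, body: bytes, signature: str,
                   now: Optional[int] = None, seen: Optional[Set[str]] = None) -> bool:
    """Return True only if the body is untampered and the request is not a replay."""
    now = int(time.time()) if now is None else now
    # Replay protection, part 1: reject anything outside the acceptance window.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_webhook(secret, timestamp, body)
    # Tamper protection: constant-time comparison so a mismatch does not leak
    # how many leading characters matched.
    if not hmac.compare_digest(expected, signature):
        return False
    # Replay protection, part 2: inside the window, each signature is accepted once.
    if seen is not None:
        if signature in seen:
            return False
        seen.add(signature)
    return True
```

In production the `seen` set lives in a shared store with a TTL of at least `MAX_SKEW_SECONDS`, so every gateway instance rejects the same replay.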
API Security Controls
| Control Layer | Controls | Purpose |
|---|---|---|
| Gateway | Authentication, rate limiting, WAF, TLS termination | Centralised enforcement point |
| Transport | TLS 1.2+, certificate pinning, mTLS | Protect data in transit |
| Authentication | OAuth 2.0, JWT validation, API key management | Verify caller identity |
| Authorisation | RBAC/ABAC, scope validation, object-level checks | Enforce access policies |
| Input validation | Schema validation, type checking, sanitisation | Prevent injection attacks |
| Output filtering | Response filtering, data masking, field selection | Prevent data exposure |
| Rate limiting | Per-key, per-user, per-endpoint limits | Prevent abuse and DoS |
| Monitoring | Request logging, anomaly detection, alerting | Detect and respond to threats |
API Gateway Architecture
| Component | Function | Security Value |
|---|---|---|
| Reverse proxy | Routes requests to backend services | Hides internal architecture |
| Authentication service | Validates tokens and credentials | Centralised identity verification |
| Rate limiter | Enforces usage quotas | DoS protection |
| Request validator | Validates against API schema | Input security |
| Response transformer | Filters sensitive data from responses | Data exposure prevention |
| WAF integration | Inspects for common attack patterns | OWASP protection |
| Logging/analytics | Records all API transactions | Audit trail and monitoring |
API Versioning and Lifecycle
| Phase | Security Activities | Controls |
|---|---|---|
| Design | Threat modelling, security requirements | Secure-by-design review |
| Development | Secure coding, SAST, dependency scanning | Code review with security focus |
| Testing | DAST, fuzzing, penetration testing | Pre-release security validation |
| Deployment | Gateway configuration, monitoring setup | Security controls active |
| Operation | Monitoring, incident response, patching | Continuous security posture |
| Deprecation | Version sunset, migration support | Remove access to deprecated versions |
| Retirement | Complete decommission | Verify no residual access |
Compliance Requirements
Framework Mapping
| Requirement | ISO 27001 | SOC 2 | NIS2 | DORA |
|---|---|---|---|---|
| Secure development | A.8.25 | CC8.1 | Art. 21(2)(e) | Art. 8(1) |
| Authentication controls | A.8.5 | CC6.1 | Art. 21(2)(d) | Art. 9(4)(d) |
| Access control | A.5.15 | CC6.1 | Art. 21(2)(d) | Art. 9(4)(a) |
| Encryption in transit | A.8.24 | CC6.7 | Art. 21(2)(d) | Art. 9(2) |
| Logging and monitoring | A.8.15 | CC7.2 | Art. 21(2)(b) | Art. 10 |
| Input validation | A.8.28 | CC8.1 | Art. 21(2)(e) | Art. 8(1) |
| Third-party API security | A.8.30 | CC9.2 | Art. 21(2)(d) | Art. 8(5) |
Audit Evidence
| Evidence Type | Description | Framework |
|---|---|---|
| API inventory | Complete list of all APIs with owners and classifications | All frameworks |
| Authentication configuration | API gateway auth settings and token policies | All frameworks |
| Rate limiting configuration | Documented limits per endpoint and consumer | ISO 27001, SOC 2 |
| API security scan reports | DAST results against API endpoints | All frameworks |
| API access logs | Logged requests with authentication and authorisation | All frameworks |
| API versioning policy | Documented lifecycle and deprecation process | ISO 27001, DORA |
| Input validation rules | Schema definitions and validation configurations | All frameworks |
Common Mistakes
| Mistake | Risk | Fix |
|---|---|---|
| No API inventory | Shadow APIs with no security controls | Maintain complete API inventory with ownership |
| Authentication at application only | Inconsistent enforcement across services | Centralise auth at API gateway |
| No rate limiting | DoS, credential stuffing, resource exhaustion | Implement rate limits at gateway and application levels |
| Returning full objects | Excessive data exposure to clients | Filter responses to return only required fields |
| No input validation | Injection attacks, data corruption | Validate all inputs against API schema |
| API keys in URLs | Keys exposed in logs, browser history, referrer headers | Send API keys in headers, never in URLs |
| No API versioning | Cannot deprecate insecure versions | Version all APIs, enforce deprecation timelines |
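The "Returning full objects" mistake above, together with the API1 (object-level) and API3 (property-level) rows of the OWASP table, is easiest to see as a handler pair. This is an added example, not code from the original page: the `Invoice` record, its in-memory store, the caller identity and the field allowlist are all constructed for the illustration.

```python
from dataclasses import asdict, dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: float
    internal_margin: float  # sensitive: must never reach a client


# Constructed store: invoice 1 belongs to user 10, invoice 2 to user 20.
INVOICES: Dict[int, Invoice] = {
    1: Invoice(id=1, owner_id=10, amount=99.0, internal_margin=0.30),
    2: Invoice(id=2, owner_id=20, amount=50.0, internal_margin=0.20),
}

# Property-level allowlist (API3 mitigation): the only fields a client may receive.
CLIENT_FIELDS = ("id", "amount")


def get_invoice_insecure(invoice_id: int, caller_id: int) -> Tuple[int, dict]:
    """Vulnerable handler: trusts the ID from the URL and returns the whole object.

    Any authenticated caller can read any invoice (API1) and sees owner_id and
    internal_margin (API3). caller_id is accepted but never consulted.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, {"error": "not found"}
    return 200, asdict(inv)


def get_invoice(invoice_id: int, caller_id: int) -> Tuple[int, dict]:
    """Hardened handler: ownership check on every request, then field filtering."""
    inv = INVOICES.get(invoice_id)
    # Object-level check (API1). Missing and foreign objects get the same answer,
    # so the status code does not confirm which IDs exist.
    if inv is None or inv.owner_id != caller_id:
        return 404, {"error": "not found"}
    # Build the response from the allowlist, not from the full object.
    return 200, {field: getattr(inv, field) for field in CLIENT_FIELDS}
```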
How Orbiq Supports API Security Compliance
Orbiq helps you demonstrate API security controls:
- Evidence collection — Centralise API inventories, scan reports, and configuration evidence
- Continuous monitoring — Track API security posture and vulnerability trends
- Trust Center — Share your API security posture via your Trust Center
- Compliance mapping — Map API security controls to ISO 27001, SOC 2, NIS2, and DORA
- Audit readiness — Pre-built evidence packages for auditor review