How I Secure APIs — Practical Steps I Use Every Day

This content originally appeared on DEV Community and was authored by Gimhan Rajapaksha

When I started building APIs, I often focused only on making features work. Security? That came later.

But the hard truth is — security can’t wait. Over the years, I’ve learned that securing APIs isn’t about one big fix; it’s about layering small but critical practices.

Here’s my step-by-step approach:

1. 🔐 Always Use HTTPS

  • HTTP sends everything in plain text (yes, even your passwords): credentials, tokens and response bodies are readable by anyone on the network path.
  • HTTPS (HTTP over TLS) encrypts data in transit and lets the client verify that it is talking to the real server. That certificate check is what actually defeats man-in-the-middle attacks, so never disable certificate verification in clients "just for testing".
  • Redirect plaintext requests to HTTPS and send a Strict-Transport-Security (HSTS) header, so browsers stop making even the first plaintext request.

👉 Rule I follow: Never send sensitive data over HTTP.
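The plaintext-request handling described above, as an added example that is not code from the original post. The canonical host name, the one-year HSTS value and the "behind a trusted proxy" flag are assumptions made for the example; the security points it encodes are that a forged X-Forwarded-Proto must not be trusted unless your own TLS-terminating proxy set it, that safe methods are redirected, and that a POST body which already arrived in plaintext is refused rather than redirected (a 307/308 would only make the client resend the same secrets).

```python
"""Plaintext-request handling for an API origin (added example).

Decides what to do with a request that arrived over HTTP: redirect safe
methods, refuse the rest, and stamp HSTS on every HTTPS response so
browsers stop sending the first plaintext request at all.
"""
from dataclasses import dataclass, field

PASS = 0  # status meaning "let the request through to the handler"
CANONICAL_HOST = "api.myapp.com"  # assumption for the example; never build the
                                   # redirect target from the client's Host header
HSTS = "max-age=31536000; includeSubDomains"  # one year; add "preload" only
                                               # after submitting to the preload list


@dataclass
class Decision:
    status: int
    headers: dict = field(default_factory=dict)


def effective_scheme(socket_scheme, headers, behind_trusted_proxy):
    """Scheme the *client* used.

    X-Forwarded-Proto is just a header any client can send, so it is only
    honoured when our own TLS-terminating proxy is known to set it.
    Header names are expected lower-cased, as most frameworks deliver them.
    """
    if behind_trusted_proxy and "x-forwarded-proto" in headers:
        return headers["x-forwarded-proto"].split(",")[0].strip().lower()
    return socket_scheme.lower()


def enforce_https(method, path, socket_scheme, headers, behind_trusted_proxy=False):
    """Return PASS (with the HSTS header) for TLS requests, otherwise a
    redirect for GET/HEAD or a 426 Upgrade Required for everything else."""
    scheme = effective_scheme(socket_scheme, headers, behind_trusted_proxy)
    if scheme == "https":
        return Decision(PASS, {"Strict-Transport-Security": HSTS})
    if method in ("GET", "HEAD"):
        # Safe methods carry no body, so redirecting leaks nothing more.
        return Decision(301, {"Location": f"https://{CANONICAL_HOST}{path}"})
    # A POST/PUT/PATCH body that arrived in plaintext has already been exposed.
    # Redirecting would make the client resend the same secrets; refuse instead
    # and let the client fix its base URL. RFC 7231 requires an Upgrade header
    # on a 426.
    return Decision(426, {"Upgrade": "TLS/1.2, HTTP/1.1", "Connection": "Upgrade"})
```

Wire `enforce_https` in as the first middleware, before authentication, so a token never reaches a handler over plaintext; set `behind_trusted_proxy=True` only when the listener is reachable exclusively through your own load balancer.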

2. 🔑 Authentication & Authorization with OAuth + OIDC

  • OAuth 2.0 handles authorization: it issues access tokens that say which resources and scopes a client may use on the user's behalf.
  • OpenID Connect (OIDC) adds authentication on top of OAuth 2.0: it issues an ID token that tells the client application who the user is. The API validates the access token, not the ID token (the ID token's audience is the client, not the API).
  • Validate every token on every request: signature against the issuer's published keys, issuer, audience (it must be your API), and expiry. A token that merely parses proves nothing.
  • I enforce the principle of least privilege:
    • Users only get access to the exact endpoints they need: every endpoint declares the scope or role it requires, and any endpoint without a declared requirement is denied by default.

👉 This keeps the attack surface small and manageable.
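Token validation followed by a per-route scope check, as an added example that is not code from the original post. To stay self-contained it signs and verifies with HS256 and a shared key; a real deployment uses RS256/ES256 and fetches the issuer's public keys (JWKS) through OIDC discovery, but the claim checks and the deny-by-default route map are the same. The issuer, audience, key, route table and scope names are assumptions for the example. The algorithm is pinned server-side rather than read from the token, which is what closes the `alg: none` and key-confusion class of bugs.

```python
"""Access-token validation and per-route scope checks (added example).

Pins the algorithm server-side, verifies the signature before trusting any
claim, checks iss/aud/exp, and then maps each route to the scopes it
requires, denying anything that is not explicitly mapped.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumptions for the example: a shared HS256 key. Production uses an
# asymmetric algorithm and the issuer's JWKS; everything else below still holds.
KEY = b"demo-key-do-not-use-in-production"
ISSUER = "https://auth.myapp.com"
AUDIENCE = "https://api.myapp.com"

# Route -> scopes required. Deny-by-default: unmapped routes are unreachable.
ROUTE_SCOPES = {
    ("GET", "/v1/orders"): {"orders:read"},
    ("POST", "/v1/orders"): {"orders:write"},
    ("DELETE", "/v1/users"): {"users:admin"},
}


class TokenError(Exception):
    pass


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_token(token, key=KEY, issuer=ISSUER, audience=AUDIENCE, now=None):
    """Return the claims of a valid HS256 token, else raise TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        # We decide the algorithm; the token does not get a vote.
        if header.get("alg") != "HS256":
            raise TokenError("unexpected alg")
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise TokenError("bad signature")
        claims = json.loads(b64url_decode(body_b64))  # only read after the signature holds
    except (ValueError, TypeError) as exc:
        raise TokenError("undecodable token") from exc
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # RFC 7519: string or array
    if audience not in aud:
        raise TokenError("token not meant for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("expired or missing exp")
    return claims


def authorize(claims, method, path):
    """Least privilege: every scope the route needs must be in the token."""
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return False
    granted = set(claims.get("scope", "").split())  # space-separated, per RFC 9068
    return required <= granted


def mint_token(claims, key=KEY):
    """Stands in for the authorization server so the example runs offline."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def handle_request(token, method, path, now=None):
    """401 for a token we cannot trust, 403 for a trusted token lacking scope."""
    try:
        claims = verify_token(token, now=now)
    except TokenError:
        return 401
    return 200 if authorize(claims, method, path) else 403
```

The split between 401 and 403 matters operationally: a spike in 401s points at token problems (expiry, a rotated key, a forged token), while 403s point at a client asking for more than its scopes allow, which is exactly the signal least privilege is meant to produce.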

3. 🌐 Handle CORS Securely

  • Early on, I made the mistake of setting Access-Control-Allow-Origin: *, which lets a script on any website read the API's responses from a user's browser.
  • Now, I explicitly whitelist trusted origins (e.g., https://myapp.com) and compare scheme, host and port exactly. Prefix, suffix or substring matching is a classic bypass: https://myapp.com.evil.net contains the trusted name.
  • Never echo back whatever Origin the request carried, and never combine that with Access-Control-Allow-Credentials: true. Reflecting the origin is worse than the wildcard, because browsers refuse credentials with * but will happily send them to a reflected origin.
  • CORS protects users, not the server: it stops other origins' scripts from reading your responses in the browser. It is not authentication, and non-browser clients ignore it entirely.

👉 No wildcard * in production.
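An exact-match origin allowlist beside the substring shortcut it replaces, as an added example that is not code from the original post. The allowed origins (the post's https://myapp.com plus an assumed admin origin), the method and header lists and the preflight cache time are assumptions for the example. It never reflects an unknown origin, treats a missing or "null" Origin as nothing to grant, and always emits Vary: Origin so a shared cache cannot serve one origin's answer to another.

```python
"""CORS origin allowlisting for an API (added example).

Exact-match allowlist, no reflection of untrusted origins, Vary: Origin so
caches do not leak one origin's answer to another, and a preflight response
limited to the methods and headers the API actually uses.
"""

# Assumptions for the example: the post's https://myapp.com plus an admin UI.
ALLOWED_ORIGINS = frozenset({"https://myapp.com", "https://admin.myapp.com"})
ALLOWED_METHODS = "GET, POST, PUT, DELETE"
ALLOWED_HEADERS = "Authorization, Content-Type"
PREFLIGHT_MAX_AGE = "600"  # seconds a browser may cache the preflight result


def origin_allowed(origin):
    """Exact comparison of scheme + host + port. Anything looser is a bypass."""
    return origin in ALLOWED_ORIGINS


def naive_origin_allowed(origin):
    """The tempting shortcut, kept only to show why it is wrong: it accepts
    https://myapp.com.evil.net and http://myapp.com alike."""
    return origin is not None and "myapp.com" in origin


def cors_headers(method, request_headers, with_credentials=False):
    """Headers to add to the response for this request.

    `request_headers` keys are expected lower-cased. `with_credentials` should
    be True only if the API relies on cookies; a bearer-token API does not.
    """
    out = {"Vary": "Origin"}
    origin = request_headers.get("origin")
    if origin is None:
        return out  # same-origin request or non-browser client: nothing to grant
    if not origin_allowed(origin):
        # Omit ACAO and the browser blocks the page's read. Never reflect the
        # unknown origin back, and never whitelist the literal string "null".
        return out
    out["Access-Control-Allow-Origin"] = origin
    if with_credentials:
        out["Access-Control-Allow-Credentials"] = "true"  # safe only with exact matching
    if method == "OPTIONS" and "access-control-request-method" in request_headers:
        # Preflight: advertise only what the API really supports.
        out["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        out["Access-Control-Max-Age"] = PREFLIGHT_MAX_AGE
    return out
```

Run `cors_headers` on every response, including error responses and the preflight `OPTIONS`, because a browser that receives a 401 without CORS headers reports an opaque network error and the front end cannot tell the user to log in again.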

4. ⏱️ Rate Limiting to Prevent Abuse

  • Rate limiting protects against application-layer abuse: credential stuffing, enumeration, scraping, and accidental overload from a misbehaving client. It does not stop a volumetric DDoS on its own; that is a job for the network edge or a CDN in front of the API.
  • I apply limits per API key or per authenticated user, and fall back to the client IP only for anonymous traffic. IP-based limits are weak by themselves: many users share one NAT address, and an attacker simply rotates through many. Trust X-Forwarded-For only when your own proxy set it.
  • Return 429 Too Many Requests with a Retry-After header, and give sensitive endpoints (login, token issuance, password reset) a much tighter limit than the general tier.

👉 Example: Free users = 5 requests/sec, Premium users = 15 requests/sec.
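A tiered token-bucket limiter keyed on API key or client IP, as an added example that is not code from the original post. The refill rates are the post's 5 and 15 requests per second; the burst capacity (about two seconds of traffic), the header names and the proxy handling are assumptions for the example. The clock is injected so the refill behaviour can be checked deterministically, and the key derivation honours X-Forwarded-For only behind a trusted proxy, and then only the address that proxy appended, not whatever the client pre-filled.

```python
"""Tiered token-bucket rate limiting keyed on API key or client IP (added example).

Refill rates are the post's tiers (5 and 15 requests/s); bucket capacity
(burst), header names and the proxy handling are assumptions for the example.
"""
import math
import time
from dataclasses import dataclass

TIERS = {"free": 5.0, "premium": 15.0}   # sustained requests per second
BURST = {"free": 10, "premium": 30}      # bucket capacity: roughly 2 s of traffic


@dataclass
class Verdict:
    allowed: bool
    remaining: int
    retry_after: int  # whole seconds, for the Retry-After header on a 429

    def headers(self):
        h = {"X-RateLimit-Remaining": str(self.remaining)}
        if not self.allowed:
            h["Retry-After"] = str(self.retry_after)
        return h


class TokenBucketLimiter:
    """One bucket per key. `clock` is injectable so the maths is testable.
    In production the bucket state lives in a shared store (e.g. Redis) so
    every API replica enforces the same budget."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}  # key -> (tokens, last_seen)

    def check(self, key, tier):
        rate, capacity = TIERS[tier], BURST[tier]
        now = self.clock()
        tokens, last = self.buckets.get(key, (float(capacity), now))
        tokens = min(float(capacity), tokens + (now - last) * rate)  # lazy refill
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return Verdict(True, int(tokens - 1.0), 0)
        self.buckets[key] = (tokens, now)
        # Seconds until one whole token is available again, rounded up.
        return Verdict(False, 0, math.ceil((1.0 - tokens) / rate))


def client_key(headers, peer_ip, behind_trusted_proxy=False):
    """Prefer the API key (stable across IPs and NAT); otherwise the client IP.

    X-Forwarded-For is client-controlled, so it is honoured only behind our own
    proxy, and then the right-most address (the one that proxy appended), never
    the left-most one the client may have pre-filled. Header keys lower-cased.
    """
    api_key = headers.get("x-api-key")
    if api_key:
        return f"key:{api_key}"
    if behind_trusted_proxy and "x-forwarded-for" in headers:
        return "ip:" + headers["x-forwarded-for"].split(",")[-1].strip()
    return f"ip:{peer_ip}"
```

A bucket's worth of headroom is what lets a legitimate client send a short burst (a page load firing several calls at once) without being throttled, while the refill rate still caps the sustained volume at the tier's figure.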

✅ My Security Checklist

Area                 Technique Used                  Purpose
Transport Security   HTTPS (TLS) + HSTS              Encrypt and authenticate data in transit
Auth/Authz           OAuth 2.0 + OIDC                Secure identity & access
Access Control       Principle of Least Privilege    Minimize exposure
Cross-Origin         CORS Whitelisting               Limit which browser origins can read responses
Abuse Prevention     Rate Limiting                   Maintain availability

Final Thoughts

API security isn’t optional — it’s essential.

These practices have become my personal checklist:

  • Encrypt everything with HTTPS
  • Authenticate and authorize with OAuth + OIDC
  • Lock down access with least privilege
  • Be strict with CORS
  • Protect availability with rate limits

If you’re just starting out, adopt these early. Trust me, it’s a lot harder to patch security holes later.


Gimhan Rajapaksha | Sciencx (2025-09-23T23:32:14+00:00) How I Secure APIs — Practical Steps I Use Every Day. Retrieved from https://www.scien.cx/2025/09/23/how-i-secure-apis-practical-steps-i-use-every-day/
