Security

TLS, input validation, CORS, AuthN/AuthZ, OAuth 2, OpenID, SAML — the security surface every API designer owns.

8 items: 5 Foundational, 3 Intermediate

An API's security surface is wider than most engineers realise. TLS protects the wire. Input validation stops injection at the boundary. The browser's same-origin policy keeps one site from reading another's responses; CORS is the controlled relaxation of that policy, and a careless CORS configuration hands a cross-origin attacker exactly what the policy was withholding. Authentication answers who you are; authorisation answers what you can do. OAuth 2 is the framework most modern APIs use to hand out access tokens; OpenID Connect adds identity on top; SAML is the older enterprise SSO standard.

Get any one of these wrong and your API is on the front page tomorrow. The point of this topic is to give you the checklist and the why behind each item.

Key concepts

  • TLS is non-negotiable for any API touching the public Internet; mTLS for service-to-service when it matters
  • Input validation is at the boundary — validate, normalise, reject early
  • Authentication is identity; authorisation is permissions — never conflate the two
  • OAuth 2 is an authorisation framework, not an authentication protocol; OIDC adds identity on top
  • CORS is enforced by the browser, not by the API: it controls which origins' scripts may read a response, not who may send a request, so it is never a substitute for authentication and authorisation (non-browser clients ignore it entirely)

Reference template

// API security checklist
1. TLS everywhere                       (cert lifecycle automated)
2. Validate every input at the boundary (schema + length + type + value range)
3. Authenticate every request           (OAuth 2 / mTLS / API key — pick one)
4. Authorise per resource               (scopes + per-resource policy)
5. Rate limit per principal             (auth-aware buckets)
6. Audit every mutation                 (who, when, what changed)

Adapt to your problem; the structure is the load-bearing part.
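
Item 2 of the checklist, worked as an added example rather than code from the original page: a Python validator that does schema, type, length, range and normalisation in one place, with an API controller and a webhook handler both calling it so neither entry point can skip it. The TransferRequest fields, the account-id format and the limits are assumptions made for the illustration.

```python
# Added example (not the page's own code): one validator shared by every entry
# point, so a webhook handler cannot skip the checks the controller performs.
# The TransferRequest schema, limits and both handlers are constructed here.
import re
import unicodedata
from dataclasses import dataclass

ACCOUNT_ID_RE = re.compile(r"[a-z]{3}-[0-9]{8}")  # assumed format: gbp-12345678
MAX_AMOUNT_CENTS = 100_000_00                    # assumed cap: 100,000.00
MAX_MEMO_CHARS = 140
ALLOWED_FIELDS = frozenset({"account_id", "amount_cents", "memo"})


class ValidationError(ValueError):
    """Raised at the boundary; handlers map it to HTTP 400 and never act on the payload."""


@dataclass(frozen=True)
class TransferRequest:
    account_id: str
    amount_cents: int
    memo: str


def _require_int(value: object, name: str) -> int:
    # bool is a subclass of int in Python, so isinstance(True, int) is True:
    # reject it explicitly or "amount_cents": true would be accepted as 1.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError(f"{name}: expected integer")
    return value


def parse_transfer(payload: object) -> TransferRequest:
    """Schema + type + length + range in one place. Anything not listed is rejected."""
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    for required in ("account_id", "amount_cents"):
        if required not in payload:
            raise ValidationError(f"{required}: missing")

    account_id = payload["account_id"]
    # fullmatch, not match() with a trailing $: $ also matches before a final newline.
    if not isinstance(account_id, str) or not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValidationError("account_id: malformed")

    amount = _require_int(payload["amount_cents"], "amount_cents")
    if not 1 <= amount <= MAX_AMOUNT_CENTS:
        raise ValidationError("amount_cents: out of range")

    memo = payload.get("memo", "")
    if not isinstance(memo, str):
        raise ValidationError("memo: expected string")
    # Normalise once (NFC) so the length limit and later comparisons see one form,
    # then drop control and format characters that log and terminal injection rely on.
    memo = unicodedata.normalize("NFC", memo)
    memo = "".join(ch for ch in memo if unicodedata.category(ch)[0] != "C")
    if len(memo) > MAX_MEMO_CHARS:
        raise ValidationError("memo: too long")

    return TransferRequest(account_id, amount, memo)


def handle_api_request(body: object) -> tuple[int, str]:
    """Controller entry point: validate first, then hand a typed object to business logic."""
    try:
        req = parse_transfer(body)
    except ValidationError as exc:
        return 400, str(exc)
    return 202, f"queued {req.amount_cents} to {req.account_id}"


def handle_webhook(body: object) -> tuple[int, str]:
    """Webhook entry point: same validator, same rejection path. The pitfall is a
    webhook that trusts the sender and goes straight to the business logic."""
    try:
        req = parse_transfer(body)
    except ValidationError as exc:
        return 400, str(exc)
    return 202, f"queued {req.amount_cents} to {req.account_id}"
```

Business logic only ever receives a `TransferRequest`, never the raw dict, so there is no second place where an unchecked field can be read.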

Common pitfalls

  • TLS 1.0/1.1 still enabled because 'one client needs it' — they don't
  • Validation done in the controller but skipped in a webhook handler
  • OAuth 2 implicit flow used in a browser SPA in 2026; use Authorization Code + PKCE
  • CORS wildcards, or reflecting whatever Origin the request carries, in production because dev-mode pain leaked into the YAML

Items (8)

  • API Security — An Overview

    The threat model: authentication, authorization, integrity, confidentiality, availability. What an API designer owns.

    Concept Foundational
  • Transport Layer Security (TLS)

    TLS 1.2 vs 1.3 handshake, cert chains, mTLS, the cost of a TLS terminator, why HTTPS is non-negotiable.

    Building Block Foundational
  • Securing APIs Using Input Validation

    Validate at the boundary, reject early, normalise once. SQL/NoSQL injection, type confusion, the OWASP API top-10.

    Building Block Foundational
  • CORS — Cross-Origin Resource Sharing

    The same-origin policy, preflight, Access-Control-Allow-*, credentials, the wildcard that breaks production.

    Building Block Intermediate
  • Authentication vs Authorization

    Who you are vs what you can do. The two-word vocabulary every API designer must use precisely.

    Concept Foundational
  • OAuth 2 — The Authorization Framework

    Authorization Code + PKCE, refresh tokens, scopes, the four roles. The protocol every modern API uses and gets wrong half the time.

    Building Block Intermediate
  • OpenID Connect and SAML

    OIDC layers identity on OAuth; SAML is the older enterprise SSO. When to pick each, and why both still ship in 2026.

    Building Block Intermediate
  • API Security — A High-Level Recap

    The checklist: TLS, validate, AuthN, AuthZ, rate limit, audit. The mnemonic an API designer carries into every review.

    Concept Foundational