OWASP API Risk Review Checklist
Free checklist from our API security guide
Audit your public and internal APIs against the most critical security risks for AI apps and modern SaaS.
Instructions
Work through each section for every API surface in scope. Start with the highest-risk paths: endpoints touching sensitive data, AI/model routes, admin APIs, and third-party integrations.
1. API Inventory
- All public API endpoints documented and cataloged
- All internal/private API endpoints documented
- Machine-to-machine integrations inventoried
- Third-party SaaS API connections listed with scopes
- Webhook receivers inventoried with source verification
- Shadow or undocumented APIs identified and addressed
2. Authentication
- All endpoints require authentication (no unauthenticated access to sensitive paths)
- API keys rotated on a defined schedule
- OAuth 2.0 / OIDC used for user-context API access
- Token expiration set to appropriate lifetimes (short-lived preferred)
- Service-to-service auth uses client credentials or mTLS
- Token issuance and exchange endpoints hardened
3. Authorization
- Object-level authorization enforced (BOLA / IDOR protection)
- Function-level authorization enforced (no role confusion)
- Field-level access controls prevent excessive data exposure
- Admin and support APIs restricted to appropriate roles
- AI/model endpoints scoped to authorized consumers only
- Authorization tested with automated security tests
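The object-level check in this section is the one most often missing in practice: the endpoint authenticates the caller but then looks up any record by id. The following added example (not code from the checklist's source guide; the invoice store, user ids and handler names are constructed) shows the vulnerable lookup beside the owner-scoped one, plus the kind of automated cross-tenant test the last item asks for.

```python
"""Object-level authorization (BOLA / IDOR) check with an automated test.

Added example; the data, identities and handler names are constructed.
"""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised when the record does not exist or is not visible to the caller."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: str
    amount_cents: int


# Constructed sample data: two tenants' invoices in one table.
INVOICES = {
    101: Invoice(101, "user-alice", 4200),
    102: Invoice(102, "user-bob", 9900),
}


def get_invoice_vulnerable(caller_id: str, invoice_id: int) -> Invoice:
    """Authenticated but not authorized: any caller can read any invoice id."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice(caller_id: str, invoice_id: int) -> Invoice:
    """Object-level authorization: the lookup is scoped to the caller's own records.

    Returning the same NotFound for "missing" and "not yours" keeps the endpoint
    from acting as an id-enumeration oracle.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != caller_id:
        raise NotFound(invoice_id)
    return invoice


def cross_tenant_access_allowed(handler) -> bool:
    """Automated authorization test: can bob read alice's invoice (id 101)?

    Returns True when the handler leaks across tenants, i.e. a BOLA finding.
    """
    try:
        handler("user-bob", 101)
    except NotFound:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_tenant_access_allowed(get_invoice_vulnerable))
    print("hardened handler leaks:  ", cross_tenant_access_allowed(get_invoice))
```

The test helper is the shape of check worth running in CI for every resource type: authenticate as tenant B, request tenant A's ids, and fail the build if anything comes back.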
4. Rate Limiting and Abuse Prevention
- Rate limits applied per-user, per-IP, and per-API-key
- AI/model endpoints have cost-aware rate limits
- Retry and backoff behavior documented for consumers
- Abuse detection for credential stuffing and enumeration
- Quota enforcement for high-cost operations
5. Input Validation and Data Handling
- Request schema validation enforced (reject unexpected fields)
- Response filtering prevents leaking internal data
- File upload endpoints validated for type, size, and content
- SQL injection, XSS, and command injection protections in place
- AI prompt inputs sanitized and length-limited
- Error responses do not leak stack traces or internal details
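Schema validation, prompt length limits and non-leaking error responses fit naturally in one request pipeline. The added example below (not code from the checklist's source guide; the field schema, the limits and the completion-style request body are constructed) rejects unexpected fields instead of ignoring them, bounds the prompt length, and maps every failure to a response that carries only the field and rule, never a stack trace.

```python
"""Strict request-schema validation for a JSON API body.

Added example; the schema, limits and sample bodies are constructed.
"""
import json
from typing import Any

# Constructed schema: field -> (expected type, max length for strings)
PROMPT_SCHEMA = {
    "prompt": (str, 4000),
    "max_tokens": (int, None),
    "model": (str, 64),
}
REQUIRED = {"prompt", "model"}
MAX_BODY_BYTES = 16_384


class ValidationError(ValueError):
    """Carries a client-safe message: field names and the rule, never internals."""


def validate_request(raw_body: bytes) -> dict[str, Any]:
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValidationError("request body too large")
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        raise ValidationError("body is not valid JSON")
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")

    # Reject unexpected fields rather than silently dropping them: an unknown
    # key is either a client bug or an attempt to reach a field the API never
    # meant to accept.
    unknown = set(body) - set(PROMPT_SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    missing = REQUIRED - set(body)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")

    for field, (expected_type, max_len) in PROMPT_SCHEMA.items():
        if field not in body:
            continue
        value = body[field]
        # bool is a subclass of int in Python; exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected_type):
            raise ValidationError(f"field {field!r} has wrong type")
        if max_len is not None and len(value) > max_len:
            raise ValidationError(f"field {field!r} exceeds {max_len} characters")
    if "max_tokens" in body and not (1 <= body["max_tokens"] <= 4096):
        raise ValidationError("max_tokens out of range")
    return body


def handle_request(raw_body: bytes) -> dict[str, Any]:
    """Validate and answer; failures never expose stack traces or internals."""
    try:
        body = validate_request(raw_body)
    except ValidationError as exc:
        return {"status": 400, "body": {"error": str(exc)}}
    except Exception:
        # Unexpected failure: log server-side (omitted here), answer opaquely.
        return {"status": 500, "body": {"error": "internal error"}}
    return {"status": 200, "body": {"accepted": sorted(body)}}


if __name__ == "__main__":
    print(handle_request(b'{"prompt": "hi", "model": "demo-1", "max_tokens": 16}'))
    print(handle_request(b'{"prompt": "hi", "model": "demo-1", "role": "admin"}'))
```

Validating the raw body size before parsing, and the field set before the field values, keeps the cheap rejections first; the same ordering is what an API gateway schema policy does when configured to reject unknown properties.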
6. Logging and Monitoring
- All API calls logged with identity, action, resource, and timestamp
- Authentication failures and authorization denials generate alerts
- Anomalous traffic patterns detected and flagged
- Logs retained for compliance-required duration
- API usage dashboards available to security and engineering teams
7. Upstream Trust
- Third-party API responses validated before processing
- Webhook payloads verified with signatures (HMAC, etc.)
- SaaS integration tokens scoped to minimum required permissions
- Vendor API deprecation and changelog monitored
- Fallback behavior defined for upstream API failures
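Webhook signature verification is the concrete form of the "verified with signatures" item. The added example below (not code from the checklist's source guide; the header format `t=<unix>,v1=<hex>`, the shared secret and the event body are constructed, and real providers each document their own scheme) computes an HMAC-SHA256 over the timestamp and the raw body, rejects stale timestamps to limit replay, and compares digests in constant time.

```python
"""Webhook signature verification with HMAC-SHA256 and a replay window.

Added example; the header format, secret and sample event are constructed.
"""
import hashlib
import hmac
import time
from typing import Optional

WEBHOOK_SECRET = b"constructed-shared-secret"   # in practice, from the vendor's dashboard
TOLERANCE_SECONDS = 300                         # reject signatures older than 5 minutes


def sign(payload: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Sender side: MAC over timestamp and raw body so neither can be altered."""
    msg = f"{timestamp}.".encode() + payload
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify(payload: bytes, signature_header: str, now: Optional[int] = None,
           secret: bytes = WEBHOOK_SECRET) -> bool:
    """Receiver side: parse the header, check freshness, compare in constant time.

    Runs on the raw request bytes, before any JSON parsing, so a tampered body
    is never handed to application code.
    """
    now = int(time.time()) if now is None else now
    fields = {}
    for part in signature_header.split(","):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    try:
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False            # stale or clock-skewed: treat as a replay
    expected = hmac.new(secret, f"{timestamp}.".encode() + payload,
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed event as the vendor would send it.
    body = b'{"event": "invoice.paid", "id": "evt_constructed_1"}'
    header = sign(body, int(time.time()))
    print("valid:", verify(body, header))
    print("tampered body:", verify(body + b" ", header))
```

Binding the timestamp into the MAC is what makes the tolerance window meaningful: without it, an attacker could replay a captured request with a fresh `t=` value. The timestamp check alone does not stop replay inside the window, so receivers that must be idempotent should also record seen event ids.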
Priority API Paths
| API Path / Service | Risk Level (H/M/L) | Top Finding | Remediation Owner | Target Date |
|---|---|---|---|---|
Full article: API Security Best Practices for AI Apps and Modern SaaS