API Security Checklist
API Security Checklist for SaaS Teams

A practical checklist for reviewing API authorization, authentication, object-level access control, sensitive data exposure, rate limits, and business-critical API workflows.

Checklist

API Security Review Areas

Use these checks to review high-risk SaaS API behavior before a release, integration launch, or security review.

Authentication

  • Require authentication for private endpoints
  • Reject expired or malformed tokens
  • Validate session/token scope server-side
  • Avoid exposing authentication state through verbose errors
  • Protect login, reset, and invite flows from abuse

Authorization

  • Enforce authorization on every endpoint
  • Do not rely on frontend role checks
  • Validate role permissions server-side
  • Test standard, manager, admin, and invited user roles
  • Recheck authorization after workflow state changes

Object-Level Access Control

  • Validate object ownership on every request
  • Test IDOR/BOLA by changing object IDs
  • Confirm cross-tenant records return 403 or 404
  • Protect exports, reports, invoices, and attachments
  • Add regression tests for object ownership

Sensitive Data Exposure

  • Remove unnecessary fields from API responses
  • Avoid returning internal IDs unless required
  • Prevent leakage of emails, billing data, tokens, metadata, and hidden role fields
  • Review nested API and GraphQL responses
  • Validate error responses for sensitive details

Rate Limiting and Abuse Protection

  • Rate-limit login, signup, reset, invite, export, and search flows
  • Prevent enumeration through response differences
  • Add throttling for expensive API operations
  • Monitor repeated object-ID probing
  • Apply abuse controls per user, IP, tenant, and token

Business Logic

  • Validate server-side workflow state
  • Prevent repeated use of one-time actions
  • Protect approval, invite, billing, export, and admin workflows
  • Test bypasses using direct API calls
  • Ensure permissions cannot be upgraded through request manipulation

GraphQL API Checks

  • Disable introspection if not required
  • Validate authorization on queries and mutations
  • Check nested resolver access control
  • Test create/update/delete mutations
  • Prevent excessive query depth and data exposure

Logging and Retesting

  • Log failed authorization attempts
  • Alert on repeated cross-tenant access attempts
  • Document remediation ownership
  • Retest fixed endpoints
  • Add automated regression coverage for critical access-control paths
Common Mistakes

Common API Security Mistakes

Frontend-only authorization

Role checks in the UI without matching server-side enforcement.

Missing ownership checks

Endpoints validate login state but not object ownership or tenant boundaries.

Overly broad API responses

Responses include internal fields, hidden roles, metadata, or unrelated records.

Unsafe export endpoints

Bulk downloads skip the authorization checks used by normal views.

GraphQL resolver leakage

Nested resolvers return restricted objects after a permitted parent query.

Weak invite and role workflows

Invite, approval, or role changes can be manipulated through direct API calls.

Manual Review

When to Request a Manual Review

Automated scanners can help identify obvious misconfigurations, but they often miss IDOR/BOLA, tenant isolation issues, workflow abuse, role boundary failures, business logic flaws, and GraphQL authorization gaps.

A manual API review is useful when an API handles customer data, tenant-specific resources, billing records, exports, admin workflows, or product-critical state changes.

Next Step

Need a Manual API Security Review?

Share the API, release, or workflow you want reviewed. THF will help identify authorization flaws, sensitive data exposure, and product-specific abuse paths.