OpenClaw LaunchOpenClaw Launch
🔐

API Security Checklist

Verified

by Community

Provides a thorough API security audit checklist covering authentication, authorization, input validation, rate limiting, logging, and common vulnerability prevention.

securityAPIRESTauthenticationOWASPchecklist

API Security Checklist

Comprehensive security checklist for REST and GraphQL APIs. Covers every layer from authentication and authorization to input validation, rate limiting, and incident response.

Usage

Describe your API architecture and current security measures. The checklist evaluates your implementation against OWASP API Security Top 10 and industry best practices, identifying gaps and providing specific fixes.

Parameters

  • API type: REST, GraphQL, gRPC, or WebSocket
  • Auth method: JWT, OAuth 2.0, API keys, or Session-based
  • Stage: Design phase, Development, Pre-launch audit, or Production review
  • Sensitivity: Public data, User data, Financial, or Healthcare/regulated

Examples

  1. JWT Implementation Review: Audit JWT token handling — algorithm enforcement (RS256 over HS256), expiration settings, refresh token rotation, and token revocation strategy.
  1. GraphQL Security: Address GraphQL-specific risks — query depth limiting, complexity analysis, introspection disabling in production, and N+1 query prevention.
  1. Public API Launch: Pre-launch checklist for a developer-facing API covering key management, rate limiting tiers, abuse detection, webhook security, and API versioning strategy.
  1. OWASP Top 10 Audit: Systematic review against OWASP API Security Top 10 (2023) with specific code patterns to check and test cases to run for each vulnerability class.

Guidelines

  • Authentication checks cover token validation, session management, and credential storage
  • Authorization verifies BOLA/IDOR prevention with object-level access control tests
  • Input validation covers type checking, length limits, regex patterns, and injection prevention
  • Rate limiting is implemented per-user, per-IP, and per-endpoint with appropriate limits
  • Error responses don't leak internal details (stack traces, database errors, file paths)
  • Logging captures security-relevant events without logging sensitive data (passwords, tokens)
  • CORS configuration restricts origins to known domains, not wildcard in production
  • Data exposure is minimized — responses contain only the fields the client needs
  • Transport security enforces HTTPS-only with HSTS and certificate pinning for mobile
  • Dependency scanning checks for known vulnerabilities in API framework and libraries

More Security Skills

shield
1Claw

HSM-backed vault for agent secrets; store, rotate, share securely.

shield
1Password

Set up and use 1Password CLI (op).

shield
Auditing Appstore Readiness

Audit an iOS app repo.

shield
Authensor Gateway

Fail-safe policy gate for OpenClaw marketplace skills.