Last week, we listed 16 practices to help secure one’s APIs and described how to implement them with Apache APISIX.

Authentication: Verifies the identity of the clients calling your APIs.
Authorization: Decides what an authenticated client is allowed to do.
Data Redaction: Masks or removes sensitive fields before data leaves the system.
Encryption: Transforms data so that only parties holding the right key can read it, in transit and at rest.
Error Handling: Returns controlled responses when things go wrong, without leaking stack traces, internal paths or other sensitive details.
Input Validation and Data Sanitization: Checks that incoming data matches what the API expects and strips or rejects harmful content.
Intrusion Detection Systems: Monitor traffic for suspicious activity and raise alerts.
IP Whitelisting: Permits API access only from trusted IP addresses.
Logging and Monitoring: Keeps detailed logs and continuously watches API behaviour for anomalies.
Rate Limiting: Caps the number of requests a client can make in a given period, to prevent abuse and overload.
Secure Dependencies: Keeps third-party code up to date and free of known vulnerabilities.
Security Headers: Sets HTTP response headers that defend against attacks such as XSS and clickjacking.
Token Expiry: Gives tokens a short lifetime and renews them, so a stolen token is only useful for a limited window.
Use of Security Standards and Frameworks: Guides your API security strategy with established references rather than ad-hoc rules.
Web Application Firewall: Filters HTTP traffic to block application-layer attacks.
API Versioning: Maintains several versions of your API so clients can migrate without breaking changes.

This week, we will look at the remaining practices.
