Why API security is different
Why APIs are attacked differently from web pages, and a map of the ten risks you are about to learn.
The front door with no receptionist
A web page renders for a human; an API answers a program. There is no UI to hide an id, no form to constrain a value, and an attacker can replay, fuzz, and enumerate your endpoints at machine speed. The browser was never the security boundary — the server is.
The OWASP API Security Top 10 is the community-built list of the most critical API risks. Learn the category and you can recognize a hundred variations across REST, GraphQL, and gRPC.
Authorization is the recurring theme. Five of the ten API risks are some flavor of broken authorization: the right user reaching the wrong object, field, or function. Authentication proves who you are. Authorization proves you may do this specific thing. The server must enforce both.
The OWASP API Security Top 10 at a glance
- API1 — Broken Object Level Authorization (BOLA) — An endpoint returns or changes an object by id without checking that the caller is allowed to access it. The single most common API flaw.
- API2 — Broken Authentication — Weak login, unverified tokens, no rate limit on credential endpoints.
- API3 — Broken Object Property Level Authorization — The object is yours, but the API exposes or accepts fields you should not see or set (mass assignment).
- API4 — Unrestricted Resource Consumption — No rate, size, or cost limits, so one caller can exhaust CPU, memory, money, or third-party quota.
- API5 — Broken Function Level Authorization (BFLA) — A regular user can call an admin or privileged function because the route never checks the caller's role.
- API6 — Unrestricted Access to Sensitive Business Flows — A flow like checkout, signup, or booking is automatable end to end.
- API7 — Server-Side Request Forgery (SSRF) — The API fetches a user-supplied URL, letting an attacker reach internal services.
- API8 — Security Misconfiguration — Verbose errors, permissive CORS, missing security headers, default settings left on.
- API9 — Improper Inventory Management — Forgotten v1 endpoints, undocumented hosts, shadow APIs.
- API10 — Unsafe Consumption of APIs — Trusting the data and behavior of third-party APIs you call.
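The three authorization categories above (API1, API3 and API5) share one fix: the server looks up the object, then decides against the caller's verified identity. The following is an added example, not code from the original lesson; the in-memory order store, the field names and the Caller/role model are all constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Caller:
    """Identity taken from the verified session or token, never from the request body."""
    user_id: str
    role: str  # "user" or "admin"

# Constructed sample data for the demo: order id -> record
ORDERS = {
    "1001": {"owner": "alice", "total": 42.00, "status": "paid"},
    "1002": {"owner": "bob",   "total": 99.50, "status": "shipped"},
}
WRITABLE_FIELDS = {"status"}  # allow-list: "owner" and "total" are never client-settable

def fetch_order_vulnerable(order_id: str) -> dict:
    """API1 (BOLA): the id comes straight from the request and the owner is
    never compared with the caller, so any authenticated user reads any order."""
    return ORDERS[order_id]

def may_access(caller: Caller, order: dict) -> bool:
    """Object-level rule: the owner or an admin. Everything else is denied."""
    return order["owner"] == caller.user_id or caller.role == "admin"

def fetch_order(caller: Caller, order_id: str):
    """Hardened read: look the object up, then authorize it against the caller."""
    order = ORDERS.get(order_id)
    if order is None or not may_access(caller, order):
        # Collapse "missing" and "not yours" into one answer so the endpoint
        # does not confirm which ids exist.
        return None
    return order

def update_order(caller: Caller, order_id: str, patch: dict):
    """Hardened write: object-level check plus API3 field allow-listing, so a
    client cannot set 'owner' or 'total' by adding them to the JSON body."""
    order = fetch_order(caller, order_id)
    if order is None:
        return None
    for field, value in patch.items():
        if field in WRITABLE_FIELDS:
            order[field] = value  # unknown or protected fields are dropped
    return order

def delete_order(caller: Caller, order_id: str) -> bool:
    """API5 (BFLA): a privileged function checks role server-side on every call."""
    if caller.role != "admin":
        return False
    return ORDERS.pop(order_id, None) is not None
```

Each hardened handler denies by default and returns the same answer for a missing object and a foreign one, which is the check a reviewer should look for on every route that takes an id.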
Key terms
- BOLA — Broken Object Level Authorization. The server returns an object identified by a request value without verifying the caller is allowed to access it.
- BFLA — Broken Function Level Authorization. A caller invokes a function or route their role should not permit.
- JWT — JSON Web Token. A signed token carrying claims about the caller. Security depends entirely on verifying the signature and the claims.
- SSRF — Server-Side Request Forgery. An attacker makes your server issue requests to destinations they choose.
Knowledge check
Why are authorization flaws so much more common in APIs than the UI alone suggests?