Laurent
Are translators acknowledged as contributors in those files? I think a lot are missing.
> Remove this statement altogether, as it is already covered in the "How to Prevent" section

I don't see it (same applies to other pages in the top 10,...
> The OWASP API Security Top 10 is an awareness document that expands the general [OWASP Security Top 10](https://owasp.org/www-project-top-ten/). Being an expansion, we tried to cover categories unique to APIs,...
My bad, rate limit is already mentioned at point 4, but maybe insisting on it could be good though..
Why should point 8 be an authorization problem? Couldn't automated threats be anonymous? Furthermore, if all these points are merged, won't this part be unbalanced in regard to the...
You are right, **user validation** is only briefly mentioned at point 6, while **rate limiting** is only briefly mentioned at point 4. I think (but it's my opinion), that this...
Yes, there is API Security Misconfiguration, but on a third party API, and I think this is the important point. You have to be cautious when configuring an owned API or...
> there is no natural way to limit the API to block this attack

Rate limiting is one natural way, but is not sufficient alone and must be combined with...
I totally agree with you @inonshk, except on the point that "rate limiting should be more strict to API that are consumed by machines". I personally see Rate Limiting acting...
Maybe you could delegate user input validation to the third party API. It depends if your API has to use it or not. But it is likely that your API...