CheatSheetSeries

New CS proposal: API Security Cheat Sheet

Open ZMelliti opened this issue 2 months ago • 8 comments

What is the proposed Cheat Sheet about?

A comprehensive API Security Cheat Sheet that provides technology-agnostic security guidance for all types of APIs (REST, GraphQL, gRPC, WebSocket, etc.). This sheet would serve as a unified reference covering general API security principles, the OWASP API Security Top 10, and modern API security concerns while complementing existing technology-specific cheat sheets.

What security issues are commonly encountered related to this area?

  • OWASP API Security Top 10 vulnerabilities: Broken Object Level Authorization, Broken User Authentication, Excessive Data Exposure, Lack of Resources & Rate Limiting, Broken Function Level Authorization, Mass Assignment, Security Misconfiguration, Injection, Improper Assets Management, Insufficient Logging & Monitoring
  • API Gateway security misconfigurations
  • Inadequate API versioning security practices
  • Insecure API documentation exposure
  • Third-party API integration vulnerabilities
  • Webhook security issues
  • API composition and aggregation security flaws
  • Microservices API communication security gaps

What is the objective of the Cheat Sheet?

  • Provide a unified entry point for API security guidance across all API technologies
  • Address the OWASP API Security Top 10 in a consolidated, actionable format
  • Cover technology-agnostic security principles applicable to all API types
  • Bridge gaps not covered by existing technology-specific sheets (WebSocket APIs, webhooks, API gateways)
  • Serve as a quick reference for developers, security professionals, and architects
  • Cross-reference existing detailed cheat sheets (REST, GraphQL, gRPC) for specific implementations

What other resources exist in this area?

Existing OWASP CheatSheetSeries coverage:

  • REST Security Cheat Sheet (comprehensive REST-specific guidance)
  • GraphQL Cheat Sheet (GraphQL-specific security)
  • gRPC Security Cheat Sheet (gRPC-specific security)
  • Web Service Security Cheat Sheet (SOAP-focused)
  • OAuth2 Cheat Sheet (API authentication)
  • JSON Web Token for Java Cheat Sheet (token-based auth)

Gap analysis:

  • No unified API security reference covering all API types
  • Missing OWASP API Security Top 10 consolidated guidance
  • Limited coverage of modern API patterns (webhooks, API gateways, microservices)

External resources:

  • OWASP API Security Top 10 (separate project)
  • NIST SP 800-204 series on microservices security
  • Various vendor-specific API security guides

Value proposition: This cheat sheet would complement, not duplicate, existing resources by providing a high-level, cross-cutting view while referencing the detailed technology-specific guidance already available in the project.

ZMelliti (Oct 23 '25 16:10)

I worry about duplicated content (which you addressed) but I do like this idea. Especially if this cross-links to the other API Security Cheatsheets you mentioned. :)

jmanico (Oct 23 '25 21:10)

@jmanico Thanks for the feedback. I'll make sure the content stays focused and complements the existing API Security Cheat Sheets (REST, GraphQL, etc.) with appropriate cross-links. Happy to take this on if you're okay assigning me to the issue.

ZMelliti (Oct 24 '25 06:10)

Great!

jmanico (Oct 25 '25 22:10)

@jmanico Hi! I am a beginner in open source and interested in your project. How can I find you all in discord or other platforms for discussion?

Raibipasha-24 (Oct 31 '25 18:10)

@Raibipasha-24 We're in the OWASP Slack workspace (you can get an invite here) in the channel "#cheatsheets"

szh (Oct 31 '25 18:10)

We are on the OWASP Slack. But the best way to communicate with us is by opening issues here on GitHub. And if you submit PRs, please make several small PRs as opposed to one large one.

jmanico (Nov 01 '25 18:11)

Thank you so much @szh, @jmanico. I've been trying to contribute, but as a beginner I'm seeing either all the good first issues already taken or am unable to find what other issues I can contribute to based on what I know. Could you please guide me?

Raibipasha-24 (Nov 02 '25 18:11)

Hi @Raibipasha-24! I recommend checking the CONTRIBUTING.md for guidelines on how to contribute effectively.

The maintainers are very welcoming and helpful, so don't hesitate to reach out with any questions. Also, take some time to read through the existing cheat sheets thoroughly ;) This will help you identify areas for improvement and inspire your contributions.

ZMelliti (Nov 03 '25 19:11)