
API Security

Posted on 19/5/2021 under tech api security

When I first learned how to develop APIs, my first question was how to secure them. I can't even deploy to production if I can't secure my APIs. Back then there weren't a lot of useful resources available to learn this. Recently there have been a lot of questions on how to secure APIs floating around me.

Here are some of my layman's thoughts on this.

Application level

1. Non-public endpoints must be protected with authentication and authorization schemes, this is a must. An authorization server (or the app itself) authenticates the caller and issues an access token / JWT; the API then validates that token on every request, and still checks that the authenticated caller is allowed to do what it asks (authentication alone is not authorization).

2. Enforce HTTPS, this is a must. Reject plain HTTP on API endpoints rather than redirecting it, because a redirect still lets the first request (and any token in it) travel in the clear.

3. CORS settings: limit CORS to only the allowed origins. Use an exact-match allowlist and never reflect an arbitrary Origin header. Remember that CORS only restrains browsers; it is not an access control for curl, scripts or other non-browser clients.

4. Validate the JWT's claims, not only its signature: iss, aud and exp (and nbf when present). Pin the signing algorithm you expect instead of trusting the alg value in the token header.

5. Validate request headers such as Origin, Referer, Host or User-Agent if applicable. These are client-controlled and trivially spoofed, so treat them as defense in depth, never as a substitute for the token check.
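Points 1, 3 and 4 above fit into one small validator, so here is one as an added example (not code from the original post). It uses only the Python standard library: an HS256 token is checked for a pinned algorithm, a constant-time signature compare, and the iss, aud, exp and nbf claims, and an Origin is checked against an exact-match allowlist. The issuer, audience, key and origins are constructed values for the demo; `mint_token` exists only to build test input (its `alg="none"` option produces the unsigned token an attacker would try) and is not something an API should ship.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example. A real deployment takes the issuer,
# audience and key from configuration, and should prefer an asymmetric
# algorithm so the API only ever holds a public key.
EXPECTED_ISSUER = "https://auth.example.test"
EXPECTED_AUDIENCE = "orders-api"
SIGNING_KEY = b"demo-shared-secret-do-not-use-in-production"
ALLOWED_ORIGINS = {"https://app.example.test", "https://admin.example.test"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, key: bytes = SIGNING_KEY, alg: str = "HS256") -> str:
    """Build a token for the demo. alg='none' yields an unsigned token so the
    validator's algorithm pinning can be exercised; never use this in an API."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, now: Optional[float] = None, key: bytes = SIGNING_KEY) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError.

    Order matters: structure, pinned alg, signature, then iss / aud / exp / nbf.
    Claims are only read after the signature has been verified.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pinning the algorithm blocks alg=none and key-confusion tricks.
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if EXPECTED_AUDIENCE not in aud_list:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def describe_token(token: str, now: float) -> str:
    """'ok' or the rejection reason; handy for logging failed attempts."""
    try:
        validate_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def is_allowed_origin(origin: Optional[str]) -> bool:
    """Exact-match CORS allowlist: no prefix matching, no reflecting Origin."""
    return origin is not None and origin in ALLOWED_ORIGINS


if __name__ == "__main__":
    demo = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": 2000, "sub": "user-42"})
    print(describe_token(demo, now=1000))   # ok
    print(describe_token(demo, now=2000))   # token expired or missing exp
    print(describe_token(mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": 2000}, alg="none"), now=1000))
```

The important design choice is the order of checks: the algorithm is pinned and the signature verified before any claim is read, so a forged or unsigned payload never influences the issuer or audience decision. The `now` parameter exists so expiry can be tested deterministically; in production it is simply the current time.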

 

Network level

internet -> firewall -> load balancer -> apigateway -> firewall -> apis

1. If the API is not meant to be public, implement a firewall with IP whitelisting. Use a WAF to control the IP whitelist and to mitigate DDoS.

2. If an API gateway is used, the API application servers should only accept incoming traffic from the API gateway, so that nothing can reach the APIs while bypassing the gateway's authentication and rate limiting.

3. Network traffic should be encrypted with TLS (HTTPS), including the hop from the gateway to the APIs, not only the public-facing edge.
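The firewall rule in point 2 is the primary control; as an added example (not from the original post) here is the matching defense-in-depth check an API application can make itself, using only the Python standard library. It rejects any connection whose peer is not in the gateway's address range and, because the gateway is the only party whose X-Forwarded-For entries can be trusted, it reads the client address from the position the trusted proxies wrote rather than from the attacker-controllable front of the header. The gateway network and the number of trusted proxy hops (load balancer plus gateway, following the diagram above) are assumptions for the demo.

```python
import ipaddress
from typing import Optional

# Assumed for this example: the API gateway lives in this range, and the
# request passed through two trusted proxies (load balancer, then gateway),
# each of which appends the address it accepted the connection from.
GATEWAY_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]
TRUSTED_PROXY_HOPS = 2


def is_from_gateway(peer_ip: str) -> bool:
    """True only if the TCP peer (not any header) is inside the gateway range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in GATEWAY_NETWORKS)


def client_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> Optional[str]:
    """Return the client address the app may log or rate-limit on, or None to
    reject the request.

    A direct connection that bypassed the gateway is rejected even if it carries
    a plausible X-Forwarded-For header, because that header is whatever the
    sender chose to put there. When the peer is the gateway, the rightmost
    TRUSTED_PROXY_HOPS - 1 entries are proxy addresses written by the trusted
    proxies, and the entry before them is the address the first trusted proxy
    saw, i.e. the real client. Anything further left was supplied by the client
    and is ignored.
    """
    if not is_from_gateway(peer_ip):
        return None
    if not x_forwarded_for:
        # Gateway-originated request with no header: the gateway is the client.
        return peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    if len(hops) < TRUSTED_PROXY_HOPS:
        # Fewer entries than the trusted chain would produce: a proxy is not
        # appending, so the header cannot be interpreted safely.
        return None
    candidate = hops[-TRUSTED_PROXY_HOPS]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: peer address as seen on the socket, plus the header.
    print(client_ip("10.0.1.5", "203.0.113.7, 10.0.0.2"))            # via LB and gateway
    print(client_ip("10.0.1.5", "1.2.3.4, 203.0.113.7, 10.0.0.2"))   # client tried to inject an entry
    print(client_ip("203.0.113.7", "1.2.3.4, 10.0.0.2"))             # bypassed the gateway: None
```

The check only makes sense together with the firewall rule: if the network layer lets arbitrary hosts reach the application, the application's own view of "who is the peer" is the last line of defense, which is why the peer address rather than any header decides whether the request is accepted at all.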

 

What do you think?