Harden your APIs against the OWASP API Top 10.
No anonymous endpoints by default. Use OAuth2/OIDC or signed JWTs.
Check ownership/permissions on every record, not just the route.
Rate-limit per IP, per user, and per API key; add slow-down for sensitive endpoints.
Use schema validation (Zod, Joi). Reject extra fields by default.
Enforce HSTS and TLS 1.2+, and redirect HTTP to HTTPS.
Allow-list specific CORS origins; never use a wildcard (*) origin with credentials.
Whitelist updatable fields; never spread req.body into models.
Log auth failures, permission denials and sensitive operations, and alert on anomalies.
Never leak stack traces, SQL, or internal IDs in 5xx responses.
Use a secrets manager; rotate API keys, JWT signing keys, DB creds regularly.
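The schema-validation and mass-assignment items above, as an added example in Node-style JavaScript that is not part of this checklist: a hand-rolled strict validator standing in for Zod's .strict() (so it runs without the Zod/Joi dependency) beside the "spread req.body into the model" anti-pattern. The field allow-list, the per-field checks and the sample bodies are assumptions.

```javascript
// Added example (not from the checklist page). The field list and sample bodies
// are assumptions; the validator stands in for Zod's .strict() schema.
// Fields a user may change on their own profile. Privilege/ownership fields
// (isAdmin, ownerId, id) are deliberately absent from the allow-list.
const UPDATABLE_PROFILE_FIELDS = Object.freeze({
  displayName: (v) => typeof v === 'string' && v.length > 0 && v.length <= 64,
  email: (v) => typeof v === 'string' && /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v),
  bio: (v) => typeof v === 'string' && v.length <= 500,
});

// Mass-assignment anti-pattern: whatever the client sends becomes part of the
// stored record, including fields the client must never control.
function unsafeUpdate(user, body) {
  return { ...user, ...body };
}

// Strict validation: unknown keys are rejected rather than silently stripped,
// and every allowed value is type- and length-checked.
function validateProfileUpdate(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const patch = {};
  for (const [key, value] of Object.entries(body)) {
    // hasOwnProperty guards against keys like "__proto__" or "constructor"
    // that exist on every object but are not part of the allow-list.
    const allowed = Object.prototype.hasOwnProperty.call(UPDATABLE_PROFILE_FIELDS, key);
    const check = allowed ? UPDATABLE_PROFILE_FIELDS[key] : null;
    if (check === null) errors.push(`unknown field: ${key}`);
    else if (!check(value)) errors.push(`invalid value for ${key}`);
    else patch[key] = value;
  }
  return errors.length > 0 ? { ok: false, errors } : { ok: true, patch };
}

// Hardened update: only the validated patch reaches the model.
function safeUpdate(user, body) {
  const result = validateProfileUpdate(body);
  if (!result.ok) throw new Error(`400 Bad Request: ${result.errors.join('; ')}`);
  return { ...user, ...result.patch };
}

// Constructed sample: a stored user and a request body that tries to escalate.
const storedUser = { id: 42, displayName: 'alice', email: 'alice@example.com', isAdmin: false };
const hostileBody = { displayName: 'alice', isAdmin: true };
console.log(unsafeUpdate(storedUser, hostileBody).isAdmin); // true: escalated
console.log(validateProfileUpdate(hostileBody)); // { ok: false, errors: [ 'unknown field: isAdmin' ] }
```

The same allow-list approach applies to any writable model (orders, tickets, settings): the client names the fields it wants to change, and the server decides which of them it is allowed to change.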