API SECURITY GUIDE FOR AI-GENERATED BACKENDS | VIBEEVAL
Authentication is Not Authorization
AI-generated APIs often verify user identity (authentication) but skip permission checks (authorization). Knowing who the user is does not mean they have permission to access the requested resource. Every endpoint must verify both identity and permissions.
API Security Implementation Checklist
Follow these 12 steps to properly secure your API endpoints. Critical items must be implemented for every API endpoint handling user data.
Require authentication for all endpoints
Verify JWT tokens, API keys, or session cookies on every API request. Never assume client authentication from previous requests.
Implement authorization checks
Verify that the authenticated user has permission to access the requested resource. Check that the resource's user_id matches the caller or that the caller's role allows the operation.
Validate all input parameters
Sanitize and validate query parameters, request body, headers, and path parameters. Reject requests with invalid or missing required fields.
Use HTTPS for all endpoints
Enforce TLS/SSL on all API endpoints. Redirect HTTP to HTTPS and use HSTS headers to prevent downgrade attacks.
Implement rate limiting
Limit requests per user, IP, or API key to prevent abuse and denial of service attacks. Use different limits for authenticated vs anonymous users.
Sanitize error messages
Return generic error messages to clients. Never expose stack traces, SQL queries, file paths, or internal system details in API responses.
Validate content-type headers
Verify Content-Type matches expected format. Reject requests with mismatched or missing Content-Type to prevent MIME confusion attacks.
Set secure CORS policies
Configure CORS to allow only trusted origins. Never use Access-Control-Allow-Origin: * for authenticated APIs.
Implement request size limits
Set maximum payload sizes for request bodies to prevent resource exhaustion. Reject oversized file uploads and JSON payloads.
Use API versioning
Version your API endpoints to allow secure deprecation of vulnerable endpoints without breaking existing clients.
Log security events
Log authentication failures, authorization denials, rate limit violations, and suspicious request patterns for monitoring and incident response.
Implement idempotency for mutations
Use idempotency keys for POST, PUT, DELETE operations to prevent duplicate submissions and replay attacks.
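Most of the steps above apply in one request pipeline, shown here as an added example that is not VibeEval's code or any framework's: a small framework-independent gateway that enforces the size limit, per-user and per-IP rate limits, authentication, Content-Type checking, idempotency keys, body validation, generic error responses and security-event logging, in that order. The Request and Response types, the VALID_TOKENS table standing in for JWT or session verification, the numeric limits and the in-memory stores are constructed assumptions. HTTPS/HSTS, CORS and versioning are web-server or routing concerns and are not modelled; the per-resource authorization check belongs in the handler, which here only validates its input fields.

```python
# Added example (not VibeEval's or any framework's code): a framework-independent
# request pipeline. Request/Response, VALID_TOKENS (stand-in for JWT/session
# verification), the limits and the in-memory stores are constructed assumptions.
import json
import logging
import time
from dataclasses import dataclass

log = logging.getLogger("api.security")

MAX_BODY_BYTES = 64 * 1024     # step 9: request size limit
RATE_LIMIT_AUTH = 100          # step 5: per-user budget per window
RATE_LIMIT_ANON = 10           # step 5: stricter per-IP budget for anonymous callers
RATE_WINDOW_SECONDS = 60

# Hypothetical token -> user table; a real service verifies a JWT or session here.
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: bytes = b""
    client_ip: str = "127.0.0.1"


@dataclass
class Response:
    status: int
    body: dict


class ApiGateway:
    def __init__(self, now=time.monotonic):
        self.now = now
        self._hits = {}          # rate-limit key -> timestamps inside the window
        self._idempotency = {}   # (user, Idempotency-Key) -> stored Response

    def authenticate(self, req):
        """Step 1: resolve the caller from the Authorization header on every request."""
        auth = req.headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        return VALID_TOKENS.get(auth[len("Bearer "):])

    def within_rate_limit(self, key, limit):
        """Step 5: sliding-window counter keyed per user or per client IP."""
        now = self.now()
        window = [t for t in self._hits.get(key, []) if now - t < RATE_WINDOW_SECONDS]
        window.append(now)
        self._hits[key] = window
        return len(window) <= limit

    def handle(self, req, handler):
        if len(req.body) > MAX_BODY_BYTES:                        # step 9
            return Response(413, {"error": "payload too large"})
        user = self.authenticate(req)
        key, limit = (("user:" + user, RATE_LIMIT_AUTH) if user
                      else ("ip:" + req.client_ip, RATE_LIMIT_ANON))
        if not self.within_rate_limit(key, limit):                # step 5
            log.warning("rate_limited key=%s path=%s", key, req.path)   # step 11
            return Response(429, {"error": "too many requests"})
        if user is None:                                          # step 1
            log.warning("auth_failure ip=%s path=%s", req.client_ip, req.path)
            return Response(401, {"error": "authentication required"})
        if req.body:                                              # step 7
            ctype = req.headers.get("Content-Type", "").split(";")[0].strip()
            if ctype != "application/json":
                return Response(415, {"error": "unsupported content type"})
        mutating = req.method in ("POST", "PUT", "DELETE")
        idem_key = req.headers.get("Idempotency-Key") if mutating else None
        if idem_key and (user, idem_key) in self._idempotency:    # step 12: replay
            return self._idempotency[(user, idem_key)]
        try:                                                      # step 3
            payload = json.loads(req.body or b"{}")
            if not isinstance(payload, dict):
                raise ValueError("body must be a JSON object")
        except ValueError:
            return Response(400, {"error": "invalid request body"})
        try:
            resp = handler(user, payload)
        except Exception:                                         # step 6
            log.exception("handler_error user=%s path=%s", user, req.path)
            return Response(500, {"error": "internal error"})
        if idem_key:
            self._idempotency[(user, idem_key)] = resp
        return resp


def create_note(user, payload):
    """Example handler: step 3 continues with field-level validation."""
    title = payload.get("title")
    if not isinstance(title, str) or not 1 <= len(title) <= 200:
        return Response(400, {"error": "invalid request body"})
    return Response(201, {"owner": user, "title": title})
```

The ordering matters: the size check runs before anything is parsed, rate limiting runs before authentication so that anonymous callers cannot burn unlimited token-guessing attempts, and the handler's exception detail goes only to the log while the client sees a fixed message. Replaying a POST with the same Idempotency-Key returns the stored response instead of creating a second record.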
Common API Security Issues
Missing Authorization Checks
Authentication verifies identity, but no authorization check confirms that the user has permission to access the resource.
Direct Object References
API endpoints use database IDs in URLs without verifying that the authenticated user owns or may access the resource.
Excessive Data Exposure
API responses return entire database objects, including sensitive fields, instead of filtering to the data the client needs.
No Rate Limiting
APIs allow unlimited requests, enabling brute-force attacks, credential stuffing, and resource exhaustion.
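The first three issues above side by side, as an added example that is not VibeEval's code: one GET /users/{id} handler written with the flaws, and the same handler hardened with an object-level owner-or-admin check and an allow-list of response fields. The USERS table, PUBLIC_FIELDS and both handler names are constructed for illustration; caller_id is assumed to come from the already-verified token, never from the request.

```python
# Added example (not VibeEval's code): the same GET /users/{id} handler with and
# without an object-level authorization check and response filtering. USERS,
# PUBLIC_FIELDS and both handlers are constructed for illustration.

# Constructed records; password_hash and mfa_secret must never leave the server.
USERS = {
    1: {"id": 1, "email": "alice@example.com", "role": "user",
        "password_hash": "hash-placeholder-1", "mfa_secret": "secret-placeholder-1"},
    2: {"id": 2, "email": "bob@example.com", "role": "user",
        "password_hash": "hash-placeholder-2", "mfa_secret": "secret-placeholder-2"},
    3: {"id": 3, "email": "carol@example.com", "role": "admin",
        "password_hash": "hash-placeholder-3", "mfa_secret": "secret-placeholder-3"},
}

# Allow-list of fields a caller may see; anything not listed is dropped.
PUBLIC_FIELDS = ("id", "email", "role")


class NotFound(Exception):
    """Mapped to a generic 404 by the API layer."""


def get_user_vulnerable(caller_id, target_id):
    """Authenticated but not authorized: caller_id is known and ignored, the
    target_id from the URL is trusted, and the whole row is returned."""
    return USERS[target_id]


def get_user_hardened(caller_id, target_id):
    """Object-level check plus field filtering.

    caller_id comes from the verified token, never from the request. The caller
    must own the record or hold the admin role; "does not exist" and "not yours"
    raise the same NotFound so responses do not reveal which IDs exist.
    """
    caller = USERS.get(caller_id)
    target = USERS.get(target_id)
    permitted = caller is not None and (caller_id == target_id or caller["role"] == "admin")
    if target is None or not permitted:
        raise NotFound("no such user")
    return {field: target[field] for field in PUBLIC_FIELDS}
```

The hardened version also fixes the error-message issue indirectly: an unknown ID raises a handled NotFound rather than an unhandled KeyError whose trace a careless framework might return to the client.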
Test Your API Security
VibeEval automatically tests your API endpoints for authentication bypasses, authorization flaws, injection vulnerabilities, and rate limiting gaps to identify security issues before attackers do.