
API Security Testing Checklist

Security & Permissions

Add security thinking to normal API testing — tokens, role and object access, input validation, rate limiting, error handling, and 401-vs-403-vs-404 guidance.

6 sections, 19 items, 1–2 hours

For: API testers, SDETs, automation engineers, QA leads

When to use this checklist

  • When testing any authenticated API
  • Before releasing new or changed endpoints
  • When adding a security pass to an existing API regression suite
  • After auth, role or permission changes that affect endpoints

Most API security defects are within reach of normal QA: a missing token check, an endpoint that returns another user's object, validation that the UI enforces but the API does not. This checklist layers security checks onto standard API testing using controlled test users and approved environments. It covers authentication, authorization, input validation, rate limiting, error handling and the correct status-code semantics.


Authentication checks (5 items)

Tokens must be present, valid and scoped to the right user.

Authorization checks (4 items)

Roles and object ownership are enforced server-side.

Input validation checks (4 items)

The API validates payloads regardless of the UI.

Rate limiting & abuse (3 items)

Sensitive actions are protected from repetition.

Error handling & status codes (2 items)

Errors stay quiet about internals; status codes are consistent.

Evidence (1 item)

Capture enough to reproduce and rate the finding.

Common Bugs

Endpoint returns another user's object

The API trusts the id in the request without checking ownership, so changing it returns someone else's data. Enforce ownership checks on every object access.

Validation enforced in the UI but not the API

The browser blocks bad input, but the endpoint accepts it directly. Always send malformed payloads straight to the API and expect a 400.

Verbose error leaks internal details

A 500 returns a stack trace or database error revealing table names or file paths. Return a generic error and log the detail server-side.

Missing rate limit on a sensitive endpoint

Login, OTP or reset endpoints accept unlimited requests, enabling brute force or abuse. Apply rate limiting and confirm a 429.

Recommended Tools

Postman

Run the same request with different tokens and roles, send malformed payloads, and assert status codes across the matrix.
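The request matrix described above, as an added example that is not part of this checklist or of Postman: the same GET is replayed with no token, an unknown token, the owner's token, another user's token and a non-existent id, and the expected status is asserted for each. Both endpoints are constructed stand-ins so the example runs offline; the "leaky" one reproduces the first Common Bug below (id trusted without an ownership check) and the matrix flags it. It assumes the team returns 403 for another user's object; a team that returns 404 to avoid confirming existence changes that one expected code.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed fixtures: two test users with one object each; any other token is invalid.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
OWNER_OF = {"order-1": "alice", "order-2": "bob"}

def correct_api(path: str, token: Optional[str]) -> int:
    """Status a correctly written GET /orders/{id} returns (stand-in for a real HTTP call)."""
    if token not in TOKENS:
        return 401                      # unauthenticated: checked before any lookup
    owner = OWNER_OF.get(path.rsplit("/", 1)[-1])
    if owner is None:
        return 404                      # object does not exist
    if owner != TOKENS[token]:
        return 403                      # authenticated, but not the owner
    return 200

def leaky_api(path: str, token: Optional[str]) -> int:
    """Constructed buggy variant: trusts the id in the request and never checks ownership."""
    if token not in TOKENS:
        return 401
    return 200 if path.rsplit("/", 1)[-1] in OWNER_OF else 404

@dataclass(frozen=True)
class Case:
    path: str
    token: Optional[str]
    expected: int
    reason: str

# The matrix: one request replayed under every credential state the checklist cares about.
MATRIX = [
    Case("/orders/order-1", None, 401, "missing token"),
    Case("/orders/order-1", "tok-revoked", 401, "unknown token"),
    Case("/orders/order-1", "tok-alice", 200, "owner reads own object"),
    Case("/orders/order-1", "tok-bob", 403, "other user's object"),
    Case("/orders/order-9", "tok-alice", 404, "object does not exist"),
]

def run_matrix(api: Callable[[str, Optional[str]], int] = correct_api) -> list:
    """Run every case; return failure descriptions (an empty list means the API passed)."""
    failures = []
    for c in MATRIX:
        got = api(c.path, c.token)
        if got != c.expected:
            failures.append(f"{c.path} token={c.token!r}: expected {c.expected}, got {got} ({c.reason})")
    return failures

if __name__ == "__main__":
    print("correct:", run_matrix() or "all cases passed", "| leaky:", run_matrix(leaky_api))
```

Against a real service, replace the two stand-in functions with one that issues the HTTP request and returns its status code; the matrix and runner stay the same.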

API Response Validator

Check responses against an expected schema to catch leaked or missing fields.

HTTP Status Code Lookup

Confirm the intended meaning of 401 vs 403 vs 404 while writing assertions.