Why API Security Is Critical

APIs are the backbone of modern applications. A single vulnerability can compromise the entire system. The OWASP API Security Top 10 defines the most common risks to watch for.


1. Authentication & Authorization

JWT (JSON Web Token) is the industry standard for stateless authentication. Store tokens in an HttpOnly cookie, never in localStorage. Access tokens should be short-lived (15 minutes) and refresh tokens long-lived (7 days).

const jwt = require('jsonwebtoken');
// Sign with an explicit algorithm and a short expiry; SECRET must be a strong value that never leaves the server.
const token = jwt.sign({ userId: user.id, role: user.role }, SECRET, { algorithm: 'HS256', expiresIn: '15m' });
// Deliver it in an HttpOnly cookie so page scripts cannot read it (req.cookies below requires cookie-parser).
res.cookie('access_token', token, { httpOnly: true, secure: true, sameSite: 'strict', maxAge: 15 * 60 * 1000 });

// Middleware
function auth(req, res, next) {
    const token = req.cookies.access_token;
    if (!token) return res.status(401).json({ error: 'Unauthorized' });
    try {
        // Pin the accepted algorithm so a token cannot switch to 'none' or another scheme.
        req.user = jwt.verify(token, SECRET, { algorithms: ['HS256'] });
        return next();
    } catch (err) {
        return res.status(401).json({ error: 'Invalid token' });
    }
}

2. Rate Limiting

Apply rate limits to every endpoint to defend against brute force and DDoS. 60 requests per minute per IP is a reasonable default. Use stricter limits on sensitive endpoints like login and registration.

const rateLimit = require('express-rate-limit');
// Global default: 60 requests per minute per client IP on every API route.
// Behind a reverse proxy, set app.set('trust proxy', ...) so the real client IP is used for the key.
app.use('/api/', rateLimit({ windowMs: 60000, max: 60, standardHeaders: true, legacyHeaders: false }));
// Stricter limit on login: 5 attempts per minute per IP, applied on top of the global limit.
app.use('/api/auth/login', rateLimit({ windowMs: 60000, max: 5, standardHeaders: true, legacyHeaders: false }));

3. Input Validation

Validate and sanitize every incoming payload. Use schema validation with Zod or Joi. Prevent SQL injection with parameterized queries and XSS with proper output encoding.

4. CORS Configuration

Do not use Access-Control-Allow-Origin: *. Allow-list only the origins you trust. Browsers reject the wildcard anyway when credentials (cookies or Authorization headers) are involved.

5. Enforce HTTPS

All API traffic must travel over HTTPS. Redirect HTTP requests to HTTPS with a 301 and add the HSTS header so browsers remember the policy.

API Design Principles and Secure Endpoint Architecture

Professional API design combines four elements: protocol choice (REST for CRUD, GraphQL for flexible queries, gRPC for microservice-to-microservice calls), authentication (OAuth 2.0 / OIDC, JWT access tokens, refresh token rotation), rate limiting (token bucket or sliding window, keyed per IP, user or API key) and versioning (URL versioning such as /v1/, header versioning, and a deprecation process).

Endpoint security builds on input validation, prepared statements, a CORS policy, idempotency keys for POST requests, webhook signature verification and OpenAPI/Swagger documentation. For high-traffic APIs, use Redis for rate limiting and caching, Kafka or RabbitMQ for asynchronous job queues, and OpenTelemetry for distributed tracing.

Conclusion

API security is an ongoing process, not a one-off task. Keep dependencies up to date, run security scans regularly, and monitor your logs. At KEYDAL we treat these as the baseline, not the ceiling.
