API Security Articles
The Latest API Security News, Vulnerabilities & Best Practices
APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.
API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.
Subscribe to the API Security newsletter
By clicking Subscribe you agree to our Data Policy
From the APISecurity.io Twitter
WordPress Rank Math plugin (200K installs) had a critical API security vulnerability. It registered a REST API rankmath/v1/updateMeta that had no authorization check and didn't restrict its use: so attackers could modify users table, etc.
https://t.co/L4HKkCLb5b via @wordfence
API Security weekly newsletter issue 77 is out. Main stories by
@aaronpk, @tlodderstedt, @DickHardt / @oauth_2, @gitlab, @feross / @Stanford
https://t.co/jITbgIxNbn
CS 253 Web Security course by @feross released for free by @Stanford: videos, slides, reading, assignments. Attacks, countermeasures, browser sec model, injection, DoS, TLS, privacy, fingerprinting, same-origin, cross site scripting, auth, JavaScript sec.. https://t.co/VZ4UR9LPJE
The latest @gitlab release fixes among other things a couple API vulnerabilities:
* Insufficient access verification in API to create personal snippets,
* GraphQL API for issues leaking private project namespace information
https://t.co/Yqb5MC26qP
OAuth 2.1 draft is out
+ PKCE for authz code grant
+ Exact matching for redirect URIs
- Implicit & Resource Owner Password Creds grants
- Bearer tokens in query params
+ Refresh tokens: sender-constrained or one-time use
@aaronpk, @tlodderstedt, @DickHardt
https://t.co/bFAFTRKX9v
API Security Newsletter Archive
- 2 April, 20
- 26 March, 20
- 19 March, 20
- 12 March, 20
- 5 March, 20
- 27 February, 20
- 20 February, 20
- 13 February, 20
- 6 February, 20
- 30 January, 20
From the APISecurity.io Twitter
WordPress Rank Math plugin (200K installs) had a critical API security vulnerability. It registered a REST API rankmath/v1/updateMeta that had no authorization check and didn't restrict its use: so attackers could modify users table, etc.
https://t.co/L4HKkCLb5b via @wordfence
API Security weekly newsletter issue 77 is out. Main stories by
@aaronpk, @tlodderstedt, @DickHardt / @oauth_2, @gitlab, @feross / @Stanford
https://t.co/jITbgIxNbn
CS 253 Web Security course by @feross released for free by @Stanford: videos, slides, reading, assignments. Attacks, countermeasures, browser sec model, injection, DoS, TLS, privacy, fingerprinting, same-origin, cross site scripting, auth, JavaScript sec.. https://t.co/VZ4UR9LPJE
The latest @gitlab release fixes among other things a couple API vulnerabilities:
* Insufficient access verification in API to create personal snippets,
* GraphQL API for issues leaking private project namespace information
https://t.co/Yqb5MC26qP
OAuth 2.1 draft is out
+ PKCE for authz code grant
+ Exact matching for redirect URIs
- Implicit & Resource Owner Password Creds grants
- Bearer tokens in query params
+ Refresh tokens: sender-constrained or one-time use
@aaronpk, @tlodderstedt, @DickHardt
https://t.co/bFAFTRKX9v
