Product Security Knowledge Base

🧩 API Review Checklist

Use this checklist for new endpoints, changed contracts, admin APIs, partner APIs, and webhook-style workflows.

Best time to use this checklist

Use it during design review, before exposing routes externally, and before adding new privileged or customer-data operations.

Stop-the-line conditions

  • missing server-side object ownership checks (any authenticated caller can read or modify another user's objects by id);
  • weak or inconsistent authentication between related routes (one route in a family enforces less than its siblings);
  • no controls on resource consumption or on abuse-sensitive flows (for example login, password reset, or bulk export);
  • inbound data from an external integration (partner, upstream service, webhook) acted on without verifying its origin and content.

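The first two stop-the-line conditions are easiest to recognise with code in front of you. The following is an added example for this checklist, not code from the page or any product: a framework-free handler pair in which the vulnerable version checks only that a session exists, while the hardened version also enforces object-level ownership and a function-level role, and records every denial. The data store, Principal type, role names and response shape are constructed assumptions.

```python
"""Route-level auth vs object-level and function-level authorization.

Added example for this checklist, not code from the page or any product.
ORDERS, Principal, the role names and the Response shape are constructed
assumptions; the checks themselves are what a reviewer expects to find.
"""
from dataclasses import dataclass, field

# Constructed store: order id -> owner and payload.
ORDERS = {
    "ord-1001": {"owner": "alice", "total": 42.00},
    "ord-1002": {"owner": "bob", "total": 17.50},
}

# Constructed security-event sink; a real service emits structured logs.
DENIAL_LOG = []


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset = frozenset()


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def _deny(status, principal, action, obj_id, reason):
    # Telemetry: record who, what and why for every denial so owner
    # mismatches and admin-function misuse show up on a dashboard.
    DENIAL_LOG.append({
        "user": principal.user_id if principal else None,
        "action": action, "object": obj_id, "reason": reason,
    })
    return Response(status, {"error": reason})


# Vulnerable: only route-level auth ("is there a valid session?").
def get_order_vulnerable(principal, order_id):
    if principal is None:
        return Response(401, {"error": "unauthenticated"})
    order = ORDERS.get(order_id)   # no ownership check: any user reads any order
    if order is None:
        return Response(404, {"error": "not-found"})
    return Response(200, order)


# Hardened: route auth, then object-level ownership, enforced server-side.
def get_order(principal, order_id):
    if principal is None:
        return _deny(401, principal, "order.read", order_id, "unauthenticated")
    order = ORDERS.get(order_id)
    if order is None:
        return _deny(404, principal, "order.read", order_id, "not-found")
    if order["owner"] != principal.user_id and "support" not in principal.roles:
        # Same status as not-found so the response does not reveal whether
        # the id exists; the log still records the real reason.
        return _deny(404, principal, "order.read", order_id, "owner-mismatch")
    return Response(200, order)


# Privileged function: requires an explicit role, also enforced server-side.
def refund_order(principal, order_id):
    if principal is None:
        return _deny(401, principal, "order.refund", order_id, "unauthenticated")
    if "finance" not in principal.roles:   # function-level authorization
        return _deny(403, principal, "order.refund", order_id, "role-missing")
    if order_id not in ORDERS:
        return _deny(404, principal, "order.refund", order_id, "not-found")
    ORDERS[order_id]["refunded"] = True
    return Response(200, {"refunded": order_id})
```

The point to look for in review is that the ownership and role checks live next to the data access, not in the client or in a gateway rule that a sibling route may not share, and that the denial log distinguishes "not-found" from "owner-mismatch" even though the caller sees the same status.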
Text-first review prompts

  • How does the API authenticate callers, and what identities exist?
  • Where are object-level and function-level authorization enforced?
  • Can a caller enumerate identifiers, infer state, or over-fetch data?
  • What are the rate limits, quotas, or anti-automation controls for sensitive flows?
  • What logs capture auth failures, object-owner mismatches, admin actions, and unusual consumption?
  • Does this API trust data from another service or third party without verifying it?

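For the last prompt, a reviewer usually wants to see the verification step rather than a statement that it exists. The following is an added example, not code from the page or any vendor SDK: HMAC-signed webhook verification with a replay window and a constant-time comparison, followed by a server-side check that the event refers to an account the sending partner is actually mapped to. The header name, secret, partner table and event fields are constructed assumptions.

```python
"""Verifying what a third party sends before acting on it.

Added example, not code from the page or any vendor SDK. PARTNERS, the
X-Signature header format, MAX_SKEW_SECONDS and the event fields are
constructed assumptions.
"""
import hashlib
import hmac
import json

# Constructed per-partner configuration: shared secret and the accounts
# that partner may reference. A real service loads this from its own store.
PARTNERS = {
    "partner-a": {"secret": b"constructed-secret-a", "accounts": {"acct-1", "acct-2"}},
}
MAX_SKEW_SECONDS = 300


def _mac(secret, ts, body):
    # The timestamp is bound into the MAC so a captured delivery cannot be
    # replayed later under a fresh timestamp.
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def sign(secret, body, ts):
    """Producer side: the value the partner puts in the X-Signature header."""
    return f"t={ts},v1={_mac(secret, ts, body)}"


def verify(secret, body, sig_header, now):
    """Consumer side. Returns (ok, reason)."""
    try:
        parts = dict(p.split("=", 1) for p in sig_header.split(","))
        ts, given = int(parts["t"]), parts["v1"]
    except (ValueError, KeyError):
        return False, "malformed-signature"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale-timestamp"
    if not hmac.compare_digest(_mac(secret, ts, body), given):   # constant-time
        return False, "bad-signature"
    return True, "ok"


def handle_webhook(partner_id, raw_body, headers, now):
    """Returns {'status', 'reason', ...}; 200 only when the event is fully trusted."""
    partner = PARTNERS.get(partner_id)
    if partner is None:
        return {"status": 404, "reason": "unknown-partner"}
    ok, reason = verify(partner["secret"], raw_body, headers.get("X-Signature", ""), now)
    if not ok:
        return {"status": 400, "reason": reason}
    try:
        event = json.loads(raw_body)
    except ValueError:
        return {"status": 400, "reason": "malformed-body"}
    # A valid signature proves origin, not authority: the partner must not be
    # able to name an account it is not mapped to.
    if event.get("account_id") not in partner["accounts"]:
        return {"status": 403, "reason": "account-not-mapped"}
    return {"status": 200, "reason": "ok", "event": event.get("type")}
```

Note that the signature is computed over the raw bytes, not over a re-serialised object, so any canonicalisation difference between sender and receiver fails closed rather than silently passing.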
Evidence table

Control area   | What to verify                                                | Typical evidence
---------------|---------------------------------------------------------------|-----------------------------------------------
Authentication | Strong auth model and token handling are documented           | OpenAPI notes, auth middleware, gateway policy
Authorization  | Object and function authorization happen server-side          | service code, tests, review note
Abuse controls | Sensitive business flows have limits or friction              | rate-limit config, bot control notes
Inventory      | The route is discoverable and owned                           | API inventory, repo ownership, runbook
Telemetry      | The API emits useful security and operational events          | access logs, denial logs, dashboard

Common misses

  • treating route-level authentication ("the caller has a valid token") as if it were object-level authorization ("the caller may act on this object");
  • relying on the client to hide or block forbidden actions instead of rejecting them server-side;
  • forgetting to review bulk or export endpoints, which return many objects per call and so multiply any authorization or rate-limit gap;
  • thinking only about single-request abuse and not about scripted abuse (many requests, many identifiers, many identities).

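The last two misses are about volume rather than any single request. The following is an added example, not code from the page: a per-caller sliding-window limiter applied to an export flow, and an enumeration detector that runs over constructed access-log lines and flags callers who touch many distinct identifiers with a high miss rate. The log format, thresholds, endpoint path and user names are constructed assumptions.

```python
"""Abuse controls for scripted, not just single-request, abuse.

Added example, not code from the page. The log line format, the
/api/orders path, the thresholds and the limiter parameters are
constructed assumptions.
"""
import re
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` calls per `window` seconds per key.

    Key on the caller identity (user or API key), not only the source IP,
    so a scripted caller cannot reset the budget by rotating addresses.
    """

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Assumed budget for a sensitive bulk flow: two exports per hour per caller.
EXPORT_LIMITER = SlidingWindowLimiter(limit=2, window=3600)


def request_export(user_id, now):
    """Bulk flow with friction: denied requests are distinguishable in logs."""
    if not EXPORT_LIMITER.allow(user_id, now):
        return {"status": 429, "reason": "export-rate-limited"}
    return {"status": 202, "reason": "export-queued"}


# Constructed access-log lines: "<ts> user=<id> <method> <path> <status>".
ACCESS_LOG = """\
1700000001 user=alice GET /api/orders/ord-1001 200
1700000005 user=alice GET /api/orders/ord-1001 200
1700000009 user=bob GET /api/orders/ord-1002 200
1700000010 user=mallory GET /api/orders/ord-1001 404
1700000010 user=mallory GET /api/orders/ord-1002 404
1700000011 user=mallory GET /api/orders/ord-1003 200
1700000011 user=mallory GET /api/orders/ord-1004 404
1700000012 user=mallory GET /api/orders/ord-1005 404
1700000012 user=mallory GET /api/orders/ord-1006 404
"""
LINE_RE = re.compile(r"^(\d+) user=(\S+) (\S+) /api/orders/(\S+) (\d{3})$")


def detect_enumeration(log_text, min_distinct=5, min_miss_rate=0.6):
    """Flag callers that probe many distinct ids and mostly get 403/404.

    A legitimate user revisits a few ids it owns; an enumerator walks a
    range and is refused most of the time. Returns {user: stats}.
    """
    per_caller = defaultdict(lambda: {"ids": set(), "total": 0, "misses": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, user, _method, oid, status = m.groups()
        stats = per_caller[user]
        stats["ids"].add(oid)
        stats["total"] += 1
        if status in ("403", "404"):
            stats["misses"] += 1
    flagged = {}
    for user, stats in per_caller.items():
        miss_rate = stats["misses"] / stats["total"]
        if len(stats["ids"]) >= min_distinct and miss_rate >= min_miss_rate:
            flagged[user] = {"distinct_ids": len(stats["ids"]),
                             "miss_rate": round(miss_rate, 2)}
    return flagged
```

If the hardened handler returns 404 for both missing and foreign objects, the detector still works because it counts refusals, not reasons; the denial log from the service is the place to separate the two.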
---
Author attribution: Ivan Piskunov, 2026. Educational and defensive-engineering use.