You're about to push to production. The feature works. Tests pass. Everything looks good.
But have you checked the security basics?
Here's a quick checklist. Run through it before every deployment that touches API integrations. Most items take seconds to verify but can prevent serious problems.
Credentials
1. API keys are in environment variables, not code
Check your codebase for hardcoded strings that look like API keys. They should come from environment variables or a secret manager.
# Quick search for common patterns (-E enables the {20} quantifier)
grep -rE "x-api-key.*[a-zA-Z0-9]{20}" --include="*.js" --include="*.ts"
grep -rE "apiKey.*=.*['\"][a-zA-Z0-9]" --include="*.py"
If you find any, move them to environment variables immediately. Hardcoded keys end up in git history forever.
Status: [ ] Verified
2. Keys are not logged
Check your logging code. Are you logging request headers? Response bodies? Entire request objects?
Any of these might include API keys, tokens, or sensitive data. Logs get stored, backed up, and viewed by people who shouldn't see credentials.
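One way to make "keys are not logged" mechanical rather than a code-review hope: a redaction pass that every log call goes through. This is an added example, not code from the original post; the header and field names it matches are common conventions, and `safeLog` and `sampleRequest` are illustrative.

```javascript
// Added example (not from the original post): scrub credentials before a
// request or response object is handed to the logger. The header and field
// names are common conventions; extend them for your own integrations.
const SENSITIVE_HEADERS = new Set([
  'authorization', 'x-api-key', 'cookie', 'set-cookie', 'proxy-authorization',
]);
const SENSITIVE_FIELDS =
  /^(api[_-]?key|token|access[_-]?token|refresh[_-]?token|password|secret|client[_-]?secret)$/i;
// Catches key-like values embedded in free text such as query strings.
const KEY_IN_TEXT = /(api[_-]?key|token)=([A-Za-z0-9_\-]{8,})/gi;

function redactString(s) {
  return s.replace(KEY_IN_TEXT, (_, name) => `${name}=[REDACTED]`);
}

// Recursively copies `value`, replacing sensitive entries with a marker.
// Header names are matched case-insensitively: Node lowercases incoming
// headers, but hand-built request objects often do not.
function redact(value, depth = 0) {
  if (depth > 10) return '[TRUNCATED]';          // guard against cycles/deep trees
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_HEADERS.has(k.toLowerCase()) || SENSITIVE_FIELDS.test(k)
        ? '[REDACTED]'
        : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Log through this instead of passing the raw object to console/pino/winston.
function safeLog(label, obj) {
  const clean = redact(obj);
  console.log(label, JSON.stringify(clean));
  return clean;
}

// Constructed sample: a request object as an HTTP client might expose it.
const sampleRequest = {
  method: 'POST',
  url: 'https://api.example.test/v1/send?apiKey=abcd1234efgh5678',
  headers: { Authorization: 'Bearer eyJhbGciOi', 'X-Api-Key': 'k_live_123456' },
  body: { to: 'user@example.test', password: 'hunter2', nested: { token: 'zz' } },
};
```

Run `safeLog('outbound', sampleRequest)` and every credential in the object, including the one hiding in the query string, is replaced before it reaches the log sink.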
Status: [ ] Verified
3. Keys are not in client-side code
Frontend JavaScript, mobile app bundles, and anything the user can access should never contain API keys. Attackers can extract them trivially.
If you need to call APIs from client-side code, proxy through your backend.
Status: [ ] Verified
4. Different keys for different environments
Your production key should not be the same as your development key. If a dev laptop is compromised, production shouldn't be affected.
Status: [ ] Verified
5. You know how to rotate keys
If a key is compromised, can you rotate it quickly? Do you know where all the keys are configured? Can you update them without downtime?
Practice this before you need it.
Status: [ ] Verified
Transport Security
6. All API calls use HTTPS
No exceptions. HTTP traffic can be intercepted, read, and modified by anyone between you and the server.
Check that your base URLs start with https://. Check that your HTTP client doesn't silently downgrade to HTTP on redirects.
The SSL Checker API can verify that endpoints you're calling have valid certificates.
Status: [ ] Verified
7. You're validating SSL certificates
Your HTTP client should reject invalid, expired, or self-signed certificates in production. Some debug settings disable this — make sure they're not active in production.
// Node.js: This should NOT be in production code
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; // DANGER
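A startup-time check that covers both transport items (https-only base URLs, no redirect downgrade, and no certificate-validation kill switch in production). Added example, not from the original post; the `config` shape and `sampleConfig` values are assumed for illustration.

```javascript
// Added example (not from the original post): pre-flight checks for items 6
// and 7. `config` mirrors the app's HTTP settings and `env` is process.env;
// both shapes are assumed for illustration.

// Returns a list of findings; an empty list means the transport config passes.
function checkTransportConfig(config, env) {
  const findings = [];
  for (const [name, base] of Object.entries(config.baseUrls || {})) {
    let u;
    try { u = new URL(base); } catch { findings.push(`${name}: invalid URL`); continue; }
    if (u.protocol !== 'https:') findings.push(`${name}: base URL is ${u.protocol}//, must be https://`);
  }
  // Item 7: the debug switch quoted in the post must not be live in production.
  if (env.NODE_ENV === 'production' && env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate validation');
  }
  if (config.rejectUnauthorized === false) {
    findings.push('HTTP client is configured with rejectUnauthorized: false');
  }
  return findings;
}

// Item 6: refuse a redirect that downgrades to plain HTTP. Clients that
// follow redirects automatically may accept an http:// Location header;
// resolve the target yourself and reject it before following.
function resolveRedirect(fromUrl, location) {
  const from = new URL(fromUrl);
  const target = new URL(location, from);   // also handles relative Location values
  if (from.protocol === 'https:' && target.protocol !== 'https:') {
    throw new Error(`refusing redirect downgrade to ${target.href}`);
  }
  return target.href;
}

// Constructed sample configuration with one weak and one correct base URL.
const sampleConfig = {
  baseUrls: { sslChecker: 'https://api.example.test/v1/', legacy: 'http://old.example.test/' },
  rejectUnauthorized: true,
};
```

Call `checkTransportConfig` during boot and refuse to start when it returns findings; that turns a checklist item into something the deployment cannot skip.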
Status: [ ] Verified
Input and Output
8. User input is validated before reaching APIs
Don't pass user input directly to API calls without validation. A user submitting "><script> as an email address should be caught before it hits your email validator.
Basic validation happens on your side. Let the API handle the complex validation.
Status: [ ] Verified
9. API responses are validated before use
Don't trust that API responses are well-formed. Check that expected fields exist before accessing them. This prevents both security issues and crashes from unexpected data.
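The two checks that bracket an API call, as an added example (not code from the original post): a basic shape check on the email before it is sent, and a field-presence check on the response before any field is read. The response schema and sample payloads are constructed for illustration.

```javascript
// Added example (not from the original post): the two checks around an API
// call. The email rule is deliberately basic (shape only); the API does the
// deep validation. The schema and response field names are assumed.
const EMAIL_SHAPE = /^[^\s@<>"']+@[^\s@<>"']+\.[^\s@<>"']+$/;

// Item 8: reject input that cannot possibly be an address before spending an
// API call on it (or letting markup reach a downstream template).
function validateEmailInput(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const value = raw.trim();
  if (value.length === 0 || value.length > 254) return { ok: false, reason: 'bad length' };
  if (!EMAIL_SHAPE.test(value)) return { ok: false, reason: 'not an email shape' };
  return { ok: true, value };
}

// Item 9: check that a response has the fields we are about to read, so a
// changed or error-shaped payload produces a clear failure, not a crash.
// schema: { fieldName: 'string' | 'number' | 'boolean' | { nested schema } }
function validateResponse(body, schema, path = '') {
  const errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return [`${path || 'response'}: expected an object`];
  }
  for (const [field, expected] of Object.entries(schema)) {
    const here = path ? `${path}.${field}` : field;
    if (!(field in body)) { errors.push(`${here}: missing`); continue; }
    if (typeof expected === 'object') {
      errors.push(...validateResponse(body[field], expected, here));
    } else if (typeof body[field] !== expected) {
      errors.push(`${here}: expected ${expected}, got ${typeof body[field]}`);
    }
  }
  return errors;
}

// Constructed schema for an email-validation style response.
const EMAIL_CHECK_SCHEMA = {
  status: 'string',
  data: { email: 'string', valid: 'boolean', score: 'number' },
};

// Constructed sample responses: one well-formed, one error-shaped.
const goodResponse = { status: 'ok', data: { email: 'a@b.test', valid: true, score: 0.9 } };
const errorResponse = { status: 'error', error: 'rate limited' };
```

Reading `errorResponse.data.email` directly would throw a TypeError in the request handler; the validator instead returns `data: missing` so the caller can fail cleanly.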
Status: [ ] Verified
10. Sensitive data in responses is handled appropriately
If an API returns sensitive information (PII, credentials, tokens), ensure it's:
- Not logged in full
- Not stored longer than needed
- Not exposed to users who shouldn't see it
Status: [ ] Verified
Error Handling
11. Errors don't expose sensitive information
When an API call fails, what does the user see? Stack traces, internal URLs, and API keys should never appear in error messages.
Log the details server-side. Show users a generic message.
Status: [ ] Verified
12. Failed auth attempts are rate-limited
If you're handling authentication (or passing auth to another service), rate-limit failed attempts. Without limits, attackers can try thousands of passwords.
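A sliding-window limiter on failed attempts, as an added example that is not part of the original post. It is in-memory and keyed by whatever identity you choose; a multi-instance deployment would back it with a shared store, and the `authenticate` callback is assumed to return true or false.

```javascript
// Added example (not from the original post): a sliding-window limiter for
// failed authentication attempts, keyed by client IP, username or API key id.
// In-memory only; a multi-instance deployment would use a shared store.
class FailedAuthLimiter {
  constructor({ maxFailures = 5, windowMs = 15 * 60 * 1000, now = Date.now } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.now = now;                 // injectable clock for tests
    this.failures = new Map();      // key -> array of failure timestamps
  }

  // Drops failures older than the window and returns the ones that remain.
  _recent(key) {
    const cutoff = this.now() - this.windowMs;
    const kept = (this.failures.get(key) || []).filter((t) => t > cutoff);
    if (kept.length) this.failures.set(key, kept); else this.failures.delete(key);
    return kept;
  }

  // Call before checking credentials. Returns { allowed, retryAfterMs }.
  check(key) {
    const recent = this._recent(key);
    if (recent.length < this.maxFailures) return { allowed: true, retryAfterMs: 0 };
    return { allowed: false, retryAfterMs: recent[0] + this.windowMs - this.now() };
  }

  // Only failures count; a success clears the counter for that key.
  recordFailure(key) {
    const recent = this._recent(key);
    recent.push(this.now());
    this.failures.set(key, recent);
  }

  recordSuccess(key) { this.failures.delete(key); }
}

// Wraps an authentication function so the limiter is applied consistently.
// `authenticate(creds)` is assumed to return true/false.
function guardedAuth(limiter, key, authenticate, creds) {
  const gate = limiter.check(key);
  if (!gate.allowed) return { ok: false, reason: 'rate_limited', retryAfterMs: gate.retryAfterMs };
  const ok = authenticate(creds);
  if (ok) limiter.recordSuccess(key); else limiter.recordFailure(key);
  return { ok, reason: ok ? null : 'bad_credentials', retryAfterMs: 0 };
}
```

Note that the gate is checked before the credential check runs, so a blocked caller does not get to test another password and cannot tell whether it would have been right.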
Status: [ ] Verified
Monitoring
13. Unusual API usage triggers alerts
Set up monitoring for:
- Sudden spikes in API calls
- High error rates
- Calls from unexpected IP addresses
- Usage outside business hours
Any of these could indicate compromised credentials or a security issue.
Status: [ ] Verified
14. You have an audit log
Who made what API calls and when? If something goes wrong, you need to trace back what happened.
Log at least: timestamp, user/service identity, endpoint called, success/failure.
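Items 13 and 14 together: the audit record carries exactly the four fields listed above, and the detector runs the four alert rules over a batch of those records. Added example, not code from the original post; the thresholds, the IP allow-list and the sample batch are constructed for illustration.

```javascript
// Added example (not from the original post): an audit record carrying the
// four fields item 14 asks for, and a detector that applies item 13's four
// alert rules to a batch of records. Thresholds, the IP allow-list and the
// sample batch are constructed for illustration.
function auditRecord({ timestamp, identity, endpoint, success, ip }) {
  return { timestamp: new Date(timestamp).toISOString(), identity, endpoint, success: Boolean(success), ip };
}

const RULES = {
  spikeCalls: 20,                         // more calls than this per identity
  maxErrorRate: 0.5,                      // failures / calls
  knownIps: new Set(['203.0.113.10']),    // expected egress IPs (TEST-NET)
  businessHoursUtc: [8, 18],              // [start, end)
};

// Groups records by identity and returns one alert string per rule that fires.
function detectAnomalies(records, rules = RULES) {
  const byIdentity = new Map();
  for (const r of records) {
    if (!byIdentity.has(r.identity)) byIdentity.set(r.identity, []);
    byIdentity.get(r.identity).push(r);
  }
  const alerts = [];
  for (const [identity, recs] of byIdentity) {
    const failures = recs.filter((r) => !r.success).length;
    if (recs.length > rules.spikeCalls) alerts.push(`${identity}: spike (${recs.length} calls)`);
    if (recs.length >= 5 && failures / recs.length > rules.maxErrorRate) {
      alerts.push(`${identity}: high error rate (${failures}/${recs.length})`);
    }
    const unknownIps = [...new Set(recs.map((r) => r.ip))].filter((ip) => !rules.knownIps.has(ip));
    if (unknownIps.length) alerts.push(`${identity}: calls from unexpected IP ${unknownIps.join(', ')}`);
    const offHours = recs.filter((r) => {
      const h = new Date(r.timestamp).getUTCHours();
      return h < rules.businessHoursUtc[0] || h >= rules.businessHoursUtc[1];
    }).length;
    if (offHours) alerts.push(`${identity}: ${offHours} calls outside business hours`);
  }
  return alerts;
}

// Constructed sample batch: a normal service and one that looks compromised.
const sampleRecords = [];
for (let i = 0; i < 10; i++) sampleRecords.push(auditRecord({ timestamp: Date.UTC(2024, 0, 15, 10, i),
  identity: 'billing-svc', endpoint: '/v1/charge', success: true, ip: '203.0.113.10' }));
for (let i = 0; i < 25; i++) sampleRecords.push(auditRecord({ timestamp: Date.UTC(2024, 0, 15, 3, i),
  identity: 'report-svc', endpoint: '/v1/export', success: i % 2 === 1, ip: '198.51.100.7' }));
```

Because every rule keys on the identity field, the same records that raise the alert also answer the "who, what, when" question when you investigate it.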
Status: [ ] Verified
Dependencies
15. Your HTTP client and dependencies are current
Outdated libraries have known vulnerabilities. Run a dependency audit before production.
npm audit      # Node.js
pip-audit      # Python (pip-audit package)
bundle audit   # Ruby (bundler-audit gem)
Fix critical vulnerabilities. Don't push known-vulnerable code to production.
Status: [ ] Verified
The Quick Version
For copy-paste into your deployment checklist:
PRE-PRODUCTION API SECURITY CHECK
---------------------------------
[ ] API keys in env vars, not code
[ ] Keys not in logs
[ ] No keys in client-side code
[ ] Separate keys per environment
[ ] Key rotation procedure documented
[ ] All calls use HTTPS
[ ] SSL certificates validated
[ ] User input validated before API calls
[ ] API responses validated before use
[ ] Sensitive response data handled properly
[ ] Errors don't expose internals
[ ] Failed auth attempts rate-limited
[ ] Unusual usage triggers alerts
[ ] Audit logging enabled
[ ] Dependencies up to date
Fifteen items. Most take under a minute to verify. All of them can prevent a security incident.
This Is the Minimum
This checklist covers the basics. Depending on your industry and data, you might also need:
- Compliance verification — HIPAA, PCI-DSS, SOC 2, GDPR
- Penetration testing — external security assessment
- Web application firewall — additional request filtering
- Data encryption at rest — for stored sensitive data
- Regular key rotation — scheduled credential updates
But if you can't check off the 15 items above, those advanced measures won't help much. Get the basics right first.
Security isn't a feature you add at the end. It's a practice you follow throughout. This checklist is a backstop — a final verification that the fundamentals are in place.
Make it part of your deployment process. The incidents you prevent won't show up in metrics, but they're the most important work you do.
Ready to build securely? Get your API key and check out the security documentation.
Originally published at APIVerve Blog