- Ensure that you only accept queries sent over a secure channel, like TLS.
- Use API keys to secure, authenticate and track usage of a REST API.
- Validate parameter-based inputs for queries.
- Whitelist the HTTP methods each endpoint permits and reject any other method that reaches the public API.
- Authenticate individual users for specific actions.
- Log all failed requests and look for patterns to identify sustained attacks.
- Use a security framework with policies to decide whether the querying party can see the data.