• Accept queries only over a secure channel, such as TLS.
• Use API keys to secure, authenticate and track usage of the REST API.
• Validate every parameter-based input to a query.
• Whitelist the HTTP methods each endpoint accepts and block the others that are reachable via the public API.
• Authenticate individual users before allowing specific actions.
• Log all failed requests and look for patterns that reveal sustained attacks.
• Use a security framework with policies that decide whether the querying party may see the data.
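As an added illustration (not code from the original post), the following request guard applies the first six points of the checklist in order: TLS-only transport, API-key lookup with a constant-time comparison, a per-path method whitelist, user authentication for a designated action, parameter validation, and logging of failures with a per-client counter that flags sustained probing. The keys, paths, parameter rules and threshold are constructed sample values.

```python
import hmac
import logging
import re
from collections import Counter

log = logging.getLogger("api-guard")

# Constructed sample policy, not taken from the original post.
API_KEYS = {"k-demo-1234": "reporting-service"}          # key -> client name
ALLOWED_METHODS = {"/v1/reports": {"GET", "POST"}}       # whitelist per path
NEEDS_USER = {("POST", "/v1/reports")}                   # actions needing a user
PARAM_RULES = {"limit": re.compile(r"^\d{1,3}$"),
               "since": re.compile(r"^\d{4}-\d{2}-\d{2}$")}
ALERT_AFTER = 5                                          # failures per client
failures = Counter()


def lookup_client(presented):
    """Compare against every known key in constant time (length aside); client or None."""
    found = None
    for key, client in API_KEYS.items():
        if hmac.compare_digest(key.encode(), (presented or "").encode()):
            found = client
    return found


def check_request(req):
    """Apply the checklist to a request dict; returns (allowed, reason)."""
    client = lookup_client(req.get("headers", {}).get("X-API-Key"))
    who = client or req.get("remote_addr", "unknown")
    reason = None
    if req.get("scheme") != "https":
        reason = "insecure-transport"
    elif client is None:
        reason = "bad-api-key"
    elif req["method"] not in ALLOWED_METHODS.get(req["path"], set()):
        reason = "method-not-allowed"
    elif (req["method"], req["path"]) in NEEDS_USER and not req.get("user"):
        reason = "user-auth-required"
    else:
        for name, value in req.get("params", {}).items():
            rule = PARAM_RULES.get(name)
            if rule is None or not rule.fullmatch(str(value)):
                reason = f"invalid-param:{name}"
                break
    if reason is None:
        return True, "ok"
    failures[who] += 1
    log.warning("denied %s %s from %s: %s", req["method"], req["path"], who, reason)
    if failures[who] >= ALERT_AFTER:          # repeated failures: likely probing
        log.error("sustained failures from %s (%d)", who, failures[who])
    return False, reason
```

Unknown parameters are rejected outright rather than ignored, so a client cannot smuggle in names the validation rules never considered.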
