Code-Memo

API Security

Rate limiting

  1. Protects availability and cost; apply per IP, API key, user, and route as needed.
  2. Return 429 Too Many Requests with Retry-After or structured backoff hints.
  3. Separate burst limits from sustained quotas for better UX.

Input validation

  1. Validate shape, size, and semantics (types, ranges, enums) at the edge (gateway) and in services.
  2. Decide an explicit policy for unknown fields: ignore them if you want forward compatibility, or reject them for strictness, and document which applies.
  3. Cap max JSON depth, string lengths, and array sizes to reduce DoS surface.
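
Items 1 and 3 applied to a raw request body, as an added Python example that is not part of the original memo; the limit values, the function names and the choice to scan bracket depth before parsing are assumptions:

```python
import json
from typing import Any

# Per-route limits (constructed values for this example)
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 8
MAX_STRING_LEN = 1024
MAX_ARRAY_LEN = 100

class ValidationError(ValueError):
    pass

def check_nesting_depth(raw: str, max_depth: int) -> None:
    """Scan bracket depth in the raw text BEFORE json.loads, so a deeply
    nested body is rejected without building the object tree or hitting
    the parser's recursion limit. Bracket characters inside JSON strings
    (including escaped quotes) are skipped so they are not counted."""
    depth, in_string, escaped = 0, False, False
    for ch in raw:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise ValidationError(f"nesting depth exceeds {max_depth}")
        elif ch in "]}":
            depth -= 1

def check_sizes(doc: Any) -> None:
    """Iterative walk (no recursion) capping string and array sizes."""
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, str) and len(node) > MAX_STRING_LEN:
            raise ValidationError("string too long")
        elif isinstance(node, list):
            if len(node) > MAX_ARRAY_LEN:
                raise ValidationError("array too long")
            stack.extend(node)
        elif isinstance(node, dict):
            stack.extend(node.keys())   # keys are strings, so cap them too
            stack.extend(node.values())

def parse_request_body(raw: bytes) -> Any:
    """Size check, then depth scan, then parse, then per-value caps."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    text = raw.decode("utf-8")      # UnicodeDecodeError is also a rejection
    check_nesting_depth(text, MAX_DEPTH)
    doc = json.loads(text)
    check_sizes(doc)
    return doc
```

A gateway would map ValidationError to a 400 response; note that object key counts are not capped here, so add a limit if a route accepts arbitrary maps.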

CORS (Cross-Origin Resource Sharing)

  1. Browsers enforce CORS for cross-origin XHR/fetch; non-browser clients ignore it.
  2. Avoid Access-Control-Allow-Origin: * with credentials; prefer explicit origins.
  3. Preflight (OPTIONS) adds latency; keep allowed methods and headers minimal.

HTTPS requirement

  1. Encrypt data in transit; terminate TLS at the gateway or ingress with modern ciphers and HSTS where appropriate.
  2. Never send secrets in query strings (they leak via logs and referrers).
  3. Use mTLS for high-trust service meshes or partner integrations when needed.

Preventing common attacks (XSS, injection basics in APIs)

  1. Treat all input as hostile; parameterize queries; never concatenate SQL/HTML from user input.
  2. Encode or sanitize output that might render in HTML contexts; APIs returning HTML are rare but risky.
  3. Log and alert on auth anomalies, enumeration, and payload patterns typical of scanners.