If you expose an API, follow this checklist to ensure it is secure and does not fall victim to malicious users.

Security

Use HTTPS on the server side to prevent MITM (Man-in-the-Middle) attacks.
Send the HSTS (HTTP Strict Transport Security) header over TLS to prevent SSL-strip downgrade attacks.

Stability

Limit request rates (throttling) to mitigate DDoS and brute-force attacks.
If you handle large amounts of data, use workers and queues to do as much processing as possible in the background and return the response quickly, so that HTTP requests do not block.

Standards

If you parse XML files, make sure external entity resolution is disabled to avoid XXE (XML External Entity) attacks.
If you parse XML files, make sure entity expansion is disabled to avoid the Billion Laughs / XML bomb attack, which abuses exponential entity expansion.
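An added example (not part of the checklist) covering both XML items above with Python's standard library: it rejects the DOCTYPE at the parser callback, which is the only place external entities (XXE) or nested internal entities (Billion Laughs) can be declared, so nothing is resolved or expanded. The sample documents are constructed, and `parse_untrusted_xml` / `accepts_untrusted_xml` are names chosen here.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML sent by an API client, refusing any DTD before an entity can be defined."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on "<!DOCTYPE" itself, before the internal subset is read,
        # so no <!ENTITY ...> is ever registered, let alone expanded.
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not accepted from clients")

    def reject_entity(name, *_):
        # Belt and braces: not reached once the DOCTYPE is rejected above.
        raise UnsafeXMLError(f"entity declaration {name!r} is not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    # Never fetch external parameter entities (external DTDs) either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    # Forward element events to ElementTree's builder so callers get a normal Element.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def accepts_untrusted_xml(data: bytes) -> bool:
    """True if the document is accepted; False if rejected or malformed (both deserve HTTP 400)."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXMLError, expat.ExpatError):
        return False
    return True


# Constructed sample inputs: a plain order document and one that declares an entity.
BENIGN_XML = b'<?xml version="1.0"?><order id="42"><item>widget</item></order>'
ENTITY_XML = b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY a "aaaa">]><order>&a;</order>'

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML).find("item").text)  # widget
    print(accepts_untrusted_xml(ENTITY_XML))  # False
```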

Output

Send a Content-Security-Policy: default-src 'none' header.
Remove fingerprinting headers such as X-Powered-By, Server and X-AspNet-Version.
Set the Content-Type header explicitly on every response. If you return JSON, the response Content-Type must be application/json.
Return the status code appropriate to the operation performed (e.g. 200 OK, 400 Bad Request, 401 Unauthorized, 405 Method Not Allowed).

Help Us Improve!

If you have any suggestions to improve this checklist, please let us know by filling out this form.