REST APIs Security OAuth JWT DDoS CI/CD

102 - API Security Checklist

> The most complete security checklist for REST APIs

Master the definitive security checklist for APIs: authentication, OAuth, JWT, DDoS, CI/CD and monitoring. Everything you need to audit and protect your APIs.

Duration

1.6 hours

Format

Online on-demand

Level

Intermediate

Price

€99

Note: This course is currently only available in Spanish. Contact us if you're interested in an English version.

Why this course?

Security audits shouldn’t be a mystery. This course gives you the definitive checklist to review and protect any REST API.

When you need to audit an API or verify that your implementation is secure, where do you start? What points are critical? What might you be missing?

This course delivers a proven methodology to systematically review all security aspects of an API. From authentication to monitoring, including CI/CD integration.

Dani García has audited hundreds of APIs during his career at 42Crunch. Here he shares the knowledge he’s accumulated in the form of a practical, actionable checklist.

What you’ll learn

  • Complete authentication checklist: All critical points you must verify
  • OAuth 2.0 in depth: Secure flows, common mistakes, and best practices
  • Secure JWTs: How to implement tokens that won’t blow up in your face
  • Properly configured CORS: What to allow and what to block
  • DDoS protection: Defense-in-depth strategies
  • SBOM (Software Bill of Materials): Dependency and vulnerability control
  • CI/CD integration: Automated security in your pipeline
  • Logging and monitoring: What to log and how to detect attacks

Curriculum

Module 1: Intro and Presentation (2 lessons)

  • Who this course is for
  • The API security checklist we’ll use and why

Module 2: Authentication and Authorization (4 lessons)

  • API authentication security measures
  • JWT: creating secure tokens
  • DDoS prevention and access restrictions
  • OAuth: common mistakes that compromise authorization

Module 3: Secure Inputs, Outputs and Processing (3 lessons)

  • Securing user inputs in REST APIs
  • Data processing, privacy, and attacks
  • REST API responses without exposing sensitive information

Module 4: Continuous Integration and Monitoring (2 lessons)

  • Continuous integration: basic measures and myths
  • Monitoring and the danger of data exfiltration

Module 5: Additional Content

  • Repositories and URLs
  • Demo presentations (PDF)

Who is this for?

  • Developers with API experience who want to deepen their security knowledge
  • Security engineers who need an audit methodology
  • Tech leads and architects responsible for system security
  • DevSecOps engineers who want to integrate security into the pipeline
  • Auditors who need a complete, up-to-date checklist

Prerequisites

  • Solid knowledge of REST APIs
  • Basic experience with authentication and authorization
  • Familiarity with CI/CD concepts (recommended)
  • Completed course 101 or equivalent knowledge

What’s included

  • 1.6 hours of video with dense, practical content
  • Downloadable checklist in PDF format for use in your audits
  • Access on mobile app and TV to study wherever you prefer
  • Lifetime access to all content
  • Certificate of completion upon finishing the course
  • Free updates with new checklist items
// Contact

Interested in this course?

Tell us about your team and we'll prepare a personalized proposal

Request information

Write to us with the number of people and approximate dates. We'll respond within 24 hours.

hello@alicebob.io