
February 28, 2025
August 4, 2025

Top API Security Tips from Tanya Janca (aka SheHacksPurple)

APIs are the new front door to your app—and attackers know it. In this guide, security expert Tanya Janca (aka SheHacksPurple) shares her top strategies for locking down your APIs before bots, breaches, or bad code catch you off guard. Whether you're a DevSecOps pro or just starting out, these tips are practical, proven, and built for real-world use.

Looking for practical API security tips? You’re in the right place. Tanya Janca’s talk at APISEC|CON was packed with real-world advice, humor, and expert insights. Whether you're in AppSec or DevSecOps, this post walks you through her top strategies—optimized for both humans and search engines.

Why Is API Security So Important?

APIs are the #1 cause of breaches today. And most modern apps are just a series of APIs under the hood. If you’re not securing them, you’re leaving the door wide open.

How Do You Keep Track of All Your APIs?

Start with an API inventory. Know what you have, where it’s running, who owns it, and whether it’s being maintained. Tools can help, but sometimes it’s about asking the devs directly. No inventory = no security.

Should You Use an API Gateway for Every API?

Yes. Gateways aren’t just routers—they add authentication, rate limiting, input validation, and more. Tanya says: if it’s public-facing, it must go through a gateway.

What’s the Best Way to Block Bots?

Set limits—everywhere. Implement rate limiting and quotas to stop abuse. Throttling slows bots down. Hard caps cut them off. Don’t give them unlimited access to anything.
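The two controls in that paragraph are different mechanisms: throttling (a token bucket that refills over time) slows a client down, while a quota (a hard cap) cuts it off. The following Python is an added example written for this post, not code from the talk or from any gateway product; the client address, burst size, refill rate and quota are all constructed, and the quota counter never resets, which a real deployment would do on a schedule.

```python
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: float        # burst size: how many requests may arrive at once
    refill_per_sec: float  # sustained rate once the burst is spent
    tokens: float
    last: float


class RateLimiter:
    """Per-client throttle (token bucket) plus a hard request quota.

    Throttling answers "slow down"; the quota answers "you are done".
    """

    def __init__(self, burst: int, per_sec: float, quota: int, clock=time.monotonic):
        self.burst, self.per_sec, self.quota = burst, per_sec, quota
        self.clock = clock                       # injectable so the demo is deterministic
        self._buckets: dict[str, Bucket] = {}
        self._used: dict[str, int] = {}          # requests already counted against the quota

    def check(self, client: str) -> tuple[bool, str]:
        """Return (allowed, reason) and consume one token when allowed."""
        now = self.clock()
        b = self._buckets.get(client)
        if b is None:
            b = Bucket(self.burst, self.per_sec, float(self.burst), now)
            self._buckets[client] = b
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.refill_per_sec)
        b.last = now
        if self._used.get(client, 0) >= self.quota:
            return False, "quota_exceeded"       # hard cap: cut off (reset schedule omitted here)
        if b.tokens < 1:
            return False, "throttled"            # burst spent: client must wait for refill
        b.tokens -= 1
        self._used[client] = self._used.get(client, 0) + 1
        return True, "ok"


class FakeClock:
    """Manual clock so the walk-through does not depend on wall time."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list[str]:
    """Burst of 3, refill 1/s, quota of 5; the client keys are constructed addresses."""
    clock = FakeClock()
    limiter = RateLimiter(burst=3, per_sec=1.0, quota=5, clock=clock)
    outcomes = [limiter.check("203.0.113.7")[1] for _ in range(4)]  # 3 ok, then throttled
    for _ in range(3):
        clock.advance(1.0)                       # one token refills per second
        outcomes.append(limiter.check("203.0.113.7")[1])
    outcomes.append(limiter.check("203.0.113.8")[1])  # another client has its own budget
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the fourth request in the burst throttled, two more allowed as tokens refill, and the seventh refused by the quota even though a token is available; a second client is unaffected. In a gateway the same two decisions are configuration rather than code, but the order matters: check the hard cap before spending a token, so a capped client cannot keep draining the bucket.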

Should You Monitor API Traffic?

Absolutely. Log everything, monitor continuously, and alert when things look off. Treat your APIs like any mission-critical app. Without monitoring, you’re flying blind.
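"Alert when things look off" needs a concrete definition of "off". The Python below is an added example, not from the post or the talk, that runs two simple detections over a constructed JSON-lines access log: a burst of authentication failures from one client inside a sliding window, and any request using a method the API does not expose. The log format, thresholds and allowed-method set are assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed JSON-lines access log (not real traffic): one client fails
# authentication repeatedly, another tries a method the API does not expose.
SAMPLE_LOG = """\
{"ts": 1700000000, "client": "203.0.113.5", "method": "GET", "path": "/v1/orders", "status": 401}
{"ts": 1700000010, "client": "203.0.113.5", "method": "GET", "path": "/v1/orders", "status": 401}
{"ts": 1700000020, "client": "203.0.113.5", "method": "GET", "path": "/v1/orders", "status": 403}
{"ts": 1700000030, "client": "203.0.113.5", "method": "GET", "path": "/v1/orders", "status": 401}
{"ts": 1700000040, "client": "203.0.113.5", "method": "GET", "path": "/v1/orders", "status": 401}
{"ts": 1700000050, "client": "203.0.113.5", "method": "GET", "path": "/v1/orders", "status": 401}
{"ts": 1700000005, "client": "198.51.100.9", "method": "GET", "path": "/v1/orders/7", "status": 200}
{"ts": 1700000015, "client": "198.51.100.9", "method": "DELETE", "path": "/v1/orders/7", "status": 405}
{"ts": 1700000025, "client": "198.51.100.9", "method": "GET", "path": "/v1/orders/8", "status": 403}
"""

ALLOWED_METHODS = frozenset({"GET", "POST"})   # assumption: what this API actually exposes


def detect(log_text: str, window_sec: int = 60, fail_threshold: int = 5,
           allowed=ALLOWED_METHODS) -> list[dict]:
    """Return one alert dict per triggered rule, in the order the rules fire."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e["method"] not in allowed:
            # Even a 405 is worth a signal: the client is probing for methods you do not use.
            alerts.append({"rule": "unexpected_method", "client": e["client"], "detail": e["method"]})
        if e["status"] in (401, 403):
            failures[e["client"]].append(e["ts"])
    # Sliding window: peak number of auth failures from one client within window_sec.
    for client, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_sec:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= fail_threshold:
            alerts.append({"rule": "auth_failure_burst", "client": client, "detail": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises exactly two alerts: the DELETE attempt from 198.51.100.9 and six authentication failures from 203.0.113.5 inside sixty seconds. The single 403 from the second client stays below the threshold, which is the point of a windowed count: one denied request is normal, a run of them is not. The same logic ports directly to a SIEM query or a Datadog monitor once the fields are mapped.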

Can You Disable Unused HTTP Methods?

Yes—and you should. Don’t let attackers experiment with unused methods like DELETE or PUT. Shut them down if you’re not using them.

Do You Need a Service Mesh?

If you have a microservices architecture with lots of internal calls, yes. A service mesh adds end-to-end encryption, routing, and reliability—without changing your code.

How Do You Standardize API Security?

Pick a protocol (like OpenAPI), choose one API gateway, and use the same testing tools across the board. This reduces confusion and risk. Also: create secure coding standards for APIs.

Is There a Tool to Test API Schemas?

Yes—42Crunch offers a linter for OpenAPI files that walks you through hardening them. Great for learning and enforcing better security.
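The inventory question above and the schema-linting question here are answered by the same artifact: if every API ships an OpenAPI document, walking it once yields both an ownership inventory and a first set of hardening findings. The Python below is an added example, not the 42Crunch linter and not code from the post; the OpenAPI document is constructed and deliberately imperfect, the `x-owner` extension is an assumption, and the checks are a small subset of what a full linter covers. It also flags operations marked `deprecated`, which is one place to start when retiring old versions.

```python
from __future__ import annotations

# Constructed, deliberately imperfect OpenAPI document (not a real API).
SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "2.1.0", "x-owner": "payments-team"},
    "servers": [{"url": "http://api.example.test"}],
    "security": [{"bearerAuth": []}],            # default: every operation needs a bearer token
    "paths": {
        "/orders": {
            "get": {"operationId": "listOrders", "responses": {"200": {"description": "ok"}}},
            "post": {"operationId": "createOrder", "security": [],   # empty list switches auth OFF
                     "responses": {"201": {"description": "created"}}},
        },
        "/orders/{id}": {
            "get": {"operationId": "getOrder", "deprecated": True,
                    "parameters": [{"name": "id", "in": "path", "required": True}],  # no schema
                    "responses": {"200": {"description": "ok"}}},
            "delete": {"operationId": "deleteOrder"},                # no responses at all
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def audit(spec: dict) -> tuple[list[dict], list[tuple[str, str]]]:
    """Walk every operation once, producing an inventory row and any findings."""
    inventory, findings = [], []
    owner = spec.get("info", {}).get("x-owner", "UNOWNED")   # x-owner is an assumed extension
    default_security = spec.get("security", [])
    for server in spec.get("servers", []):
        if not server.get("url", "").startswith("https://"):
            findings.append(("insecure-server", server.get("url", "")))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue               # skip 'parameters', 'summary', vendor extensions
            where = f"{method.upper()} {path}"
            security = op.get("security", default_security)  # per-op list overrides the default
            inventory.append({"operation": where, "id": op.get("operationId"),
                              "owner": owner, "version": spec["info"]["version"],
                              "auth": bool(security)})
            if not security:
                findings.append(("no-auth", where))
            if not op.get("responses"):
                findings.append(("no-responses", where))
            if op.get("deprecated"):
                findings.append(("deprecated-operation", where))
            for param in op.get("parameters", []):
                if "schema" not in param and "content" not in param:
                    findings.append(("param-without-schema", f"{where} {param.get('name')}"))
    return inventory, findings


if __name__ == "__main__":
    rows, issues = audit(SPEC)
    for row in rows:
        print("INVENTORY", row)
    for issue in issues:
        print("FINDING  ", issue)
```

The subtle one is `createOrder`: an explicit `security: []` on an operation overrides the document-level requirement and turns authentication off for that endpoint, which is easy to miss by eye and trivial for a linter to catch. Run this over every spec in the organization and the inventory rows (owner, version, auth) are exactly what the "no inventory = no security" section asks for.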

Are Your Error Messages Helping Hackers?

They might be. Avoid verbose errors. Use generic messages like "Access denied" without giving hints. Share detailed errors only with trusted devs or customers.
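Refusing unused methods and keeping error messages generic belong in the same request path, so the Python below handles both; it is an added example written for this post, not code from the talk or from any framework. The route table, the role check and the internal error strings are constructed to show the contrast: the caller gets `405` with an `Allow` header, or a generic "Access denied" / "Request failed" plus a reference id, while the detailed cause lands only in the server-side log.

```python
from __future__ import annotations

import uuid
from dataclasses import dataclass, field

# Constructed route table: only the methods each resource really needs.
ROUTES = {
    "/v1/orders": {"GET", "POST"},
    "/v1/orders/{id}": {"GET"},
}

SERVER_LOG: list[str] = []   # stands in for the server-side log that developers can read


class Forbidden(Exception):
    """Authorization failure; the message holds internal detail and never leaves the server."""


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def match_route(path: str):
    """Match a request path against the table; '{id}' matches exactly one segment."""
    parts = path.strip("/").split("/")
    for pattern, methods in ROUTES.items():
        pattern_parts = pattern.strip("/").split("/")
        if len(pattern_parts) == len(parts) and all(
            p.startswith("{") or p == q for p, q in zip(pattern_parts, parts)
        ):
            return pattern, methods
    return None, set()


def business_logic(method: str, pattern: str, role: str, simulate_failure: bool) -> Response:
    """Constructed handler body; the error strings imitate detail that must stay internal."""
    if method == "POST" and role != "admin":
        raise Forbidden(f"role {role!r} lacks orders:create on orders_db.orders")
    if simulate_failure:
        raise RuntimeError("timeout connecting to db-primary.internal:5432")
    return Response(200, {"orders": []})


def handle(method: str, path: str, role: str = "anonymous",
           simulate_failure: bool = False) -> Response:
    pattern, allowed = match_route(path)
    if pattern is None:
        return Response(404, {"error": "Not found"})
    if method not in allowed:
        # Unused methods are refused before any handler runs; Allow lists what is supported.
        return Response(405, {"error": "Method not allowed"},
                        {"Allow": ", ".join(sorted(allowed))})
    try:
        return business_logic(method, pattern, role, simulate_failure)
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        # Full detail goes to the server log, keyed by a reference the caller can quote to support.
        SERVER_LOG.append(f"ref={ref} {method} {path} {type(exc).__name__}: {exc}")
        if isinstance(exc, Forbidden):
            return Response(403, {"error": "Access denied", "ref": ref})
        return Response(500, {"error": "Request failed", "ref": ref})


if __name__ == "__main__":
    for req in [("DELETE", "/v1/orders"), ("POST", "/v1/orders"), ("GET", "/v1/orders/42")]:
        print(req, handle(*req, simulate_failure=req[0] == "GET"))
    print("\n".join(SERVER_LOG))
```

The reference id is what lets you share detailed errors with "trusted devs or customers" without putting them on the wire: support looks up `ref=...` in the log, the public response stays the same for every failure of that class. Keeping the `Allow` header on a 405 is standard HTTP and reveals nothing the route table does not already advertise.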

Do You Retire Old API Versions?

You should. Leftover versions are a goldmine for attackers. Set reminders to decommission outdated APIs. Don’t let old code rot in production.

What Coding Practices Still Apply to APIs?

All of them. Validate inputs. Use parameterized queries. Encode output. Just because it’s an API doesn’t mean you can skip web app security basics.
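The three basics named there (validate input, parameterize queries, encode output) fit in a few lines against an in-memory SQLite table. This Python is an added example, not from the post or the talk; the table, rows and probe string are constructed. The string-formatted lookup is kept only so the contrast with the parameterized one is visible in the result: the same input returns every row from one and nothing from the other.

```python
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")   # allow-list: what a username may look like


def setup_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The anti-pattern: the caller's text becomes part of the SQL statement."""
    return conn.execute(f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized: the driver sends the value separately, so it can only ever be a value."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def validate_username(name: str) -> bool:
    """Reject anything outside the allow-list before it reaches any other layer."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Validation first (reject what the API never needs), parameterized query second."""
    if not validate_username(name):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, name)


def render_row(row) -> str:
    """Output encoding: data going into HTML is escaped, whatever the database holds."""
    name, email = row
    return f"<li>{html.escape(name)} ({html.escape(email)})</li>"


if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"                        # constructed input that rewrites an unparameterized query
    print("vulnerable:    ", lookup_vulnerable(db, probe))
    print("parameterized: ", lookup_parameterized(db, probe))
    print("validated:     ", validate_username(probe))
    print(render_row(("<script>", "x@example.test")))
```

Validation and parameterization are defence in depth, not alternatives: the allow-list stops junk early and gives a clean 400, the placeholder guarantees the query shape cannot change even for input the allow-list lets through. `html.escape` belongs wherever a stored value is written into a page; the API layer does not get to skip it because "it's just JSON" when a consumer may render that JSON.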

Quick API Security Checklist

  • Keep an up-to-date API inventory
  • Use gateways for external (and ideally internal) APIs
  • Apply rate limits and throttling
  • Monitor, log, and alert continuously
  • Disable unnecessary HTTP methods
  • Use a service mesh for large microservice setups
  • Standardize on protocols and tools
  • Lint your OpenAPI schemas
  • Keep error messages generic
  • Decommission old versions
  • Apply secure coding practices

Want to Learn More?

Check out Tanya Janca’s books and videos for more expert insights.

💬 FAQ

Q: What’s the #1 mistake in API security?
Not keeping track of your APIs. If it’s not in your inventory, it’s not protected.

Q: What’s a good monitoring tool for APIs?
Datadog is popular, but pick something that integrates with your stack (e.g. Azure Monitor for .NET).

Q: Should I use Swagger or OpenAPI?
They’re nearly the same—OpenAPI is the current standard. Using it with a linter helps catch weaknesses early.

APIs are the brains of your app—secure them like it.
