APIs need specific security measures:
Authentication: Every request must be authenticated. Use OAuth or API keys.
Authorization: Check permissions on every operation. Don't just verify identity.
Input validation: Validate and sanitize all input. Reject unexpected fields.
Rate limiting: Prevent abuse and DoS. Limit by IP, user, or API key.
HTTPS only: Never allow unencrypted API traffic.
CORS: Configure an explicit list of allowed origins. Don't use a wildcard (*) in production.
Audit logging: Log all API access. Include user, action, and timestamp. Essential for incident response.
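The checklist above as one request pipeline, written as an added example for this page (not code from the original page or any project it describes): each control runs in order and the first failure ends the request. The Request/Response shapes, the API key table, the permission and schema tables, the in-memory audit sink and the single-process fixed-window rate limiter are all assumptions made for the example.

```python
# Added example (not from the original page): a framework-independent request
# pipeline applying each control from the checklist. The Request/Response
# shapes, key store, permission table, schemas and audit sink are assumptions.
import hmac
import time
from dataclasses import dataclass, field

ALLOWED_ORIGINS = {"https://app.example.com"}              # explicit allowlist, no "*"
API_KEYS = {"k_demo_alice": "alice", "k_demo_bob": "bob"}  # constructed key -> user
PERMISSIONS = {"alice": {"read:orders", "write:orders"}, "bob": {"read:orders"}}
OPERATIONS = {("GET", "/orders"): "read:orders", ("POST", "/orders"): "write:orders"}
SCHEMAS = {("POST", "/orders"): {"sku": str, "quantity": int}}  # exact field set
AUDIT_LOG = []  # in-memory stand-in for a real audit log sink


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: dict = field(default_factory=dict)
    client_ip: str = "203.0.113.10"   # constructed documentation-range address
    scheme: str = "https"


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class RateLimiter:
    """Fixed-window counter keyed by any string (IP, user, API key)."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.buckets = {}

    def allow(self, key):
        now = self.clock()
        start, count = self.buckets.get(key, (now, 0))
        if now - start >= self.window:        # window expired: start a fresh one
            start, count = now, 0
        self.buckets[key] = (start, count + 1)
        return count + 1 <= self.limit


def audit(user, req, outcome):
    """Every request, allowed or rejected, leaves user, action, timestamp, outcome."""
    AUDIT_LOG.append({"ts": time.time(), "user": user, "ip": req.client_ip,
                      "action": f"{req.method} {req.path}", "outcome": outcome})


def authenticate(req):
    presented = req.headers.get("X-API-Key", "")
    for key, user in API_KEYS.items():
        if hmac.compare_digest(key, presented):  # constant-time comparison
            return user
    return None


def authorize(user, req):
    """Permission check per operation, separate from proving identity."""
    needed = OPERATIONS.get((req.method, req.path))
    return needed is not None and needed in PERMISSIONS.get(user, set())


def validate(req):
    """Body must match the schema exactly: no missing and no unexpected fields."""
    schema = SCHEMAS.get((req.method, req.path))
    if schema is None:
        return not req.body                    # operations without a schema take no body
    if set(req.body) != set(schema):
        return False
    return all(type(req.body[k]) is t for k, t in schema.items())


def handle(req, limiter):
    """Run the checklist in order; the first failing control ends the request."""
    if req.scheme != "https":
        audit(None, req, "rejected:plaintext")
        return Response(403, {"error": "https required"})
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        audit(None, req, "rejected:origin")
        return Response(403, {"error": "origin not allowed"})
    if not limiter.allow(f"ip:{req.client_ip}"):   # shed floods before any auth work
        audit(None, req, "rejected:rate_ip")
        return Response(429, {"error": "too many requests"})
    user = authenticate(req)
    if user is None:
        audit(None, req, "rejected:unauthenticated")
        return Response(401, {"error": "authentication required"})
    if not limiter.allow(f"user:{user}"):          # second limit per authenticated user
        audit(user, req, "rejected:rate_user")
        return Response(429, {"error": "too many requests"})
    if not authorize(user, req):
        audit(user, req, "rejected:forbidden")
        return Response(403, {"error": "forbidden"})
    if not validate(req):
        audit(user, req, "rejected:invalid_input")
        return Response(400, {"error": "invalid input"})
    audit(user, req, "ok")
    resp = Response(200, {"ok": True})
    if origin is not None:                         # echo only an allowlisted origin
        resp.headers["Access-Control-Allow-Origin"] = origin
    return resp
```

Two design points worth noting: rejected requests are audited as carefully as accepted ones, since a burst of 401/403/429 outcomes for one key or IP is exactly the signal incident response needs; and the rate limiter here is a per-process counter, so behind several API instances the counters would live in a shared store rather than a dict.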