They make applications monolithic.

They allow for modular application development.

They reduce the need for web servers.

They increase the complexity of applications.

Excessive data exposure

Improper asset management

Broken object level authorization

Secure data encryption

Using weak passwords

Implementing strong password reset APIs

Reusing API keys

Ignoring token validation

By relying on the client to filter data

By allowing direct access to sensitive data

By returning full data objects

By tailoring API responses to customer needs

Exposing all system files

Allowing verbose error messages

Disabling unnecessary features

Using default configurations

An attacker uses weak authentication

An attacker substitutes IDs in an API call

An attacker constructs API calls with SQL commands

An attacker performs a DDoS attack

Keeping them publicly accessible

Ignoring them as they are not in use

Properly inventorying and decommissioning them

Allowing them to access production data