Securing API Endpoints: Best Practices


Andrius Lukminas · December 14, 2025 · 5 min read · 424 views

Security Checklist

Every API endpoint goes through this checklist:

1. Authentication

// Resolve the session cookie to a user; a missing user means no valid session
const { user, session } = await validateRequest();
if (!user) {
  return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}

2. Authorization

// Authentication says who the caller is; authorization checks what that role may do
if (!['ADMIN', 'OWNER'].includes(user.role)) {
  return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
}

3. Input Validation

// Validate the parsed body against a schema before any of it reaches business logic
const validation = inputSchema.safeParse(body);
if (!validation.success) {
  return NextResponse.json({ error: 'Invalid input' }, { status: 400 });
}

4. Rate Limiting

Public endpoints (like login) have rate limits to prevent brute-force attacks.

5. SQL Injection Prevention

Prisma's parameterized queries prevent SQL injection by default. Never use raw SQL with user input.

6. XSS Prevention

React escapes output by default. For HTML content, we sanitize with DOMPurify.

7. CORS Configuration

// Only allow requests from our domains
const allowedOrigins = [
  'https://boottify.com',
  'https://control.boottify.com',
];
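The checklist steps above, combined into one framework-agnostic request guard, as an added example that is not code from the original post. It assumes an in-memory session store, a hand-written stand-in for the Zod `safeParse` call, and a fixed-window rate limiter keyed by client IP; all of these are assumptions for illustration.

```javascript
// Added example, not from the original post. Sessions, schema and limiter are stand-ins.
const ALLOWED_ORIGINS = ['https://boottify.com', 'https://control.boottify.com'];
// Constructed sample sessions: cookie value -> user record
const SESSIONS = new Map([
  ['sess_ok', { id: 1, role: 'ADMIN' }],
  ['sess_user', { id: 2, role: 'USER' }],
]);

function json(body, status) { return { status, body }; }

// Step 1: authentication. Map the session cookie to a user, or null if absent/unknown.
function authenticate(headers) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(headers.cookie || '');
  return m ? (SESSIONS.get(m[1]) ?? null) : null;
}

// Step 3: input validation. Stand-in for inputSchema.safeParse(body).
function validateInput(body) {
  const errors = [];
  if (typeof body?.name !== 'string' || body.name.length > 64) errors.push('name');
  if (!Number.isInteger(body?.quantity) || body.quantity < 1) errors.push('quantity');
  if (errors.length) return { success: false, errors };
  // Only pass validated fields onward, never the raw body
  return { success: true, data: { name: body.name, quantity: body.quantity } };
}

// Step 4: fixed-window rate limiter (in-memory, per process). Returns true when over limit.
const hits = new Map();
function rateLimited(key, limit, windowMs, now = Date.now()) {
  const e = hits.get(key);
  if (!e || now - e.start >= windowMs) { hits.set(key, { start: now, count: 1 }); return false; }
  e.count += 1;
  return e.count > limit;
}

// Steps 7, 1, 2 and 3 applied in order; the first failing check decides the response.
function handleAdminRequest({ headers, body }) {
  // Step 7: a browser-sent Origin outside the allowlist is rejected outright.
  if (headers.origin && !ALLOWED_ORIGINS.includes(headers.origin)) {
    return json({ error: 'Origin not allowed' }, 403);
  }
  const user = authenticate(headers);
  if (!user) return json({ error: 'Unauthorized' }, 401);
  if (!['ADMIN', 'OWNER'].includes(user.role)) return json({ error: 'Forbidden' }, 403);
  const validation = validateInput(body);
  if (!validation.success) return json({ error: 'Invalid input', fields: validation.errors }, 400);
  return json({ ok: true, by: user.id, data: validation.data }, 200);
}
```

The rate limiter is shown separately because in the post it applies to public endpoints such as login, not to the authenticated admin route.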

Security is Continuous

We regularly audit endpoints and update dependencies to patch vulnerabilities.
