Need help with your APIs? I offer API discovery, governance & evangelism services. Explore services →
API Evangelist API Evangelist
Learnings
Guidance
Toolbox
Alignment
API Evangelist LLC

Input Validation (Security)

Require that every API validates all incoming data against its schema before acting on it, so I want types, formats, lengths, ranges, and required fields checked at the edge and anything that does not conform rejected with a clear error. I am unbending on this because untrusted input is the root of a huge share of API breaches, from injection to overflow to malformed payloads that crash a handler, and the client cannot be trusted to send you clean data no matter how nicely you documented it. Validating against your OpenAPI schema turns your contract into a working defense rather than a suggestion. Reject early, reject clearly, and never let unvalidated data reach your business logic or datastore.

Strategies

API Data Is Classified and Protected

All data exposed through APIs must be classified by sensitivity level, with appropriate protections applied based on classification, ensuring that PII, financial data, and other sensitive informati...

Experiences

Security

API security is a top priority for any enterprise, with even higher standards for externally available APIs. However, security doesn’t end with the APIs an enterprise produces—it also applies to co...

Quality

The quality of HTTP APIs powering an enterprise tends to decline as the number of ungoverned APIs grows across internal, partner, and public landscapes. Low-quality APIs lead to poor downstream exp...

Trust

Establish trust with API consumers will evolve and build over time, and is something that can be lost in a very short period of time. Trust will depend on other experiences like quality and reliabi...

Lifecycle

checklist Testing Beta

Testing is how I know the API does what the contract says. Contract testing, integration testing, and validation against the definition keep implementation and documentation honest with each other....

security Security Production

Security runs through every stop on this lifecycle, but it also deserves its own attention. OWASP alignment, vulnerability scanning, and defense in depth protect both the provider and the consumer....

balance Governance Production

Governance is how everything on this lifecycle stays aligned as an operation scales. Policies, rules, and standards applied consistently across teams are what keep APIs coherent without slowing eve...