Require that every API is served exclusively over encrypted transport, so I want TLS enforced everywhere, plain HTTP either redirected or refused, weak protocols and ciphers disabled, and HSTS in place. I hold this as non-negotiable because anything traveling in the clear can be read or tampered with in transit, and there is simply no acceptable reason in this era to move credentials or data across an unencrypted connection. Strong transport security is also the foundation your consumers' trust is built on, since it is the visible promise that you take the confidentiality and integrity of their data seriously. Set a modern TLS baseline, keep it current as standards evolve, and verify it rather than assuming a certificate somewhere means the whole path is safe.
Transport (Security)
Strategies
API Data Is Classified and Protected
All data exposed through APIs must be classified by sensitivity level, with appropriate protections applied based on classification, ensuring that PII, financial data, and other sensitive informati...
APIs Earn and Maintain Consumer Trust
All APIs must demonstrate trustworthiness through transparent service level commitments, consistent deprecation policies, reliable performance, proper security, and clear legal terms, building the ...
Experiences
Security
API security is a top priority for any enterprise, with even higher standards for externally available APIs. However, security doesn’t end with the APIs an enterprise produces—it also applies to co...
Trust
Establish trust with API consumers will evolve and build over time, and is something that can be lost in a very short period of time. Trust will depend on other experiences like quality and reliabi...
Compliance
Compliance is the experience of meeting the legal, regulatory, and internal obligations that come with operating an API. For many teams it feels like a burden bolted on at the end, but the reality ...
Lifecycle
security Security Production
Security runs through every stop on this lifecycle, but it also deserves its own attention. OWASP alignment, vulnerability scanning, and defense in depth protect both the provider and the consumer....
balance Governance Production
Governance is how everything on this lifecycle stays aligned as an operation scales. Policies, rules, and standards applied consistently across teams are what keep APIs coherent without slowing eve...