API Security checklist

The categories below are the OWASP Top 10 (2013 edition) risk categories, applied as a checklist for APIs:

  • A1 Injection
  • A2 Broken authentication and session management
  • A3 XSS
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure
  • A7 Missing Function Level Access Control
  • A8 Cross Site Request Forgery
  • A9 Using Components with Known Vulnerabilities
  • A10 Unvalidated Redirects and Forwards
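As an added example (not part of the original checklist), the two access-control items that matter most for APIs, A4 (Insecure Direct Object References) and A7 (Missing Function Level Access Control), shown as a vulnerable handler next to its hardened form. The in-memory record store, the user names and the "user"/"admin" roles are all constructed for this illustration; a real API would take the caller from a verified session or token, not from a parameter.

```python
"""Constructed example: a tiny in-memory "records" API showing OWASP A4 (IDOR)
and A7 (missing function level access control), vulnerable beside hardened.
Users, records and roles are made up for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # assumed roles for the example: "user" or "admin"


# Constructed sample data: record id -> record, each with an owner.
RECORDS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "bob", "body": "bob's invoice"},
}


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


def get_record_vulnerable(caller: User, record_id: int, store: dict = RECORDS) -> dict:
    # A4: the id taken from the URL is trusted directly, so any authenticated
    # caller can read any record just by guessing or incrementing the id.
    return store[record_id]


def get_record(caller: User, record_id: int, store: dict = RECORDS) -> dict:
    # Fix for A4: resolve the object, then check that THIS caller may see it.
    record = store.get(record_id)
    if record is None or (record["owner"] != caller.name and caller.role != "admin"):
        # Same error for "does not exist" and "not yours": the response must not
        # reveal which ids are valid, or the endpoint becomes an enumeration oracle.
        raise Forbidden("record not found")
    return record


def delete_record_vulnerable(caller: User, record_id: int, store: dict = RECORDS) -> bool:
    # A7: a privileged action "protected" only by not being linked from the UI;
    # anyone who knows the route can call it.
    store.pop(record_id, None)
    return True


def delete_record(caller: User, record_id: int, store: dict = RECORDS) -> bool:
    # Fix for A7: enforce the required role server-side on every privileged call,
    # regardless of what the client was shown.
    if caller.role != "admin":
        raise Forbidden("admin role required")
    return store.pop(record_id, None) is not None


if __name__ == "__main__":
    bob = User("bob", "user")
    print("vulnerable: bob reads alice's record ->", get_record_vulnerable(bob, 101))
    try:
        get_record(bob, 101)
    except Forbidden as exc:
        print("hardened:   bob reads alice's record ->", exc)
```

The `store` parameter exists only so the functions can be exercised against a fresh copy of the sample data; the point to carry into a real codebase is that both checks happen after the object is resolved and before anything is returned or mutated, on the server, for every request.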

See here