Status Services → Expedited WAF → Expedited SSL → IP Investigator → Real Email Resources → Knowledge Base → AWS In Plain English → Blog → Heroku Security Resources Use Cases → DDoS Protection → Bot & Malicious Traffic Blocking → Fraud Detection & Prevention → Credential Stuffing Protection → Compliance → OWASP Top 10 Compliance → AI Scraping Prevention → Geographic Request Blocking → Virtual Patching About Contact

API Security Checklist for Heroku

API Security Fundamentals

APIs are the backbone of modern applications, but they’re also a prime target for attackers. Unlike web applications where users interact through browsers, APIs are accessed programmatically—making them easier to probe and exploit at scale.

This checklist covers essential security controls for any API deployed on Heroku, regardless of your framework (Express, Rails, Django, FastAPI, etc.).

Authentication

Use Strong Authentication Methods

  • Require authentication for all non-public endpoints
  • Use industry-standard protocols (OAuth 2.0, JWT, API keys)
  • Never accept credentials in URL parameters (use headers or request body)
  • Implement proper password hashing (bcrypt, Argon2) for user accounts
  • Enforce strong password policies (minimum length, complexity)

API Key Management

  • Generate cryptographically secure API keys (minimum 32 characters)
  • Store API keys securely using Heroku config vars, never in code
  • Implement key rotation with grace periods for migration
  • Scope API keys by permission (read-only vs read-write)
  • Log API key usage for audit and anomaly detection

JWT Best Practices

  • Use strong signing algorithms (RS256 or ES256, not HS256 with weak secrets)
  • Set appropriate token expiration (15-60 minutes for access tokens)
  • Implement refresh token rotation for long-lived sessions
  • Validate all JWT claims (iss, aud, exp, nbf)
  • Never store sensitive data in JWT payload (tokens can be decoded)

Authorization

Implement Proper Access Control

  • Enforce authorization on every request (don’t rely on client-side checks)
  • Use role-based access control (RBAC) for multi-user systems
  • Validate resource ownership (users can only access their own data)
  • Prevent horizontal privilege escalation (User A accessing User B’s data)
  • Prevent vertical privilege escalation (regular user accessing admin functions)

Object-Level Authorization

  • Check authorization for every object access (IDOR prevention)
  • Use unpredictable object IDs (UUIDs instead of sequential integers)
  • Log authorization failures for security monitoring

Input Validation

Validate All Input

  • Validate input on the server (never trust client-side validation)
  • Use allowlists, not denylists (define what’s allowed, not what’s forbidden)
  • Validate data types (integers, strings, emails, dates)
  • Enforce length limits (prevent buffer overflows and resource exhaustion)
  • Sanitize input before database queries (prevent SQL injection)

Content Type Validation

  • Require Content-Type headers on requests with bodies
  • Validate Content-Type matches actual content
  • Limit accepted content types to what your API actually uses
  • Validate file uploads (type, size, content)

Rate Limiting

Protect Against Abuse

  • Implement rate limiting on all endpoints - Rate Limiting Guide
  • Apply stricter limits to authentication endpoints
  • Return rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining)
  • Use 429 status code for rate-limited requests
  • Consider per-user limits in addition to per-IP

DDoS Protection

Transport Security

Encrypt All Traffic

  • Force HTTPS on all endpoints - HTTPS Guide
  • Use TLS 1.2 or higher (disable TLS 1.0/1.1)
  • Enable HSTS to prevent protocol downgrade attacks
  • Use secure cookies (Secure, HttpOnly, SameSite flags)

Certificate Management

  • Use valid SSL certificates (Heroku ACM or custom)
  • Monitor certificate expiration
  • Consider certificate pinning for mobile apps

CORS Configuration

Secure Cross-Origin Requests

  • Configure CORS explicitly (don’t use wildcard * in production)
  • Allowlist specific origins that need access
  • Limit allowed methods to what your API uses
  • Limit allowed headers to what your API requires
  • Set appropriate max-age for preflight caching

Error Handling

Don’t Leak Information

  • Use generic error messages in production (no stack traces)
  • Return consistent error format (JSON with error code and message)
  • Don’t reveal internal implementation (database type, library versions)
  • Log detailed errors server-side for debugging
  • Use appropriate HTTP status codes (400, 401, 403, 404, 500)

Logging and Monitoring

Track Everything

  • Log all authentication attempts (success and failure)
  • Log authorization failures
  • Log input validation failures
  • Log rate limit violations
  • Include request IDs for tracing
  • Never log sensitive data (passwords, API keys, tokens)

Monitor for Anomalies

  • Alert on authentication spikes
  • Alert on error rate increases
  • Alert on unusual traffic patterns
  • Review logs regularly

API Versioning

Manage Breaking Changes

  • Version your API (URL path or header)
  • Maintain backward compatibility when possible
  • Document deprecation timelines
  • Provide migration guides for breaking changes

Documentation

Security in Documentation

  • Document authentication requirements
  • Document rate limits
  • Document error codes
  • Keep documentation current
  • Don’t document internal/admin endpoints publicly

Testing

Security Testing

  • Test authentication bypass attempts
  • Test authorization (IDOR) vulnerabilities
  • Test input validation with malicious payloads
  • Test rate limiting
  • Run automated security scans (OWASP ZAP, Burp Suite)

Resources

Get Started

Install Expedited WAF Book a Security Review