APIs & Security Best Practices
The Rust security baseline for HTTP APIs - auth, validation, secrets, dependencies, and operability.
How to Use This List
- Run through before shipping a new public endpoint or integration.
- Map each rule to CI checks where possible (
cargo audit, tests, linters). - Review after security incidents and dependency upgrades.
A - API Design
- Stable error envelope with machine-readable
code. Same JSON shape for all 4xx/5xx. - Version public APIs explicitly.
/v1prefix orAcceptheader contract. - Document status codes and idempotency rules. POST payments require
Idempotency-Key. - Paginate collections; cap
limit. Prevent unbounded DB reads. - Separate public and admin routers. Different auth and rate limits.
B - Authentication & Authorization
- Authenticate every protected route. Middleware or extractor - no forgotten endpoints.
- Short-lived access tokens; rotate refresh tokens. JWT
expvalidated with leeway. - Store passwords with argon2id. Never SHA-256 alone.
- Authorize per resource, not only per route. User A cannot read User B by ID guessing.
- Return 401 vs 403 correctly. Missing auth vs insufficient permission.
C - Input & Data
- Validate at HTTP boundary. Serde +
validatorbefore DB. - Parameterized SQL only. No
format!for query values. - Limit request body size. Tower
RequestBodyLimitLayer. - Verify webhook signatures. HMAC before processing payload.
- GraphQL depth/complexity limits. If GraphQL is exposed.
D - Secrets & Crypto
- Secrets from env/vault, never in git. Use
secrecytypes in config. - TLS everywhere in production. rustls or edge termination documented.
- Rotate keys with overlap window. JWT JWKS support multiple keys.
- Use vetted crypto crates. ring/RustCrypto - no custom ciphers.
- Redact Authorization and cookies in logs.
E - Abuse & Supply Chain
- Rate limit login and expensive endpoints. Redis counters when multi-instance.
- Run
cargo auditandcargo denyin CI. Fail on critical advisories. - Commit
Cargo.lockfor applications. Reproducible builds. - Vet new dependencies in PR. cargo vet or security review checklist.
- Security headers on HTTP responses. CSP,
X-Content-Type-Options,frame-ancestors.
FAQs
Top production security mistake?
Missing auth on a new route and logging secrets in debug traces.
Rust memory safety enough?
No - logic flaws, injection, and auth bugs still happen.
Minimum auth stack?
argon2 passwords or OIDC + JWT validation + HTTPS + rate limits.
OpenAPI public?
Disable or protect in production; exposes attack surface map.
Penetration test cadence?
Annually or before major public launch; fix findings by severity.
SBOM required?
Increasingly for enterprise customers - cargo cyclonedx.
unsafe code?
Isolate in audited crate; #![forbid(unsafe_code)] in API binary if policy allows.
GDPR delete?
Document data map; cascade delete tokens, cache keys, and backups policy.
Security champions?
One owner reviews security-sensitive PRs weekly.
Incident runbook?
Revoke tokens, rotate secrets, enable enhanced logging, notify customers per policy.
Related
- API Design Basics - REST conventions
- JWT & OAuth2 - Token flows
- Input Validation & Injection - Attack defenses
- Supply-Chain Security - Dependency audit
- Web Backends Best Practices - HTTP service rules
Stack versions: This page was written for Rust 1.97.0 (edition 2024), Tokio 1.x, Axum 0.8, serde 1.0, sqlx 0.8, clap 4, and Polars 0.46+.