Need help with your APIs? I offer API discovery, governance & evangelism services. Explore services →
API Evangelist API Evangelist
Learnings
Guidance
Toolbox
Alignment
API Evangelist LLC

API Data Is Classified and Protected

All data exposed through APIs must be classified by sensitivity level, with appropriate protections applied based on classification, ensuring that PII, financial data, and other sensitive information is properly handled, encrypted, and only accessible to authorized consumers.

Policies

Data Classification (Security)

Require that every API classifies the data it moves and applies protections that match that classification, so I want fields and payloads labeled as public, internal, confidential, or regulated, wi...

Transport (Security)

Require that every API is served exclusively over encrypted transport, so I want TLS enforced everywhere, plain HTTP either redirected or refused, weak protocols and ciphers disabled, and HSTS in p...

Input Validation (Security)

Require that every API validates all incoming data against its schema before acting on it, so I want types, formats, lengths, ranges, and required fields checked at the edge and anything that does ...

CORS (Security)

Require that every browser-facing API sets a deliberate, least-privilege CORS policy, so I want explicit allowed origins, methods, and headers rather than a lazy wildcard slapped on to make an erro...

Privacy Policy

Publishing a privacy policy covering the producer and consumers of an API, as well as end-users of applications, adding to the legal resources that are available to 3rd party developers when puttin...

OWASP

Require that OWASP API security top ten has been applied as part of API security.

Experiences

Security

API security is a top priority for any enterprise, with even higher standards for externally available APIs. However, security doesn’t end with the APIs an enterprise produces—it also applies to co...

Trust

Establish trust with API consumers will evolve and build over time, and is something that can be lost in a very short period of time. Trust will depend on other experiences like quality and reliabi...

Compliance

Compliance is the experience of meeting the legal, regulatory, and internal obligations that come with operating an API. For many teams it feels like a burden bolted on at the end, but the reality ...

Legal

The legal aspects of producing and consuming APIs can quickly derail even the best-laid plans for API producers and disrupt the roadmaps of developers building applications and integrations. Terms ...