Think It's Too Soon to Care About API Security as a Junior Developer?

When was the last time you thought about the security of an API you used in your project? If you're a junior front-end developer, the answer might be 'not often'. For many of us, the focus is on building beautiful UIs, improving performance, and translating designs into functional web applications. But what if I told you that your hard work could be damaged if API security is overlooked? As a front-end developer primarily working with Next.JS, I was in the same situation not long ago.

For the most part, my understanding of APIs consisted of fetching data and displaying it in the UI. However, over the past two years, I embarked on a journey to explore API security. Through courses, conferences, and hands-on projects, I not only learned about securing APIs but also realized how essential this knowledge is for developers at all levels. In this article, I’ll share my experience with learning API security, highlight its importance, and give examples of how I integrated the new findings into my day-to-day work in the hope of inspiring junior developers to start building secure coding habits when working with APIs.

How I Came Across API Security

When I started as a front-end developer, I was drawn to the visual and interactive aspects of web development. Working with frameworks like Next.JS, I enjoyed creating dynamic user interfaces and integrating APIs to fetch data. Admittedly, at that point I was only concerned with learning to work with APIs; security didn't even cross my mind. I assumed that the third-party APIs I was consuming in my projects were secure by default and rarely questioned whether the data being returned was safe to display.

This mindset changed when I came across a video on API security in late summer of 2023. It was an interview with Corey Ball providing a live demo on hacking APIs and speaking about the API Penetration Testing course he had authored on APIsec University. Despite not having understood much of the technicalities, this new topic piqued my curiosity. What began as a casual YouTube binge turned into a deep dive into API security.

Why I Started My API Security Journey

Data breaches are distressing events that erode trust between users and companies. When users share personal information, they expect it to be protected. A breach not only damages this trust but also undermines the hard work of developers. According to a 2024 cybersecurity report, 66% of consumers would lose faith in a company following a data breach, emphasizing the need for robust security measures. As a front-end developer and user of web apps, I felt driven to ensure my work didn’t contribute to potential harm. This motivation led me to explore API security by enrolling in the API Security Fundamentals course at APIsec University.

The course introduced me to real-world API breaches from major companies, highlighting how failing to handle APIs securely can lead to devastating consequences like data theft and account takeovers. I learned about the OWASP API Security Top 10 and the broader application security landscape. This knowledge shifted my perspective on APIs—they’re not just tools for fetching data but critical connections to sensitive information.

That was when I realized that security is not an optional add-on that a developer can leave to someone else. It's a key component that enables us to build resilient applications. By integrating security into our workflows, we protect our users and ensure our hard work results in trustworthy, functional applications. This perspective-shifting moment transformed my approach to development, making security a core focus rather than a 'nice-to-know'.

Learning About API Security: Courses, Tools, and Challenges

Since September 2023, I have completed several courses, attended multiple webinars and conferences, and earned two certifications—CASA and ACP. The courses covered essential topics such as:

The instructors, all professionals in the field, made this complex topic of API security engaging, accessible and concise. They showcased real-world examples, practical tools, and strategies to secure APIs, which felt increasingly relevant to my work. When joining the Discord channel, what stood out to me, though, was the supportive and inclusive community. The spirit of education and collaboration is alive—security professionals share their expertise and help each other grow their knowledge.

Was this topic intimidating at first? Absolutely. As someone who had just learned to fetch data from APIs, diving into API security felt quite challenging. However, I discovered that learning API security helped me understand APIs better. Pacing my learning time and focusing on one aspect of API security at a time made the journey less overwhelming. Discovering API security has given me a surprising and interesting approach to how I learn web development, and I can say that my curiosity for the topic is only increasing.

Applying API Security in Practical Projects

After taking a couple of courses, I started thinking about how I could translate these new findings into my day-to-day work. To apply what I learned, I started with a simple practice project in Next.JS consuming a retailer's API found on the Rapid API marketplace and gradually built on it as I learned more. The project allowed users to search for products and view suggestions in real-time as they typed. Here’s how I integrated API security concepts into my project:

  • Rate Limiting: To prevent abuse of the API, I implemented rate limiting using middleware. This added an extra layer of protection, ensuring that the API wasn’t overused.
  • Type Safety and Validation: Using TypeScript with Zod schema validation, I ensured only valid data was returned and displayed.
  • API Documentation: I created an OpenAPI spec file, enabling APIsec Scanner, a fully automated tool, to scan the API for vulnerabilities.
  • Security Headers: I configured headers to protect against common web attacks.
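
As an added example, not code from the original project, here is framework-independent TypeScript for two of the items above: a fixed-window rate limiter keyed by client identifier and a helper that applies a set of security headers. The RateLimiter class, the header values and the clientId parameter are my assumptions; a Next.JS middleware would call these with the request's client identifier and the outgoing response headers.

```typescript
// Added example (not from the original project): a fixed-window rate limiter
// and a security-header helper, written as plain TypeScript so the logic can be
// tested outside Next.js. A middleware would call these once per request.
interface Bucket { windowStart: number; count: number } // window start (ms) and requests seen

class RateLimiter {
  private buckets = new Map<string, Bucket>();
  private limit: number;    // max requests per window
  private windowMs: number; // window length in milliseconds

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // True if the request may proceed, false if the client is over the limit.
  // `now` is injected so behaviour can be tested deterministically.
  allow(clientId: string, now: number = Date.now()): boolean {
    const b = this.buckets.get(clientId);
    if (!b || now - b.windowStart >= this.windowMs) {
      this.buckets.set(clientId, { windowStart: now, count: 1 }); // new window
      return true;
    }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }

  // Seconds until the window resets, for a Retry-After header on 429 responses.
  retryAfterSeconds(clientId: string, now: number = Date.now()): number {
    const b = this.buckets.get(clientId);
    if (!b) return 0;
    return Math.max(0, Math.ceil((b.windowStart + this.windowMs - now) / 1000));
  }
}

// Response headers that mitigate common browser-side attacks (assumed policy values).
const SECURITY_HEADERS: Record<string, string> = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
};

// Copies every security header onto the outgoing response's header map.
function applySecurityHeaders(headers: Map<string, string>): Map<string, string> {
  for (const name in SECURITY_HEADERS) headers.set(name, SECURITY_HEADERS[name]);
  return headers;
}
```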

To me, this project was more than a learning exercise—it was a practical demonstration of how API security could become a natural part of my development workflow.

For front-end or full-stack developers looking to work securely with APIs, I’d encourage exploring the security features of your framework. For example, when working with Next.JS, leveraging features like middleware and server-only modules, or using NextAuth.js for session management, makes it easier to build applications that are not only functional but also more resilient against security threats.

As part of my journey, I was also introduced to tools like APIsec Scanner, Postman, and Burp Suite which allowed me to evaluate my projects from a security perspective and assess the APIs I worked with. That's why I regularly attend webinars that offer actionable examples and ideas on, for example, testing for Broken Object Level Authorization (BOLA) using automated tools.

Building API Security Habits in Daily Development

One of the biggest lessons I learned is that security isn’t an afterthought—it’s a key component in building robust web applications. Just as we prioritize performance, accessibility or personalization, security should be integrated into our workflow from the start. Here are a few habits I’ve adopted:

  • Input Validation: Validate incoming data to prevent malicious inputs, even when integrating third-party APIs. If the data source is compromised there's a high chance your app will be too.
  • Separate Responsibilities: Avoid filtering data in the UI. That is the server-side application's job. The UI is just the presentation layer, which can be easily bypassed. See the Real-World Breach: Venmo case study to understand how impactful this can be.
  • Authentication vs. Authorization: Ensure the app enforces strict authorization rules. Authentication verifies who a user is, but authorization determines what data they can access.
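
As an added example, not code from the original project, the three habits above on the server side: input validation, a handler that wrongly trusts the UI to filter, and the same handler with an explicit ownership check after authentication. The Session and Order types, the in-memory ORDERS store and the id format are constructed stand-ins for a Next.JS route handler and its database.

```typescript
// Added example (not from the original project): validation and object-level
// authorization done on the server. Session, Order and ORDERS are constructed
// stand-ins for a Next.js route handler's session and database.
interface Session { userId: string }                          // who the caller is
interface Order { id: string; ownerId: string; total: number }

// Constructed sample data standing in for a database table.
const ORDERS: Order[] = [
  { id: "ord-1", ownerId: "user-alice", total: 42 },
  { id: "ord-2", ownerId: "user-bob", total: 17 },
];

type Result =
  | { status: 200; body: Order }
  | { status: 400 | 401 | 403 | 404; body: { error: string } };

// Pattern the post warns against: the server hands out any order by id and
// relies on the UI to only ever request the caller's own orders. Because the
// UI is just the presentation layer, any client can ask for any id.
function getOrderTrustingUi(orderId: string): Result {
  const order = ORDERS.find((o) => o.id === orderId);
  return order ? { status: 200, body: order } : { status: 404, body: { error: "not found" } };
}

// Server-side pattern: validate the input, authenticate (who is calling), then
// authorize (may this caller read this particular object?).
function getOrderAuthorized(session: Session | null, orderId: string): Result {
  if (!/^ord-\d{1,10}$/.test(orderId)) {                     // assumed id format
    return { status: 400, body: { error: "invalid order id" } };
  }
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  const order = ORDERS.find((o) => o.id === orderId);
  if (!order) return { status: 404, body: { error: "not found" } };
  if (order.ownerId !== session.userId) {                     // ownership rule
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: order };
}
```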

The benefit of approaching development with API security awareness in mind is that we can write more secure code from the onset, identify potential vulnerabilities early and adopt best practices that strengthen the overall security posture of our applications.

What I'm Currently Studying

The latest course I've enrolled in is titled API Security in the World of DevSecOps and is led by cybersecurity expert Scott Bly. This course explores the intersection of API security and DevSecOps, providing a practical framework for embedding security into every phase of the software development lifecycle. As a developer, it's important to understand why releasing code to market quickly and repeatably has led to an increase in vulnerability rates and what one can do to prevent or fix code problems in Dev versus Ops.

One surprising fact I've learned was that the ratio of developers to application security engineers is about 1200:1 and that this ratio is not anticipated to change soon! Thus, given the staggering workload for AppSec teams to keep up with the pace of innovation and code release, developers play an increasingly active role in ensuring that their code is as secure as possible.

It's Not Too Early to Care About API Security

Reflecting on my journey so far, I can confidently say that learning API security has transformed my approach to web development. It has given me the awareness and tools to build more secure applications and develop a security-first mindset.

If you’re a junior developer, I encourage you to start exploring API security. Begin with small steps—enroll in a course of your liking, experiment with tools, or start applying security best practices to your side projects. The knowledge you gain will not only enhance your skills but also protect the work you’ve poured your heart into. The learning experience is much more rewarding and enjoyable when it's a consequence of your initiative rather than a requirement from your company. If you're ready to take the first step, check out the resources on APIsec University or dive into the OWASP API Security Top 10!



Copyright 2023 ©Devroxana. All rights reserved.