
Case Study — API Security / Application Security

API Security Assessment & Hardening Using Node.js

This project demonstrates the process of identifying common API security weaknesses and applying layered controls to harden a REST API. The API was built with Node.js and Express, tested with Thunder Client, and secured using JWT authentication, role-based access control, rate limiting, input validation, and security logging.


Status

Completed Case Study

Focus

API Security

Stack

Node.js • Express

Controls

JWT • RBAC • Zod

What This Project Shows

Identified exposed API routes and missing authentication controls.
Implemented JWT-based authentication for protected endpoints.
Applied role-based access control to restrict admin functionality.
Added login rate limiting to reduce brute-force abuse risk.
Used Zod to reject malformed or weak request input.
Logged security events for failed logins, missing tokens, and unauthorized access attempts.

Objective

The objective of this project was to demonstrate the identification, exploitation, and mitigation of common API security vulnerabilities within a modern web application environment. Rather than focusing only on building a functional API, this project examined how insecure design decisions can expose sensitive data and then applied layered controls to reduce risk.

The project provided hands-on practice with authentication, authorization, input validation, abuse prevention, and security logging. These are core areas of API security because modern applications often depend on APIs to process sensitive user and business data.

Scenario

APIs are frequently targeted by attackers because they expose application logic and data through structured endpoints. Weak authentication, missing authorization checks, and poor input validation can lead to data exposure, privilege abuse, or service disruption.

In this scenario, a REST API was intentionally developed with limited security controls to simulate a vulnerable environment. The API was then tested to identify exposed routes and access control weaknesses before security controls were added and validated.

Environment and Tools

The project was built in a local development environment using Node.js and Express. Thunder Client was used to send API requests, validate responses, and capture testing evidence.

JSON Web Tokens were used to support authentication, Zod was used for input validation, and Express Rate Limit was used to limit repeated login attempts. The project also included security event logging to show how suspicious behavior can be recorded for later review.

Node.js / Express — REST API development
Thunder Client — request testing and evidence capture
JWT — token-based authentication
RBAC — role-based admin route protection
Express Rate Limit — login abuse prevention
Zod — input validation and request structure enforcement
Security Logging — event visibility for failed and unauthorized actions

Vulnerability Simulation

During the initial phase, the API included an exposed profile endpoint that returned sensitive user information without requiring authentication. This demonstrated how missing authentication can expose data to anyone who knows or discovers an endpoint.

This type of issue is common in poorly secured APIs because developers may focus on functionality first and delay access control until later. The test showed why authentication and authorization must be enforced as part of the API design, not added as an afterthought.

Security Controls Implemented

The first major improvement was adding JWT authentication. After a successful login, the API returns a token that must be included in the Authorization header to access protected endpoints. This prevents unauthenticated access to sensitive routes.

Role-based access control was then added to protect administrative functionality. Standard users can access normal protected routes, but only users with the admin role can access the admin endpoint. This helps prevent privilege abuse and unauthorized access to sensitive functionality.

Additional controls included login rate limiting to reduce brute-force attempts, Zod input validation to reject malformed requests, and security logging to record failed login attempts, missing token attempts, invalid token attempts, and unauthorized admin access attempts.

Validation and Results

Testing confirmed that the hardened API behaved as intended. The profile endpoint required a valid JWT, the admin endpoint denied access to standard users, and admin users were able to access restricted functionality only after successful authentication.

Rate limiting blocked repeated failed login attempts, and input validation rejected malformed requests before they reached the authentication logic. Security logs also showed evidence of invalid inputs, missing tokens, failed logins, and unauthorized access attempts.

The results show that the API moved from an insecure implementation to a layered security model with multiple controls working together.

Skills and Concepts Demonstrated

API Security • Application Security • Node.js • Express • JWT Authentication • Role-Based Access Control • Rate Limiting • Input Validation • Zod • Thunder Client • Security Logging • Secure Coding • Access Control Testing

Why This Project Matters

API security is important because APIs often provide direct access to application data and business logic. If authentication, authorization, validation, and abuse prevention are weak, attackers may be able to access data, perform unauthorized actions, or overwhelm services.

This project matters because it shows practical application security thinking: identify insecure behavior, understand the risk, implement controls, and validate the outcome with evidence. It also expands the portfolio beyond SIEM and network architecture into secure application design.

What Could Be Improved

Future improvements could include integrating API security logs with a SIEM platform such as Wazuh, adding persistent database storage, improving token handling with refresh tokens, and deploying the API behind a cloud API gateway or reverse proxy.

Additional enhancements could include automated security testing, OWASP API Security Top 10 mapping, Docker containerization, and expanded logging for detection engineering use cases.

Resume Bullet

Designed and secured a Node.js API by identifying vulnerabilities and implementing JWT authentication, role-based access control, rate limiting, input validation, and security logging to protect against real-world API attacks.

GitHub Repository

The GitHub repository contains the API source code, screenshots, report, and supporting documentation for this application security case study.


Full Report and Supporting Documentation

The full report includes the project objective, scenario, environment, vulnerability simulation, authentication and access control implementation, rate limiting, input validation, security logging, validation results, and future improvements.
