Hello, I'm Maneshwar. I'm building git-lrc, an AI code reviewer that runs on every commit. It is free, unlimited, and source-available on Github. Star Us to help devs discover the project. Do give it a try and share your feedback for improving the product.
APIs are the lifeline of modern applications, enabling systems to talk to each other and share data.But without strong access control and secure configurations, APIs can become major attack vectors.
Here's a focused breakdown on how to protect your APIs with proper access control and some essential security headers and configurations.
1. Throttle Requests
Prevent brute-force and DDoS attacks
Throttling restricts the number of requests a client can make in a defined time window. This is essential to stop:
- Brute-force login attempts where attackers guess credentials by trying many combinations rapidly.
- DDoS attacks that aim to overwhelm your backend with massive traffic.
In Go (Echo + Middleware):
e.Use(middleware.RateLimiter(middleware.NewRateLimiterMemoryStore(20))) // 20 reqs/sec per IP
Use more advanced strategies (e.g., token bucket) or tools like Nginx’s limit_req_zone, Cloudflare rate limiting, or AWS WAF for scalable throttling.
2. Use HTTPS
Encrypt everything in transit
Always serve your APIs over HTTPS to prevent eavesdropping and MITM (man-in-the-middle) attacks. Install a valid SSL/TLS certificate and redirect all HTTP traffic to HTTPS.
server {
listen 80;
server_name api.example.com;
return 301 https://$server_name$request_uri;
}
Cipher Security:
- Use: TLS 1.2+, AES-GCM, ECDHE, ChaCha20
- Avoid: RC4, DES, TLS 1.0/1.1
Most modern web servers allow you to configure cipher suites explicitly.
3. Enforce HSTS
Block SSL Strip Attacks
SSL Strip attacks work by downgrading secure HTTPS connections to HTTP. Enabling HSTS (HTTP Strict Transport Security) forces browsers to only use HTTPS for your domain.
How to Enable:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
This tells browsers to:
- Use HTTPS for future requests
- Include all subdomains
- Preload your domain into browser HSTS lists (optional, but safer)
4. Disable Directory Listings
Don’t expose your internals
Directory listings allow visitors to browse files if an index file isn't found. If left enabled, attackers can:
- Discover sensitive files (e.g., backups, environment configs)
- Probe your deployment for exploits
Apache:
Options -Indexes
Nginx:
autoindex off;
This is a small but critical configuration for preventing unnecessary exposure.
5. Restrict Private APIs
Use IP allowlists
Private APIs (like internal dashboards, service-to-service endpoints, or CI/CD webhooks) should never be publicly accessible.
Restrict access by IP on your server, reverse proxy, or at the cloud firewall level.
Nginx Example:
location /internal-api/ {
allow 192.168.0.0/24;
deny all;
}
In cloud environments:
- Use Security Groups (AWS)
- Use Firewall Rules (GCP)
- Use NSGs (Azure)
Also, consider mutual TLS (mTLS) for highly sensitive internal APIs.
Bonus: Combine with Authentication & Authorization
Access control isn’t just IP or rate limiting. Combine with:
- OAuth2 / JWT tokens
- API Keys (for low-risk access)
- RBAC (Role-Based Access Control) to enforce what each user/system can do
- Scopes and Claims to control access granularity
Final Thoughts
Securing an API isn’t just about slapping on authentication. It’s about layered defenses:
- Limit exposure (IP restrict, HSTS, disable listings)
- Minimize brute-force surface (throttling)
- Encrypt everything (HTTPS with good ciphers)
- Add strict access control (mTLS, roles, scopes)
Security isn’t a one-time setup. Regularly audit, test, and improve.
*AI agents write code fast. They also silently remove logic, change behavior, and introduce bugs -- without telling you. You often find out in production.
git-lrc fixes this. It hooks into git commit and reviews every diff before it lands. 60-second setup. Completely free.*
Any feedback or contributors are welcome! It's online, source-available, and ready for anyone to use.
⭐ Star it on GitHub:
HexmosTech
/
git-lrc
Free, Unlimited AI Code Reviews That Run on Commit
| 🇩🇰 Dansk | 🇪🇸 Español | 🇮🇷 Farsi | 🇫🇮 Suomi | 🇯🇵 日本語 | 🇳🇴 Norsk | 🇵🇹 Português | 🇷🇺 Русский | 🇦🇱 Shqip | 🇨🇳 中文 |
git-lrc
Free, Unlimited AI Code Reviews That Run on Commit
AI agents write code fast. They also silently remove logic, change behavior, and introduce bugs -- without telling you. You often find out in production.
git-lrc fixes this. It hooks into git commit and reviews every diff before it lands. 60-second setup. Completely free.
See It In Action
See git-lrc catch serious security issues such as leaked credentials, expensive cloud operations, and sensitive material in log statements
git-lrc-intro-60s.mp4
Why
- 🤖 AI agents silently break things. Code removed. Logic changed. Edge cases gone. You won't notice until production.
- 🔍 Catch it before it ships. AI-powered inline comments show you exactly what changed and what looks wrong.
- 🔁 Build a…
Top comments (0)