Authentication and Authorization
Authenticate users with OAuth 2.0 and OpenID Connect, using the authorization code flow with PKCE and never the implicit flow. Authenticate API clients with mutual TLS (mTLS) in addition to OAuth access tokens, and bind access tokens to the client certificate where the authorization server supports it (RFC 8705). Require multi-factor authentication (MFA) for sensitive operations such as payments, payee changes and credential resets. Never rely on HTTP Basic authentication or API keys alone for financial APIs. Validate every JWT on every request: pin the expected signature algorithm server-side (reject "none" and anything not on the allow-list, regardless of what the token header says), verify the signature against the issuer's published keys, and check the exp, nbf, iss and aud claims; a correctly signed token issued for a different audience must still be rejected. For web applications use server-side sessions with cookies marked Secure, HttpOnly and SameSite, rotate the session identifier at login, and expire sessions after a short idle period.
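The JWT checks listed above, as an added example (not code from the original page or from any library it names). It uses only the Python standard library and an HS256 demo key so it runs offline; EXPECTED_ISSUER, EXPECTED_AUDIENCE and the key are assumptions for the example, and a real deployment would verify against the issuer's published public keys fetched from a key service.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: a real deployment fetches the verification key (ideally the
# issuer's public key via its JWKS endpoint) from a key service, never from source.
DEMO_KEY = b"demo-hmac-key-rotate-me"
EXPECTED_ISSUER = "https://login.example.test"  # assumed issuer URL for this example
EXPECTED_AUDIENCE = "payments-api"               # assumed audience identifier of this API
ALLOWED_ALGS = {"HS256"}                         # pinned server-side; the token header is not trusted
CLOCK_SKEW_SECONDS = 30


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Issue a compact JWT. Used here only to build inputs; 'alg' is a parameter so
    a caller can forge an unsigned 'alg: none' token the way an attacker would."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Return the claims if every check passes; raise ValueError with the reason otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. Algorithm pinning: 'none' and any algorithm outside the allow-list are rejected
    #    before the signature is even looked at.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature over header.payload, compared in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. Lifetime: exp is mandatory; nbf is honoured if present; small skew tolerated.
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired or missing exp")
    if "nbf" in claims and now + CLOCK_SKEW_SECONDS < claims["nbf"]:
        raise ValueError("token not yet valid")
    # 4. Issuer and audience: a valid token minted for a different API is still rejected.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def check_token(token: str, key: bytes = DEMO_KEY, now=None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason (safe to log; the token is not)."""
    try:
        validate_token(token, key, now)
        return "ok"
    except (ValueError, KeyError, UnicodeDecodeError) as exc:
        return str(exc) or exc.__class__.__name__
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim is read, so an attacker cannot influence which key or algorithm is used by editing the header, and the audience check is what stops a token legitimately issued to another service from being replayed against this API.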
Encryption Requirements
Encrypt all data in transit with TLS 1.3, or TLS 1.2 restricted to forward-secret (ECDHE) AEAD cipher suites (AES-GCM or ChaCha20-Poly1305); disable TLS 1.0 and 1.1 entirely, together with CBC and RC4 suites. Encrypt sensitive data at rest with AES-256 in an authenticated mode (GCM) under proper key management: use envelope encryption (per-record data keys wrapped by a master key), rotate keys on a schedule and after any suspected compromise, and keep production master keys in hardware security modules (HSMs). Never store plaintext passwords, API keys or cryptographic keys in source code or configuration files: passwords are stored only as salted hashes from a slow, memory-hard function (Argon2id, scrypt or bcrypt), and other secrets are fetched from a secrets manager at runtime.
TLS Configuration
Configure web servers and load balancers with strong TLS settings: TLS 1.2 as the minimum version, TLS 1.3 preferred. Send HSTS with a max-age of at least one year and includeSubDomains (add preload only once every subdomain is served over HTTPS, because removal from the preload list is slow). Disable TLS compression (CRIME) and avoid HTTP compression of responses that mix secrets with attacker-influenced content (BREACH). Use 2048-bit RSA or P-256 ECDSA keys at minimum. Pin certificates in mobile applications only with a backup pin and a rotation plan, because a bad pin locks every user out until the app is updated. Test the configuration regularly with SSL Labs or similar tools and re-test after every certificate or server change.
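The transit-encryption and TLS settings from the two sections above, applied to a Python ssl context, as an added example that is not part of the original page. The certificate, key and client-CA paths are hypothetical placeholders; the audit function is the kind of check a CI job would run against the real configuration rather than trusting that the settings took effect.

```python
import ssl

# Hypothetical file locations, not from the page; pass None to build a context without them.
SERVER_CERT = "/etc/api/tls/server.crt"
SERVER_KEY = "/etc/api/tls/server.key"
CLIENT_CA = "/etc/api/tls/client-ca.pem"

# OpenSSL cipher-list syntax for the TLS 1.2 suites we accept: ECDHE key exchange
# (forward secrecy) with AEAD bulk ciphers only. TLS 1.3 suites are all AEAD and are
# configured separately, so this string does not weaken or affect them.
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"

# Header the application layer must add to every HTTPS response (two years, subdomains).
HSTS_HEADER = ("Strict-Transport-Security", "max-age=63072000; includeSubDomains")


def build_server_tls_context(cert_file=None, key_file=None, client_ca_file=None):
    """Server context: TLS 1.2 floor, AEAD-only suites, compression off, optional mTLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # removes SSLv3, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION              # CRIME: no TLS-level compression
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE    # server, not client, orders the suites
    ctx.set_ciphers(TLS12_CIPHERS)
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file:
        # mTLS: the handshake fails unless the client presents a certificate
        # chaining to our private client CA.
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def audit_tls_context(ctx):
    """Summarise what a context will actually negotiate. Anything listed under
    non_aead_ciphers, or a floor below TLSv1_2, fails the policy above."""
    ciphers = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "mtls_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "non_aead_ciphers": [n for n in ciphers if "GCM" not in n and "CHACHA20" not in n],
        "cipher_count": len(ciphers),
    }


if __name__ == "__main__":
    # Without certificate files the context can still be built and audited offline.
    print(audit_tls_context(build_server_tls_context()))
```

The same policy expressed for nginx would be ssl_protocols TLSv1.2 TLSv1.3, an ssl_ciphers string equivalent to TLS12_CIPHERS, ssl_prefer_server_ciphers on and the HSTS add_header; whichever server terminates TLS, the external scan the section recommends is what confirms the result.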
Data at Rest Encryption
Encrypt sensitive fields in databases, including account numbers, transaction details and personal information. Transparent database encryption (TDE) protects the storage media and backups, but it decrypts transparently for every database user, so it does nothing against a compromised application account or SQL injection; add field-level (application-layer) encryption for highly sensitive data so that the database only ever holds ciphertext. Store encryption keys separately from the encrypted data in a key management service (AWS KMS, Azure Key Vault, HashiCorp Vault), have the application obtain data keys at runtime rather than from configuration, and log every key use so that access to keys can be audited independently of access to data.
API Rate Limiting and Throttling
Implement rate limiting to prevent abuse and ensure fair resource allocation. Set separate limits by client, endpoint and operation type, and key them on an authenticated identity (client ID or mTLS certificate) rather than on source IP alone, which shared NATs and proxies make unreliable. Typical limits for financial APIs: 10-50 requests per second per client for read operations, 1-5 requests per second for write operations, with a burst allowance for occasional spikes; apply much tighter limits to authentication endpoints to slow credential stuffing. Return 429 Too Many Requests with a Retry-After header when a limit is exceeded, and implement exponential backoff with jitter in client applications so that retries from many clients do not synchronise into a second spike.
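A token-bucket limiter that enforces the per-client, per-operation limits above and produces the 429/Retry-After response, plus the matching client-side backoff, as an added example that is not part of the original page. The LIMITS values are constructed from the ranges given in the text, the clock is injectable so behaviour is deterministic, and the in-memory store is an assumption: a fleet of API servers would keep the buckets in a shared store such as Redis.

```python
import math
import random
import time
from dataclasses import dataclass

# Per-operation limits constructed from the ranges in the text: a sustained rate in
# requests/second and a burst (bucket size) for short spikes.
LIMITS = {
    "read":  {"rate": 20.0, "burst": 40},
    "write": {"rate": 2.0,  "burst": 5},
    "login": {"rate": 0.2,  "burst": 3},   # one attempt per 5 s once the burst is spent
}


@dataclass
class _Bucket:
    tokens: float
    updated: float


class RateLimiter:
    """Token-bucket limiter keyed by (authenticated client id, operation type).
    Single-process, in-memory; production would share buckets across servers."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock          # injectable for deterministic tests
        self._buckets = {}

    def check(self, client_id, op_type):
        """Consume one token. Returns (allowed, headers)."""
        cfg = self.limits[op_type]
        now = self.clock()
        bucket = self._buckets.setdefault((client_id, op_type), _Bucket(float(cfg["burst"]), now))
        # Refill in proportion to elapsed time, never above the burst size.
        bucket.tokens = min(cfg["burst"], bucket.tokens + (now - bucket.updated) * cfg["rate"])
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, {"X-RateLimit-Limit": str(cfg["burst"]),
                          "X-RateLimit-Remaining": str(int(bucket.tokens))}
        # Whole seconds until one full token exists; Retry-After must be an integer.
        wait = max(1, math.ceil((1.0 - bucket.tokens) / cfg["rate"]))
        return False, {"Retry-After": str(wait), "X-RateLimit-Remaining": "0"}


def handle(limiter, client_id, op_type):
    """Minimal handler: 429 plus the limiter's headers when a limit is hit."""
    allowed, headers = limiter.check(client_id, op_type)
    return (200 if allowed else 429), headers


def backoff_delay(attempt, retry_after=None, base=0.5, cap=30.0, jitter=random.random):
    """Client side: honour Retry-After when the server sends one, otherwise capped
    exponential backoff with full jitter so many clients do not retry in lockstep."""
    if retry_after is not None:
        return float(retry_after)
    return min(cap, base * (2 ** attempt)) * jitter()
```

Reads and writes draw from separate buckets, so a burst of reads cannot exhaust the write allowance, and the Retry-After value is derived from the actual refill rate rather than a fixed guess.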
Input Validation and Sanitization
Validate all input rigorously at API boundaries using strong typing and schema validation (OpenAPI/JSON Schema), and reject any request that does not match the schema, including requests carrying unknown fields. Use allow-lists (what is permitted) rather than deny-lists (known-bad patterns). Validate data types, formats, lengths and ranges. Reject unexpected input rather than attempting to sanitize it; sanitization is a last resort, not the primary control. Prevent injection (SQL, NoSQL, XML, LDAP) by keeping data separate from code: parameterized queries or prepared statements for SQL, driver-level parameter binding for NoSQL, and never string concatenation of input into a query or command. Apply context-appropriate output encoding (HTML, attribute, JavaScript, URL) to prevent XSS in any response a browser will render.
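The allow-list validation and the injection point side by side, as an added example that is not from the original page: a deliberately vulnerable query built by string concatenation, and the hardened path that validates against a schema and binds parameters. The schema, table and rows are constructed for the example, and the hand-rolled validator stands in for a JSON Schema library so the block runs with the standard library only.

```python
import re
import sqlite3

# Allow-list schema for one endpoint (constructed): exact type, full-match pattern, range.
# fullmatch is used deliberately: with re.match and a '$' anchor, "12345678\n" would pass.
SCHEMA = {
    "account_id": {"type": str, "pattern": re.compile(r"[0-9]{8,12}")},
    "currency":   {"type": str, "pattern": re.compile(r"[A-Z]{3}")},
    "limit":      {"type": int, "min": 1, "max": 100},
}


def validate(payload):
    """Return a clean copy of the payload or raise ValueError. Unknown fields, wrong
    types, bad formats and out-of-range values are rejected, never repaired."""
    if not isinstance(payload, dict):
        raise ValueError("body must be a JSON object")
    unknown = sorted(set(payload) - set(SCHEMA))
    if unknown:
        raise ValueError(f"unexpected fields: {unknown}")
    clean = {}
    for name, rule in SCHEMA.items():
        if name not in payload:
            raise ValueError(f"missing field: {name}")
        value = payload[name]
        if type(value) is not rule["type"]:      # exact match: bool is a subclass of int
            raise ValueError(f"{name}: wrong type")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            raise ValueError(f"{name}: bad format")
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            raise ValueError(f"{name}: out of range")
        clean[name] = value
    return clean


def validation_error(payload):
    """None if the payload is acceptable, otherwise the rejection reason."""
    try:
        validate(payload)
        return None
    except ValueError as exc:
        return str(exc)


def make_db():
    """In-memory table with constructed sample rows for two customers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tx (account_id TEXT, currency TEXT, amount INTEGER)")
    db.executemany("INSERT INTO tx VALUES (?, ?, ?)", [
        ("12345678", "USD", 100), ("12345678", "EUR", 50), ("99999999", "USD", 7)])
    return db


def query_unsafe(db, account_id, limit):
    """Deliberately vulnerable: the value is pasted into the SQL text, so a crafted
    account_id rewrites the WHERE clause and returns other customers' rows."""
    sql = (f"SELECT account_id, currency, amount FROM tx "
           f"WHERE account_id = '{account_id}' LIMIT {limit}")
    return db.execute(sql).fetchall()


def query_safe(db, payload):
    """Hardened: schema validation first, then parameter binding so the driver
    always treats the values as data, never as SQL."""
    clean = validate(payload)
    return db.execute(
        "SELECT account_id, currency, amount FROM tx "
        "WHERE account_id = ? AND currency = ? LIMIT ?",
        (clean["account_id"], clean["currency"], clean["limit"]),
    ).fetchall()
```

Both layers are needed: the allow-list stops the injection string at the boundary with a clear error, and parameter binding means that even a value the validator did not anticipate cannot change the query's structure.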
Security Headers
Configure security headers on all API responses. Content-Security-Policy: for JSON responses use default-src 'none'; frame-ancestors 'none' so the response can never be rendered as a page or framed. X-Content-Type-Options: nosniff prevents MIME type sniffing. X-Frame-Options: DENY prevents clickjacking in browsers that predate frame-ancestors. Strict-Transport-Security: enforces HTTPS. X-XSS-Protection: the legacy browser filter is deprecated and was itself abused to introduce vulnerabilities; set it to 0 or omit it and rely on CSP instead. Permissions-Policy: restricts browser features. Cache-Control: no-store on any response that contains account data. Remove headers that reveal the implementation (Server, X-Powered-By), and never expose stack traces, internal identifiers or other sensitive information in error messages or headers.
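The header set above as code, as an added example (not from the original page): one function applies it to an outgoing response and strips fingerprinting headers, and a second audits a response's headers and returns findings, which is the check to run in an integration test against the live API. The header values and the fingerprinting list are assumptions chosen for a JSON API; adjust Permissions-Policy to the features your clients actually use.

```python
import re

# Header set for JSON API responses (constructed for this example).
API_SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-XSS-Protection": "0",                     # legacy filter off; CSP does the job
    "Permissions-Policy": "geolocation=(), camera=(), microphone=(), payment=()",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}

# Headers that advertise the stack and should never leave the edge.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-runtime")

ONE_YEAR = 31536000


def harden_response(headers):
    """Return a new header mapping with the security set applied and fingerprinting
    removed. Existing values for the security headers are overridden, so an upstream
    component cannot weaken them; all other headers pass through unchanged."""
    managed = {k.lower() for k in API_SECURITY_HEADERS} | set(FINGERPRINT_HEADERS)
    out = {k: v for k, v in headers.items() if k.lower() not in managed}
    out.update(API_SECURITY_HEADERS)
    return out


def audit_headers(headers):
    """Findings for a response's headers; an empty list means it passes this policy."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in API_SECURITY_HEADERS:
        if name.lower() not in lower:
            findings.append(f"missing {name}")
    hsts = lower.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < ONE_YEAR):
        findings.append("HSTS max-age below one year")
    if hsts and "includesubdomains" not in hsts.lower():
        findings.append("HSTS missing includeSubDomains")
    if lower.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if lower.get("x-xss-protection", "0").strip() != "0":
        findings.append("X-XSS-Protection should be 0 (legacy filter is a liability)")
    if "no-store" not in lower.get("cache-control", ""):
        findings.append("Cache-Control must be no-store for account data")
    for name in FINGERPRINT_HEADERS:
        if name in lower:
            findings.append(f"remove fingerprinting header {name}")
    return findings
```

Running audit_headers against every endpoint in CI catches the common regression where a new route is served by a different handler or proxy path that the header middleware does not cover.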
Logging and Monitoring
Log every security-relevant event: all authentication attempts (success and failure), authorization failures, unusual access patterns, rate limit violations and API errors, each with a timestamp, client identity, source address and request ID so that events can be correlated across services. Never log sensitive data, including passwords, tokens, full account numbers or personal information; scrub records centrally before they are written rather than relying on every call site to remember. Implement real-time monitoring and alerting for security incidents, and use a SIEM for log aggregation and analysis. Protect the logs themselves (append-only storage, restricted access) so that an intruder cannot erase their tracks, and retain them for the applicable compliance period (typically 7 years under financial regulations).
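A security event logger with central redaction, and a sliding-window detector run over its own output, as an added example that is not code from the original page. The redaction patterns, the event format and the sample traffic (one client failing login repeatedly, one ordinary failure, and a careless log call containing a bearer token, a card number and a password) are all constructed for the example; the detector threshold and window are illustrative values.

```python
import json
import logging
import re
from collections import defaultdict, deque
from io import StringIO

# Patterns for secrets that must never reach a log line (constructed; extend to your formats).
REDACTIONS = [
    # bearer tokens in captured headers
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1[REDACTED]"),
    # bare JWTs anywhere in the message
    (re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"), "[REDACTED-JWT]"),
    # 16-digit card/account numbers: keep first and last four for support, mask the rest
    (re.compile(r"\b(\d{4})[ -]?(?:\d{4}[ -]?){2}(\d{4})\b"), r"\1********\2"),
    # key=value style credentials
    (re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key)=\S+"), r"\1=[REDACTED]"),
]


def redact(text):
    for pattern, repl in REDACTIONS:
        text = pattern.sub(repl, text)
    return text


class RedactingFilter(logging.Filter):
    """Scrubs every record at the handler, so a careless call site cannot leak."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()          # already formatted; stop the handler re-formatting
        return True


def build_security_logger(stream):
    """JSON-lines logger writing to `stream` (a file or socket in production)."""
    logger = logging.getLogger("api.security")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def log_event(logger, event, **fields):
    """One JSON object per line so the SIEM can parse fields without regexes."""
    logger.info(json.dumps({"event": event, **fields}, sort_keys=True))


def failed_login_alerts(lines, threshold=5, window=60):
    """Sliding-window detector over JSON log lines: client IPs with `threshold` or
    more auth failures inside any `window`-second span. Non-JSON lines are skipped."""
    recent = defaultdict(deque)
    alerted = set()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event") != "auth_failure":
            continue
        q = recent[ev["client_ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerted.add(ev["client_ip"])
    return sorted(alerted)


def demo():
    """Constructed traffic: one client brute-forcing, one ordinary failure, and one
    careless log call containing a bearer token, a card number and a password."""
    stream = StringIO()
    log = build_security_logger(stream)
    for i in range(6):
        log_event(log, "auth_failure", ts=1000 + i * 5, client_ip="203.0.113.9", user="alice")
    log_event(log, "auth_failure", ts=1100, client_ip="198.51.100.4", user="bob")
    log.info("rejected request Authorization: Bearer "
             "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlc2lnbmF0dXJl "
             "card 4111 1111 1111 1111 password=hunter2")
    return stream.getvalue().splitlines()
```

Redaction at the handler is a backstop, not a licence to log freely: the structured log_event path is what should carry security events, and the regexes exist for the unstructured message that someone will eventually write anyway.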
Security Testing
Conduct regular security testing: automated vulnerability scanning (OWASP ZAP, Burp Suite), penetration testing at least annually and after major changes, OAuth flow testing (redirect URI validation, state and PKCE handling, token leakage through referrers and logs), injection testing (SQL, NoSQL, XSS and others), authentication bypass attempts, and authorization testing for both horizontal access (another customer's account or transaction IDs) and vertical access (privilege escalation). Run static analysis, dependency scanning and dynamic scanning in CI/CD pipelines so regressions are caught before release. Remediate by severity: Critical immediately, High within 7 days, Medium within 30 days, Low within 90 days.