Introduction

Welcome to the OWASP API Security Top 10 - 2023!

Welcome to the second edition of the OWASP API Security Top 10!

This awareness document was first published back in 2019. Since then, the API Security industry has flourished and become more mature. We strongly believe this work has positively contributed to it, due to it being quickly adopted as an industry reference.

APIs play a very important role in modern application architecture. But since innovation has a different pace than creating security awareness, we believe it's important to focus on creating awareness for common API security weaknesses.

The primary goal of the OWASP API Security Top 10 is to educate those involved in API development and maintenance, for example, developers, designers, architects, managers, or organizations. You can know more about the API Security Project visiting the project page.

If you're not familiar with the OWASP top 10 series, we recommend checking at least the following top 10 projects:

• OWASP Cloud-Native Application Security Top 10
• OWASP Desktop App Security Top 10
• OWASP Docker Top 10
• OWASP Low-Code/No-Code Top 10
• OWASP Machine Learning Security Top Ten
• OWASP Mobile Top 10
• OWASP TOP 10
• OWASP Top 10 CI/CD Security Risks
• OWASP Top 10 Client-Side Security Risks
• OWASP Top 10 Privacy Risks
• OWASP Serverless Top 10

None of the projects replaces another: if you're working on a mobile application powered by a back-end API, you're better off reading both the corresponding top 10's. The same is valid if you're working on a web or desktop application powered by APIs.

In the Methodology and Data section, you can read more about how this edition was created. For now, we encourage everyone to contribute with questions, comments, and ideas at our GitHub repository or Mailing list.