Twelve API audits over 18 months. The findings repeat[1].
What is missing most
Source: My audit reports, 2025-2026
Secrets rotation is missing in all twelve. Outbound logging in eleven. Rate limiting in nine. Input validation in eight. Per-endpoint auth in six.
Secrets in particular: nobody rotates them on a schedule, nobody has a runbook for "credential is leaked, rotate now," and many secrets are 2+ years old.
The five controls
| Control | Why | Cheap fix |
|---|---|---|
| Rate limiting | Stops most enumeration / abuse | Vercel / Upstash / Cloudflare WAF |
| Auth on every endpoint | No "internal" routes left exposed | Middleware + tests |
| Input validation at boundary | Stops SQLi / XSS / type confusion | Zod / Pydantic |
| Outbound logging | Detects exfiltration after the fact | Vercel logs / Datadog |
| Secrets rotation | Limits blast radius | Doppler / 1Password / GitHub OIDC |
These are not the only controls but they are the ones whose absence shows up most. Get them right and you have eliminated the bulk of practical incident risk.
Implementation costs
- Rate limiting: 2 hours with Upstash + Next.js middleware.
- Auth on every endpoint: 4-8 hours, mostly writing tests that verify it.
- Input validation: 1-2 days for an established codebase, ongoing thereafter.
- Outbound logging: 1 day to set up structured logs, ongoing thereafter.
- Secrets rotation: 2 days to implement, plus a quarterly cron after.
Total cost: about a week of engineer time for an established product. That is the cheapest insurance you can buy.
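The "auth on every endpoint" row is mostly about the test that proves it, so here is an added example (not code from this post, nor Next.js or any vendor's code) of a framework-free deny-by-default gate plus the CI check that catches a route the gate does not cover. The route table, the matcher patterns and the `tok-alice` session are constructed; `buildApp`, `gate` and `unprotectedRoutes` are hypothetical names, standing in for the real middleware and its `matcher` config.

```javascript
// Constructed session store: a real app verifies a signed JWT or session cookie here.
const SESSIONS = new Map([["tok-alice", { user: "alice" }]]);

function buildApp({ routes, publicPaths, matcher }) {
  // The gate only runs on paths the matcher covers, which is how route-scoped
  // middleware behaves. Public paths are an explicit opt-out; every other
  // covered path needs a valid bearer token.
  function gate(req) {
    const covered = matcher.some((re) => re.test(req.path));
    if (!covered || publicPaths.has(req.path)) return null;
    const m = /^Bearer (.+)$/.exec(req.headers.authorization || "");
    const session = m && SESSIONS.get(m[1]);
    if (!session) return { status: 401, body: "unauthorized" };
    req.user = session;
    return null; // pass through to the handler
  }
  function handle(req) {
    const handler = routes[req.path];
    if (!handler) return { status: 404, body: "not found" };
    return gate(req) || handler(req);
  }
  // CI check: hit every route unauthenticated. Anything outside the allowlist
  // that still answers 2xx is a route the gate does not cover.
  function unprotectedRoutes() {
    return Object.keys(routes).filter((path) => {
      if (publicPaths.has(path)) return false;
      const res = handle({ path, headers: {} });
      return res.status >= 200 && res.status < 300;
    });
  }
  return { handle, unprotectedRoutes };
}

// Constructed route table, including an "internal" route assumed to be unreachable.
const ROUTES = {
  "/api/health": () => ({ status: 200, body: "ok" }),
  "/api/v1/users": (req) => ({ status: 200, body: `users for ${req.user.user}` }),
  "/api/internal/export": () => ({ status: 200, body: "full dump" }),
};
const PUBLIC = new Set(["/api/health"]);

// Typical bug: the matcher was written for the versioned prefix and misses /api/internal.
const leaky = buildApp({ routes: ROUTES, publicPaths: PUBLIC, matcher: [/^\/api\/v1\//] });
// Fix: match everything under /api and keep the public exceptions in the allowlist.
const fixed = buildApp({ routes: ROUTES, publicPaths: PUBLIC, matcher: [/^\/api\//] });

console.log(leaky.unprotectedRoutes()); // [ '/api/internal/export' ]
console.log(fixed.unprotectedRoutes()); // []
```

Wire `unprotectedRoutes()` into the test suite so that a new route which slips past the matcher fails the build instead of shipping.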
What is overrated
Web Application Firewall (WAF) features beyond rate limiting. Modern WAFs catch generic attacks, but a determined attacker maps around them.
DDoS protection at the application layer. Cloudflare's free tier handles this; you do not need a custom solution.
Penetration testing as a substitute for these basics. A pen test is valuable, but it only pays for itself once the basics are in place.
What is underrated
Audit logs that include "who accessed what," not just "what changed." Many teams log writes well and reads badly, and read access is where incidents typically begin.
A "kill switch" for compromised credentials. Disable a key in 30 seconds, not 30 minutes.
Recipe for a small team
Pick one control per month for five months. Document each. By the end of the half-year you have 80 percent of the API security ceiling for £0 of vendor cost and one engineer-month of time.
Most SMEs never do this. Don't be most SMEs.
About the data
A note on what the numbers in this post represent so you can read them with the right confidence:
- "My own bench" rows are personal measurements on my own hardware. They are honest about my setup and reproducible there, but they should not be treated as universal benchmark scores.
- Benchmark numbers attributed to public sources (Geekbench Browser, DXOMARK, NotebookCheck, FIA timing) are illustrative; the trend is what matters, not the third decimal place. Cross-check against the source for anything you would act on financially.
- Client outcomes and ROI percentages in business-focused posts are anonymised composites drawn from my own consulting work. Real numbers, real direction, sanitised so individual clients are not identifiable.
- Foldable crease-depth and similar engineering measurements are estimates pulled from teardown reports and reviewer claims; manufacturers do not publish these directly.
- Forecasts and "what I bet" lines are exactly that, opinions, not predictions with a track record yet.
If you spot a number that contradicts a source you trust, tell me; I would rather correct it than be the chart that was off by 6 percent and pretended otherwise.