
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Application Programming Interface (API) Security Requirements Guide

Version

V1R1

Benchmark ID

API_SRG

Total Checks

65

Tags

application
CAT I: 3, CAT II: 62, CAT III: 0

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (65)

  • V-274497 (MEDIUM): The API must encrypt data in transit.
  • V-274507 (MEDIUM): The API must be configured to use approved authorizations for access control.
  • V-274517 (MEDIUM): The API must enable monitoring and alerts.
  • V-274519 (MEDIUM): The API Gateway must generate audit records when successful/unsuccessful attempts to access privileges occur.
  • V-274520 (MEDIUM): The API must generate audit records when successful/unsuccessful attempts to access privileges occur.
  • V-274522 (MEDIUM): The API Gateway must generate audit records of what type of events occurred.
  • V-274523 (MEDIUM): The API must monitor the usage of API keys to detect any anomalies.
  • V-274524 (MEDIUM): The API must generate audit records of what type of events occurred.
  • V-274525 (MEDIUM): The API must audit rate-limiting events.
  • V-274526 (MEDIUM): The API Gateway must audit rate limiting events.
  • V-274527 (MEDIUM): The API Gateway must audit authentication and authorization information.
  • V-274528 (MEDIUM): The API must audit authentication and authorization information.
  • V-274529 (MEDIUM): The API Gateway must audit exceptions and errors that occur during the processing.
  • V-274530 (MEDIUM): The API must audit exceptions and errors that occur during the processing.
  • V-274531 (MEDIUM): The API Gateway must audit execution time and performance metrics.
  • V-274532 (MEDIUM): The API must audit execution time and performance metrics.
  • V-274533 (MEDIUM): The API Gateway must audit request and response details (such as method, URL, headers, body, status, etc.).
  • V-274534 (MEDIUM): The API must audit request and response details (such as method, URL, headers, body, status, etc.).
  • V-274537 (MEDIUM): All defined API elements must be documented.
  • V-274556 (MEDIUM): API keys must be configured with usage restrictions.
  • V-274557 (MEDIUM): The API must limit the exposure of endpoints.
  • V-274559 (MEDIUM): The API must use an approved DOD enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
  • V-274600 (MEDIUM): The API must protect Session IDs via encryption.
  • V-274603 (MEDIUM): The API keys must be securely generated using a FIPS-validated Random Number Generator (RNG).
  • V-274606 (MEDIUM): The API implementation must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of API keys.
  • V-274607 (HIGH): The API must encrypt sensitive cached data.
  • V-274612 (MEDIUM): The API must employ throttling.
  • V-274613 (MEDIUM): The API must specify allowed origins when using Cross-Origin Resource Sharing (CORS).
  • V-274615 (MEDIUM): The API must not disclose sensitive data in error messages.
  • V-274643 (MEDIUM): Access to API privileged features and functions must be restricted.
  • V-274672 (MEDIUM): The API must require periodic reauthentication.
  • V-274677 (MEDIUM): The API must have a mechanism for cache invalidation when using cache policy data.
  • V-274678 (MEDIUM): When stateless authentication tokens are used, the API must configure them with appropriate security settings.
  • V-274679 (MEDIUM): The API's internal authorization tokens must not be provided back to the user.
  • V-274680 (MEDIUM): API access tokens must be configured to expire.
  • V-274681 (MEDIUM): API refresh tokens must be configured to expire.
  • V-274682 (MEDIUM): The API must enforce per-client rate limits.
  • V-274697 (MEDIUM): Clients must be configured to route requests through a single API gateway that enforces the association and transmission of organization-defined security attributes with each request.
  • V-274707 (MEDIUM): The API must use a gateway.
  • V-274709 (HIGH): The amount of data returned by the API must be restricted.
  • V-274710 (HIGH): The API must use TLS version 1.2 at a minimum.
  • V-274712 (MEDIUM): The API must audience-restrict access tokens in accordance with organization-defined identification and authentication policy.
  • V-274714 (MEDIUM): The API must use parameterized queries.
  • V-274715 (MEDIUM): The API must provide input validation.
  • V-274723 (MEDIUM): The API must authenticate remote commands.
  • V-274767 (MEDIUM): The API must encode outputs.
  • V-274768 (MEDIUM): The API must use a static type of system.
  • V-274769 (MEDIUM): The API must use Web Application Firewall (WAF).
  • V-274783 (MEDIUM): The API must use a FIPS-validated cryptographic module to provision digital signatures for tokens.
  • V-274785 (MEDIUM): API services identified within the system as unnecessary and/or nonsecure must be disabled.
  • V-274830 (MEDIUM): The API must provide protected storage for API keys.
  • V-274835 (MEDIUM): API must use a circuit breaker pattern to handle failures and timeouts.
  • V-274839 (MEDIUM): Cryptographic keys that protect access tokens must be protected.
  • V-274840 (MEDIUM): The API must protect the private keys used to sign assertions and tokens.
  • V-274841 (MEDIUM): Generating assertions must be restricted.
  • V-274842 (MEDIUM): The API must issue assertions in accordance with organization-defined identification and authentication policy.
  • V-274843 (MEDIUM): The API must refresh assertions in accordance with organization-defined identification and authentication policy.
  • V-274844 (MEDIUM): The API must revoke assertions in accordance with organization-defined identification and authentication policy.
  • V-274845 (MEDIUM): The API must time-restrict assertions in accordance with organization-defined identification and authentication policy.
  • V-274846 (MEDIUM): The API must audience-restrict assertions in accordance with organization-defined identification and authentication policy.
  • V-274847 (MEDIUM): The API must generate access tokens in accordance with organization-defined identification and authentication policy.
  • V-274848 (MEDIUM): The API must issue access tokens in accordance with organization-defined identification and authentication policy.
  • V-274849 (MEDIUM): The API must refresh access tokens in accordance with organization-defined identification and authentication policy.
  • V-274850 (MEDIUM): The API must revoke access tokens in accordance with organization-defined identification and authentication policy.
  • V-274851 (MEDIUM): The API must time-restrict access tokens in accordance with organization-defined identification and authentication policy.
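Several of the token checks above (V-274678, V-274680, V-274712, V-274851: stateless token settings, expiry, audience restriction, time restriction) are stated as requirements, not as code. The following is an added example, not part of the SRG and not STIGhub's code, showing what a validator that satisfies those checks enforces and what a signature-only check misses. It uses HMAC-SHA256 from the Python standard library so it runs stand-alone; V-274783 requires token signatures from a FIPS-validated cryptographic module, which the demo key and HS256 here do not satisfy. All names (issue_token, validate_token, DEMO_KEY, the claim values and the constructed key) are the example's own.

```python
"""Stateless access-token validation with the controls the API SRG names:
integrity check before any claim is trusted, expiry and not-before
(time restriction), and audience restriction.  Added example; HMAC-SHA256
stands in for a FIPS-module signature so the file runs offline."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. A real deployment keeps signing keys in protected
# storage (V-274839/V-274840); never hard-code them.
DEMO_KEY = b"constructed-demo-key-not-for-production"


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS (JWT layout) over `claims` with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, expected_aud: str, key: bytes = DEMO_KEY,
                   now: Optional[float] = None, leeway: int = 0) -> dict:
    """Return the claims only if alg, signature, exp, nbf and aud all pass."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        sig = _b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        raise TokenError("malformed token")
    # Pin the algorithm: never let the token choose it (alg confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    # Only now are the claims trustworthy enough to parse and act on.
    try:
        claims = json.loads(_b64url_decode(p64))
    except ValueError:
        raise TokenError("malformed token")
    # Time restriction (V-274680/V-274851): exp is mandatory, nbf honoured.
    if "exp" not in claims:
        raise TokenError("token has no exp")
    if now > claims["exp"] + leeway:
        raise TokenError("token expired")
    if now < claims.get("nbf", 0) - leeway:
        raise TokenError("token not yet valid")
    # Audience restriction (V-274712): aud may be a string or a list.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise TokenError("audience mismatch")
    return claims


def weak_validate(token: str, key: bytes = DEMO_KEY) -> dict:
    """The anti-pattern: a signature-only check. It happily returns claims
    from an expired token or one minted for a different API."""
    h64, p64, s64 = token.split(".")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenError("bad signature")
    return json.loads(_b64url_decode(p64))


def validation_result(token: str, expected_aud: str, now: float,
                      key: bytes = DEMO_KEY) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_token(token, expected_aud, key=key, now=now)
        return "ok"
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the demo is deterministic
    tok = issue_token({"sub": "svc-a", "aud": "orders-api",
                       "iat": NOW, "nbf": NOW, "exp": NOW + 300})
    print("fresh, right audience :", validation_result(tok, "orders-api", NOW + 10))
    print("expired               :", validation_result(tok, "orders-api", NOW + 301))
    print("wrong audience        :", validation_result(tok, "billing-api", NOW + 10))
    print("signature-only check  :", weak_validate(tok)["aud"], "(accepted regardless)")
```

The order of checks matters: the signature is verified over the raw base64 segments before the payload is parsed, the algorithm is pinned rather than read from the token, and `hmac.compare_digest` keeps the comparison constant-time. Swapping the HMAC for an asymmetric signature from a FIPS-validated module changes only `issue_token` and the `expected` computation; the claim checks stay the same.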