API Security — resources
roadmap.sh: https://roadmap.sh/best-practices/api-security
Books
- The Web Application Hacker’s Handbook (Stuttard & Pinto) — the deep reference on how web/API attacks work (injection, auth and session flaws, access control bypass), so you know what you’re defending against. The 2nd edition is from 2011, so read it for the attack classes and methodology rather than current tooling.
- API Security in Action (Neil Madden) — practical, hands-on guide to securing APIs (auth, tokens, OAuth2, rate limiting).
- OAuth 2 in Action (Richer & Sanso) — clear explanation of OAuth2/OIDC flows that underpin modern API auth.
- Web Security for Developers (Malcolm McDonald) — approachable primer on the common vulnerability classes and their fixes.
Courses / practice / tools
- OWASP API Security Top 10 (current edition: 2023) — the canonical catalogue of the most critical API risks, e.g. broken object-level and function-level authorization, broken authentication, unrestricted resource consumption.
- OWASP API Security Cheat Sheet (part of the OWASP Cheat Sheet Series) — concise, actionable hardening checklist for REST APIs.
- PortSwigger Web Security Academy — free, hands-on labs covering API/auth vulnerabilities and how to exploit and fix them.
- OWASP ZAP — free DAST scanner for testing your own APIs for security issues; it can import an OpenAPI definition to drive the scan. Only run it against APIs you own or are authorized to test.