Backend API Security in 2022, The Threat Model
November 2, 2022 · 4 min read · by Muhammad Amal · programming

TL;DR — Real threats in 2022: credential stuffing, broken access controls, JWT misuse, SSRF, supply chain. Priority: authn/authz correctness > rate limiting > input validation > audit logging. Most “we got hacked” stories trace to one of these. November walks through each.

After October’s ETL theme, November pivots to API security. Sub-theme of the year. The patterns aren’t new; the misapplications are widespread.

This first post is the map: what we’re actually defending against and why November covers what it covers.

What attackers actually do

From breach reports, OWASP analysis, and bug bounty trends in 2022:

  1. Credential stuffing. Reuse leaked passwords from other sites. The most common.
  2. Broken authorization. Endpoints don’t check “is this user allowed to access this resource?” Number 1 on OWASP Top 10 2021.
  3. JWT misuse. Signing algorithm confusion, missing verification, infinite token lifetimes.
  4. Injection (SQL, NoSQL, command). Still a thing despite 20 years of warnings.
  5. SSRF (Server-Side Request Forgery). Backend fetches a URL the user controls; reaches internal services.
  6. Supply chain. Compromised npm/PyPI packages.

Each accounts for a meaningful slice of real incidents. The mitigations aren’t exotic; they’re discipline.

What November covers

12 more posts:

What’s NOT covered

  • Frontend XSS, CSP, SameSite cookies. Important; different domain.
  • Network security, TLS configuration. Important; assumed.
  • Encryption at rest. Important; depends on infrastructure.
  • Specific compliance regimes (HIPAA, PCI-DSS, SOC 2). Audit work; not a writeup topic.
  • Reverse engineering / mobile binary protection. Different domain.

The priority order

For a typical SaaS backend, fix in this order:

Tier 1 (always):

  • Authentication is correct (proper hash, no plaintext, MFA option)
  • Authorization checks per request (user can only access their own data)
  • TLS everywhere
  • No secrets in logs / errors

Tier 2 (within first 6 months):

  • Rate limiting on auth endpoints
  • Account lockout / CAPTCHA on repeated failures
  • JWT setup follows the rules
  • Input validation at boundaries

Tier 3 (within first year):

  • Audit logging
  • Distributed rate limiting
  • CSRF protection
  • Dependency scanning

Tier 4 (scale-up):

  • WAF
  • Bug bounty program
  • Pen testing
  • SOC 2 / compliance audits

Most teams I see have skipped tier 1. Don’t.

What “good enough” looks like

For a typical $10K-100K MRR SaaS:

  • Auth via Auth0 / Clerk / WorkOS or a well-known framework (Devise, Django auth, Lucia)
  • HTTPS everywhere via Let’s Encrypt / cert-manager
  • Per-route authz middleware that checks “does this user own this resource”
  • Rate limit on login + password reset
  • JWT lifetime ≤ 15 minutes + refresh tokens with revocation
  • Logs to a SIEM you actually read
  • Dependency scanning in CI

That covers ~95% of real-world threats. Past this, hire a security professional.

What 2022 specifically changed

A few things noticeably different vs 2018-2020:

  • NPM / PyPI supply chain attacks. Multiple high-profile incidents in 2021-2022. Pin dependencies; review changes; verify signatures.
  • OAuth 2.1 draft. Tightens grants, requires PKCE, deprecates legacy patterns.
  • Zero-trust architectures. Network perimeter is dead; per-request auth is standard.
  • Passkeys / WebAuthn. Adoption rising. Phishing-resistant.
  • AI-generated phishing. Concrete uptick. MFA is no longer optional.

Common Pitfalls (preview)

  • “It’s behind a VPN.” Assume external. Always.
  • Trusting headers. X-User-Id from a “trusted upstream.” Don’t.
  • Custom crypto. Don’t.
  • JWT with alg: none. Documented attack from 2015; still works on some apps.
  • Rate limit on IP only. Doesn’t stop cloud botnets.
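The alg: none pitfall and the “JWT lifetime ≤ 15 minutes” rule from the good-enough list above, shown together in a small verifier. This is an added example, not code from the post; it assumes an HS256 shared key (a constructed demo key) and that tokens carry integer iat and exp claims.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_LIFETIME = 15 * 60  # seconds: the "JWT lifetime <= 15 minutes" rule from above
ALLOWED_ALG = "HS256"   # pinned by the verifier, never taken from the token header

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 token (constructed helper so the demo runs offline)."""
    header = b64url_encode(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the claims of a valid token, or raise ValueError with the reason."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # The algorithm is compared against the pinned value, so alg:none (or any
    # other algorithm swap) is rejected before the signature is even examined.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("iat and exp are required")
    if exp <= now:
        raise ValueError("expired")
    if exp - iat > MAX_LIFETIME:  # minted with a longer lifetime than policy allows
        raise ValueError("lifetime exceeds policy")
    return claims
```

A library verifier should be configured the same way: pass the allowed algorithm list explicitly and require exp, rather than letting the token header decide.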

Each gets a dedicated post.

Wrapping Up

Two months of writing about pipelines and data; November is the user-facing side of the same backends. Friday: JWT done right — the most-misused token format on the internet.