This week, we are mostly discussing best practices and tools: the best methods to pass API keys and other sensitive data, tools that attackers use to discover APIs, and why API security is never set-and-forget.
Risks
Never put API keys or other sensitive information in URLs and query parameters. These are visible to browser extensions, server logs, browser history, shared links, and the referrer. Always use headers or the POST method instead. See this article by Paris Mitton for details.
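As an added example (not from the newsletter or the linked article), a small Python audit that looks for the leak this item warns about: it parses constructed access-log lines, flags query parameters whose names look like credentials, and shows how such URLs can be redacted before they reach a log. The list of sensitive parameter names is an assumption and should be tuned to your own APIs.

```python
"""Find API keys and other secrets that appear in URL query strings.

Added example (not from the newsletter): scans constructed access-log lines
for query parameters whose names suggest credentials, and redacts them.
"""
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names that commonly carry credentials; an assumed starting list.
SENSITIVE_PARAM_RE = re.compile(
    r"(api[_-]?key|apikey|access[_-]?token|auth[_-]?token|token|secret"
    r"|password|passwd|sig(nature)?)",
    re.IGNORECASE,
)

def sensitive_params(url):
    """Return the names of query parameters in `url` that look like secrets."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SENSITIVE_PARAM_RE.fullmatch(name)]

def redact_url(url):
    """Return `url` with the values of sensitive query parameters replaced."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if SENSITIVE_PARAM_RE.fullmatch(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /v1/users?api_key=AKEXAMPLE123&page=2 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2020:10:00:01 +0000] "GET /v1/users?page=3 HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "POST /v1/login?token=abc.def.ghi HTTP/1.1" 302 0
"""

LOG_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scan_access_log(text):
    """Return (line_number, method, flagged_param_names) for lines whose
    request target carries a secret-looking query parameter."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_REQUEST_RE.search(line)
        if not m:
            continue
        flagged = sensitive_params(m.group("target"))
        if flagged:
            hits.append((lineno, m.group("method"), flagged))
    return hits
```

Running `scan_access_log(SAMPLE_LOG)` flags lines 1 and 3; the same check can be pointed at proxy or CDN logs to find clients that still send credentials in the query string.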