The Perimeter Is Dead (Again)
We learned this lesson a decade ago with network security. Firewalls at the edge don't stop lateral movement. Zero Trust architecture moved authentication and authorization to every hop, not just the front door.
But somehow, we forgot this lesson when we built APIs.
Most companies today have a sophisticated API gateway: rate limiting, JWT validation, maybe a Web Application Firewall (WAF) that blocks SQL injection and XSS. They tick the compliance boxes, pass the pen test, and ship.
Then the breach happens anyway.
Not from the outside. From the inside—from a legitimate user accessing data they shouldn't be able to see.
BOLA: The Silent Epidemic
Broken Object Level Authorization (BOLA) is now the #1 API vulnerability according to OWASP. It's also the hardest to detect with traditional tools.
Here's the pattern:
- User A logs in and gets a valid JWT
- User A requests
GET /api/invoices/12345 - The gateway validates the JWT ✅
- The API returns invoice 12345 ✅
The problem? Invoice 12345 belongs to User B. User A just accessed someone else's data with a completely valid, authenticated request.
The gateway saw nothing wrong. The WAF saw nothing wrong. The logs show a normal 200 OK response.
This is BOLA. And it's everywhere.
Why Gateways Can't Fix This
API gateways operate at the wrong layer. They know about authentication (who you are) but not authorization (what you can access).
Authorization requires business logic. It needs to know:
- Which user owns which resources
- What roles and permissions apply
- Context: is this request coming from the right tenant, team, or org?
You can't encode this in a gateway rule. It's too dynamic, too contextual, too deeply tied to your domain model.
Yet most API security stops at the gateway.
The Solution: First-Class Authorization
Security needs to be in the code, not just in front of it.
Here's what that looks like in practice:
1. Never Trust the ID in the Request
If a user requests /api/invoices/12345, don't just query SELECT * FROM invoices WHERE id = 12345.
Always scope by the authenticated user:
SELECT * FROM invoices
WHERE id = 12345
AND user_id = {current_user_id}
This single pattern prevents 80% of BOLA exploits.
2. Make Authorization Explicit, Not Implicit
Don't rely on developers remembering to add WHERE user_id = ... to every query. Make it impossible to forget.
Use:
- Row-level security (RLS) in Postgres
- Scoped query builders that auto-inject tenant filters
- Authorization middleware that fails-closed by default
If you have to opt out of security checks instead of opting in, you've designed it right.
3. Audit the Edge Cases
BOLA doesn't just happen in CRUD endpoints. It happens in:
- Webhooks (can User A trigger a webhook for User B's account?)
- Bulk operations (does
DELETE /api/invoicesrespect user scope?) - Export endpoints (does the CSV download leak other users' data?)
- Aggregations (can User A infer User B's usage from public dashboards?)
Every non-standard endpoint is a potential BOLA vector.
4. Log Authorization Failures, Not Just Authentication Failures
Your SIEM is full of "invalid JWT" alerts. But how many "user tried to access resource they don't own" alerts do you see?
Probably zero.
Start logging every authorization check that fails. Pattern analysis will reveal attackers probing for BOLA vulnerabilities.
The Cultural Shift
The real challenge isn't technical—it's organizational.
Most security teams own the gateway. Most developers own the API logic. There's a gap in the middle where BOLA lives.
Fixing this requires:
- Security engineers who understand code (not just infrastructure)
- Developers who understand threat models (not just features)
- Shared ownership of the authorization layer
At Link11, we treat authorization as a platform capability, not a per-service concern. Every API inherits a battle-tested authz framework. Developers can't opt out.
The Uncomfortable Truth
No amount of gateway sophistication will protect you from logic bugs in your application layer.
Security isn't just a perimeter problem. It's a design problem.
You can't bolt it on at the edge. You have to bake it into every query, every function, every line of code that touches user data.
That's uncomfortable. It's slower. It requires discipline.
But it's the only way to stop BOLA—and the only way to build APIs you can actually trust.
The Checklist
If you're serious about API security in 2026, ask yourself:
- Can a valid user access another user's data by changing an ID in the URL?
- Do your queries auto-scope by tenant/user, or do developers have to remember?
- Are authorization failures logged and monitored?
- Do you have a shared authz framework, or is every service rolling its own?
- When was the last time you pen-tested for BOLA specifically (not just OWASP Top 10)?
If you can't answer "yes" to all five, your API is vulnerable.
Not to sophisticated attackers. To anyone who knows how to change a number in a URL.
The gateway won't save you. Only your code can.
Follow the journey
Subscribe to Lynk for daily insights on AI strategy, cybersecurity, and building in the age of AI.
Subscribe →