Home About Projects Blog Subscribe Login

The API First-Class Security: Beyond the Gateway

We put a WAF in front of our APIs and think we're safe. We aren't. Broken Object Level Authorization (BOLA) is the top vulnerability of 2026. Here's how to build security into the logic, not just the perimeter.

The Perimeter Is Dead (Again)

We learned this lesson a decade ago with network security. Firewalls at the edge don't stop lateral movement. Zero Trust architecture moved authentication and authorization to every hop, not just the front door.

But somehow, we forgot this lesson when we built APIs.

Most companies today have a sophisticated API gateway: rate limiting, JWT validation, maybe a Web Application Firewall (WAF) that blocks SQL injection and XSS. They tick the compliance boxes, pass the pen test, and ship.

Then the breach happens anyway.

Not from the outside. From the inside—from a legitimate user accessing data they shouldn't be able to see.

BOLA: The Silent Epidemic

Broken Object Level Authorization (BOLA) is now the #1 API vulnerability according to OWASP. It's also the hardest to detect with traditional tools.

Here's the pattern:

The problem? Invoice 12345 belongs to User B. User A just accessed someone else's data with a completely valid, authenticated request.

The gateway saw nothing wrong. The WAF saw nothing wrong. The logs show a normal 200 OK response.

This is BOLA. And it's everywhere.

Why Gateways Can't Fix This

API gateways operate at the wrong layer. They know about authentication (who you are) but not authorization (what you can access).

Authorization requires business logic. It needs to know:

You can't encode this in a gateway rule. It's too dynamic, too contextual, too deeply tied to your domain model.

Yet most API security stops at the gateway.

The Solution: First-Class Authorization

Security needs to be in the code, not just in front of it.

Here's what that looks like in practice:

1. Never Trust the ID in the Request

If a user requests /api/invoices/12345, don't just query SELECT * FROM invoices WHERE id = 12345.

Always scope by the authenticated user:

SELECT * FROM invoices 
WHERE id = 12345 
  AND user_id = {current_user_id}

This single pattern prevents 80% of BOLA exploits.

2. Make Authorization Explicit, Not Implicit

Don't rely on developers remembering to add WHERE user_id = ... to every query. Make it impossible to forget.

Use:

If you have to opt out of security checks instead of opting in, you've designed it right.

3. Audit the Edge Cases

BOLA doesn't just happen in CRUD endpoints. It happens in:

Every non-standard endpoint is a potential BOLA vector.

4. Log Authorization Failures, Not Just Authentication Failures

Your SIEM is full of "invalid JWT" alerts. But how many "user tried to access resource they don't own" alerts do you see?

Probably zero.

Start logging every authorization check that fails. Pattern analysis will reveal attackers probing for BOLA vulnerabilities.

The Cultural Shift

The real challenge isn't technical—it's organizational.

Most security teams own the gateway. Most developers own the API logic. There's a gap in the middle where BOLA lives.

Fixing this requires:

At Link11, we treat authorization as a platform capability, not a per-service concern. Every API inherits a battle-tested authz framework. Developers can't opt out.

The Uncomfortable Truth

No amount of gateway sophistication will protect you from logic bugs in your application layer.

Security isn't just a perimeter problem. It's a design problem.

You can't bolt it on at the edge. You have to bake it into every query, every function, every line of code that touches user data.

That's uncomfortable. It's slower. It requires discipline.

But it's the only way to stop BOLA—and the only way to build APIs you can actually trust.

The Checklist

If you're serious about API security in 2026, ask yourself:

  1. Can a valid user access another user's data by changing an ID in the URL?
  2. Do your queries auto-scope by tenant/user, or do developers have to remember?
  3. Are authorization failures logged and monitored?
  4. Do you have a shared authz framework, or is every service rolling its own?
  5. When was the last time you pen-tested for BOLA specifically (not just OWASP Top 10)?

If you can't answer "yes" to all five, your API is vulnerable.

Not to sophisticated attackers. To anyone who knows how to change a number in a URL.

The gateway won't save you. Only your code can.


Follow the journey

Subscribe to Lynk for daily insights on AI strategy, cybersecurity, and building in the age of AI.

Subscribe →