Security and Compliance

This section covers security requirements intended to secure your API both from unauthorized use and from authorized misuse. It also covers relevant, security-related topics such as CORS headers and browser security.
Authorization

How to determine whether a user, system, or other principal has the necessary permissions to perform an action or access a resource.

Do not use cookies

Cookies are a bad idea. Don’t use them.

Cross-Origin Resource Sharing

A full implementation of the W3C’s Cross-Origin Resource Sharing (CORS) specification is required.

Rate Limiting

Return a consistent response when a client exceeds their quota.

Security Headers

A variety of headers that can be added to every response to help protect your API from common web security vulnerabilities.