
API Security Checklist: 15 Pre-Production Checks
You're about to push to production. The feature works. Tests pass. Everything looks good. But have you checked the security basics?

Here's a quick checklist. Run through it before every deployment that touches API integrations. Most items take seconds to verify but can prevent serious problems.

Credentials

1. API keys are in environment variables, not code

Check your codebase for hardcoded strings that look like API keys. They should come from environment variables or a secret manager.

```bash
# Quick search for common patterns (-E enables the {20} repetition count)
grep -rE "x-api-key.*[a-zA-Z0-9]{20}" --include="*.js" --include="*.ts"
grep -rE "apiKey.*=.*['\"][a-zA-Z0-9]" --include="*.py"
```

If you find any, move them to environment variables immediately. Hardcoded keys end up in git history forever.

Status: [ ] Verified

2. Keys are not logged

Check your logging code. Are you logging request headers? Response bodies? Entire request objects? Any of these might include API keys, tokens, or sensitive data. Logs get stored, backe
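Checks 1 and 2 above in code form, as an added example that is not part of the original article: a small scanner for credential-looking literals in source (a Python approximation of the grep patterns, widened to a few naming conventions), a loader that fails fast when the key is missing from the environment, and a logging filter that masks API keys and bearer tokens before a record reaches log storage. The function names, the regex patterns, the environment variable `PAYMENTS_API_KEY` and the sample source in `SAMPLE_SOURCE` are assumptions constructed for this example; the key values in it are made up.

```python
import logging
import os
import re
from typing import Mapping

# Credential-looking literals (assumption: a Python approximation of the grep
# patterns above, widened to several naming conventions). Group 1 is the literal.
KEY_PATTERNS = [
    re.compile(r"x-api-key\W{0,5}([A-Za-z0-9]{20,})", re.IGNORECASE),
    re.compile(r"""(?:api[_-]?key|secret|token)\s*[:=]\s*['"]([A-Za-z0-9_\-]{16,})['"]""",
               re.IGNORECASE),
]

# Header names whose values never belong in a log line.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "cookie", "set-cookie"}

# A credential header or variable name followed by a long token, used for log redaction.
TOKEN_RE = re.compile(
    r"(?i)(x-api-key|authorization|api[_-]?key)(\W{0,5}(?:bearer\s+)?)([A-Za-z0-9_\-\.]{16,})"
)


def find_hardcoded_keys(source: str, filename: str = "<memory>") -> list[tuple[str, int, str]]:
    """Check 1: return (filename, line, literal) for each credential-like literal.

    Lines that read the value from the environment are the desired pattern and
    are skipped, so the scan reports only literals baked into the source.
    """
    hits: list[tuple[str, int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if "os.environ" in line or "process.env" in line or "getenv" in line:
            continue
        for pattern in KEY_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((filename, lineno, match.group(1)))
                break
    return hits


def load_api_key(var_name: str, env: Mapping[str, str] = os.environ) -> str:
    """Read a key from the environment and refuse to start if it is missing."""
    value = env.get(var_name, "").strip()
    if not value:
        raise RuntimeError(f"{var_name} is not set; refusing to start without it")
    return value


def redact_headers(headers: Mapping[str, str]) -> dict[str, str]:
    """Check 2: a copy of a header map that is safe to log (credential headers masked)."""
    return {
        name: "[REDACTED]" if name.lower() in SENSITIVE_HEADERS else value
        for name, value in headers.items()
    }


def redact_message(text: str) -> str:
    """Mask tokens that follow a credential header or variable name in free text."""
    return TOKEN_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Logging filter that redacts credential-looking tokens from every record."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format the message first so tokens passed as %s arguments are covered too.
        record.msg = redact_message(record.getMessage())
        record.args = ()
        return True


# Constructed sample source for the scanner; the key values are made up.
SAMPLE_SOURCE = """\
import os
API_KEY = "sk_live_ABCDEFGHIJKLMNOPQRSTUV"
headers = {"x-api-key": "abcdefghijklmnopqrstuvwxyz0123"}
safe_key = os.environ["PAYMENTS_API_KEY"]
"""


if __name__ == "__main__":
    for path, lineno, literal in find_hardcoded_keys(SAMPLE_SOURCE, "payments.py"):
        print(f"{path}:{lineno}: hardcoded credential {literal[:6]}...")

    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logger = logging.getLogger("upstream")
    logger.addFilter(RedactingFilter())
    logger.info("request headers: %s",
                redact_headers({"Authorization": "Bearer abc", "Content-Type": "application/json"}))
    logger.info("raw call: x-api-key: abcdefghijklmnopqrstuvwxyz0123")
```

Pattern-based scanning only finds strings that look like keys, so treat it as a pre-commit sanity check rather than a replacement for a dedicated secret scanner. Likewise the filter masks only tokens that follow a recognisable header or variable name; the reliable fix for check 2 is to pass `redact_headers(...)` to the logger instead of the raw header map or request object, with the filter as a safety net.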

