NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Guidelines for API Protection for Cloud-Native Systems

Published

Author(s)

Ramaswamy Chandramouli, Zack Butcher

Abstract

Modern enterprise IT systems rely on a family of application programming interfaces (APIs) for integration to support organizational business processes. Hence, a secure deployment of APIs is critical for overall enterprise security. This, in turn, requires the identification of risk factors or vulnerabilities in various phases of the API life cycle and the development of controls or protection measures. This document addresses the following aspects of achieving that goal: (a) the identification and analysis of risk factors or vulnerabilities during various activities of API development and runtime, (b) recommended basic and advanced controls and protection measures during the pre-runtime and runtime stages of APIs, and (c) an analysis of the advantages and disadvantages of various implementation options for those controls to enable security practitioners to adopt an incremental, risk-based approach to securing their APIs.
Citation
Special Publication (NIST SP) - 800-228
Report Number
800-228
NIST Pub Series
Special Publication (NIST SP)
Pub Type
NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.SP.800-228
Local Download

Keywords

API, API endpoint, API gateway, API key, API schema, web application firewall
Information technology

Citation

Chandramouli, R. and Butcher, Z. (2025), Guidelines for API Protection for Cloud-Native Systems, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-228, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=960213 (Accessed October 20, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created June 27, 2025, Updated July 1, 2025
Was this page helpful?