
Guidelines for the Secure Deployment of RESTful Web APIs | Draft SP 800-228A Available for Public Comment

The initial public draft of NIST Special Publication (SP) 800-228A is available for public comment. The comment period is open through July 2, 2026.

The initial public draft of NIST Special Publication (SP) 800-228A, Guidelines for the Secure Deployment of RESTful Web APIs, is now available for public comment.

REST is a stateless architectural style that uses standard HTTP methods and URIs to expose and exchange data as "resources," and RESTful Web APIs serve as the primary communication bridge between modern web applications. They are the most prevalent API type: their simplicity, universal browser compatibility, rich ecosystem of developer tools, and efficient caching fit the existing web infrastructure. The same properties that make them ubiquitous also create scope for introducing vulnerabilities and the accompanying threats of exploitation.
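Two of the properties named above, statelessness and cacheability, each carry a deployment pitfall that a practitioner would want to see concretely. The following is an added illustration written for this page; it is not code from the SP 800-228A draft and does not claim to reproduce any control the draft specifies. The token table, order data, URL layout and the toy shared cache are all constructed assumptions for the example. Because a stateless API keeps no server-side session, every request must carry its own credential and be authorized against the requested resource; and because per-user responses travel through web infrastructure that caches, they must be marked so that a shared cache cannot replay one caller's data to another.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample data for the example: bearer tokens and per-user orders.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {"alice": {"o-1": {"total": 42}}, "bob": {"o-2": {"total": 7}}}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None
    headers: Dict[str, str] = field(default_factory=dict)


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Stateless authentication: there is no session to consult, so the
    request itself must carry the credential.  Returns a user id or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return TOKENS.get(token) if scheme == "Bearer" else None


def get_order_leaky(headers, owner, order_id) -> Response:
    """Weak version of GET /users/{owner}/orders/{order_id}: authenticates
    and authorizes correctly on every request, but returns the per-user body
    without Cache-Control, so a shared cache is free to store it."""
    user = authenticate(headers)
    if user is None:
        return Response(401, headers={"WWW-Authenticate": "Bearer"})
    if user != owner:
        # Object-level check: a valid token for bob must not read alice's order.
        return Response(403)
    order = ORDERS[owner].get(order_id)
    return Response(200, order) if order else Response(404)


def get_order(headers, owner, order_id) -> Response:
    """Hardened version: same checks, plus the successful response is marked
    private and uncacheable so an intermediary cannot replay it."""
    resp = get_order_leaky(headers, owner, order_id)
    if resp.status == 200:
        resp.headers["Cache-Control"] = "private, no-store"
    return resp


class SharedCache:
    """Toy proxy cache keyed on URL only (a constructed stand-in for a shared
    intermediary): it stores 200 responses unless they say private/no-store."""

    def __init__(self) -> None:
        self.store: Dict[str, Response] = {}

    def fetch(self, url: str, headers: Dict[str, str],
              handler: Callable[[Dict[str, str]], Response]) -> Response:
        if url in self.store:
            return self.store[url]  # served without re-running the handler
        resp = handler(headers)
        cc = resp.headers.get("Cache-Control", "")
        if resp.status == 200 and "private" not in cc and "no-store" not in cc:
            self.store[url] = resp
        return resp


def leak_demo(handler) -> Response:
    """Alice fetches her order through a shared cache, then Bob requests the
    same URL with his own token.  Returns what Bob receives."""
    cache = SharedCache()
    url = "/users/alice/orders/o-1"
    cache.fetch(url, {"Authorization": "Bearer tok-alice"},
                lambda h: handler(h, "alice", "o-1"))
    return cache.fetch(url, {"Authorization": "Bearer tok-bob"},
                       lambda h: handler(h, "alice", "o-1"))


if __name__ == "__main__":
    print("leaky handler, Bob receives:", leak_demo(get_order_leaky))
    print("hardened handler, Bob receives status:", leak_demo(get_order).status)
```

With the leaky handler Bob receives Alice's order body from the cache even though his own request would have been refused; with the hardened handler the cache never stores the response and Bob gets 403. The point of the example is that the per-request authorization check alone is not enough once the response leaves the server and enters caching infrastructure.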

This document:

  • Analyzes threats to RESTful APIs across the pre-runtime and runtime phases
  • Provides guidelines for implementing a set of controls to mitigate threats
  • Complements the detailed set of controls provided in SP 800-228 by including parameters that are specific to the architectural style of RESTful Web APIs

The public comment period is open through July 2, 2026. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included in this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Released May 18, 2026