What are the security hardening measures for REST APIs — injection, mass assignment, BOLA/IDOR?

Answer

REST APIs face several critical security vulnerabilities; the three named in the question are the most common, and each has a specific server-side defence.

Injection: always use parameterized queries or ORMs; never concatenate user input into SQL, NoSQL queries, or shell commands. Validate and sanitize all inputs, and use an allowlist of accepted values rather than a denylist.

Mass assignment (insecure direct object assignment): never bind request bodies directly to database models without filtering the allowed fields. Explicitly allowlist which fields a client can set, so that a client cannot smuggle isAdmin: true or balance: 1000000 into a user update.

BOLA (Broken Object Level Authorization), also called IDOR (Insecure Direct Object Reference): verify that the authenticated user is authorized to access the specific resource they are requesting. GET /invoices/42 must check that invoice 42 belongs to the current user, not just that the user is authenticated. BOLA is the #1 API vulnerability in the OWASP API Security Top 10.

Additional hardening: enforce HTTPS everywhere, validate Content-Type to prevent MIME confusion, implement rate limiting per user and per IP, use security headers (Strict-Transport-Security, X-Content-Type-Options), rotate API keys regularly, and log all access with correlation IDs for audit trails.
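The mass-assignment and BOLA defences above, as an added framework-agnostic example (not code from the original answer): a PATCH /users/{id} handler that allowlists writable fields and a GET /invoices/{id} handler that checks ownership, not just authentication. The in-memory USERS and INVOICES records and the function names are constructed for illustration.

```python
from dataclasses import dataclass

# Fields a client may set on its own profile. Anything else in the body
# (is_admin, balance, id, ...) is dropped instead of being bound to the model.
USER_WRITABLE_FIELDS = frozenset({"display_name", "email"})

@dataclass
class User:
    id: int
    email: str
    display_name: str = ""
    is_admin: bool = False
    balance: int = 0

@dataclass
class Invoice:
    id: int
    owner_id: int
    amount: int

# Constructed sample data standing in for a database.
USERS = {1: User(1, "alice@example.com"), 2: User(2, "bob@example.com")}
INVOICES = {42: Invoice(42, owner_id=1, amount=250),
            43: Invoice(43, owner_id=2, amount=90)}

def filter_writable(body: dict, allowed: frozenset) -> tuple[dict, list]:
    """Split a request body into accepted fields and rejected field names."""
    accepted = {k: v for k, v in body.items() if k in allowed}
    rejected = sorted(k for k in body if k not in allowed)
    return accepted, rejected

def update_user(current_user_id: int, target_user_id: int, body: dict) -> tuple[int, dict]:
    """PATCH /users/{id}: returns (http_status, response_body)."""
    caller = USERS[current_user_id]
    # Object-level authorization: a non-admin may only modify its own record.
    # Returning 404 rather than 403 avoids confirming that other ids exist.
    if target_user_id != current_user_id and not caller.is_admin:
        return 404, {"error": "not found"}
    target = USERS.get(target_user_id)
    if target is None:
        return 404, {"error": "not found"}
    accepted, rejected = filter_writable(body, USER_WRITABLE_FIELDS)
    for key, value in accepted.items():
        setattr(target, key, value)
    return 200, {"updated": sorted(accepted), "ignored": rejected}

def get_invoice(current_user_id: int, invoice_id: int) -> tuple[int, dict]:
    """GET /invoices/{id}: being authenticated is not enough; the invoice must belong to the caller."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != current_user_id:
        return 404, {"error": "not found"}
    return 200, {"id": inv.id, "amount": inv.amount}
```

The rejected field names are echoed back in the response so that attempts to set privileged fields are visible in application logs.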