If I wanted to build a secure API,
I'd consider these 12 practices:
1 Encrypt all traffic with TLS; reject plaintext HTTP.
2 Authenticate with OAuth2/OIDC, or API keys for machine-to-machine clients.
3 Enforce RBAC/ABAC authorization on every endpoint, not just at login.
4 Block abuse with per-client rate limits.
5 Validate input and use parameterized queries to stop injections.
6 Log request metadata (who, what, when, from where) without logging secrets.
7 Run fuzz tests and load/stress tests.
8 Update dependencies often and track their known vulnerabilities.
9 Rotate and revoke tokens; keep them short-lived.
10 Add security headers such as HSTS and CSP.
11 Centralize auth and rate limiting at a gateway instead of per service.
12 Mask or redact sensitive fields in logs and responses.
What else should make this list?
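As an added illustration of items 4, 6 and 12 (not code from the original post), here is a per-client token-bucket rate limiter with an injectable clock, plus a small log-metadata redactor. Class names, field names and the `SENSITIVE_FIELDS` set are assumptions chosen for the example; the limiter is in-memory and per-process, so a real deployment would back the buckets with shared storage at the gateway (item 11).

```python
"""Added example: token-bucket rate limiting and log redaction for an API.

Names (RateLimiter, redact, SENSITIVE_FIELDS) are assumptions for this example.
"""
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float        # tokens currently available (1 token = 1 request)
    last_refill: float   # clock value when tokens were last recomputed


class RateLimiter:
    """Allow a burst of `capacity` requests per key, refilling `rate` tokens/second.

    `clock` is injectable (defaults to time.monotonic) so behaviour is testable
    without sleeping. State lives in this process only (assumption for the
    example); a gateway would keep buckets in a shared store.
    """

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        if capacity <= 0 or rate <= 0:
            raise ValueError("capacity and rate must be positive")
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self._buckets: dict[str, _Bucket] = {}

    def _refill(self, key: str) -> _Bucket:
        now = self.clock()
        b = self._buckets.get(key)
        if b is None:
            # A new client starts with a full bucket.
            b = _Bucket(tokens=float(self.capacity), last_refill=now)
            self._buckets[key] = b
        elapsed = max(0.0, now - b.last_refill)  # guard against clock going backwards
        b.tokens = min(float(self.capacity), b.tokens + elapsed * self.rate)
        b.last_refill = now
        return b

    def allow(self, key: str) -> bool:
        """Consume one token for `key`; False means the request should get 429."""
        b = self._refill(key)
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def retry_after(self, key: str) -> float:
        """Seconds until `key` has a full token again (for a Retry-After header)."""
        b = self._refill(key)
        if b.tokens >= 1.0:
            return 0.0
        return (1.0 - b.tokens) / self.rate


# Field names that must never reach the logs (assumed set for the example).
SENSITIVE_FIELDS = {"authorization", "password", "api_key", "token", "ssn"}


def redact(record: dict) -> dict:
    """Return a copy of a log record with sensitive fields masked, recursing into nested dicts."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_FIELDS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, rate=1.0)
    for i in range(5):
        ok = limiter.allow("client-A")
        print(f"request {i + 1}: {'allowed' if ok else 'rate limited'}")
    # Constructed log record for the example; metadata is kept, the secret is masked.
    print(redact({"method": "POST", "path": "/login", "client_ip": "203.0.113.5",
                  "headers": {"Authorization": "Bearer abc"}, "password": "hunter2"}))
```

`allow()` is called per request with a stable client identifier (API key ID or token subject); when it returns False the handler responds 429 and uses `retry_after()` for the Retry-After header. `redact()` runs over the structured log record before it is emitted so request metadata survives while credentials do not.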