27

What are the best practices for securing a REST API in 2026?


I am building a REST API for a financial application and need to ensure it meets current security standards. We are using Node.js with Express on the backend.

So far I have implemented JWT authentication, but I want to know what other layers of security I should add. Should I use OAuth 2.0 with PKCE? What about rate limiting and input validation?

Any recommendations for libraries or middleware that handle API security well would be appreciated. We are deploying on AWS if that matters.

2 Answers
15

Best

For securing a REST API in 2026, here is a comprehensive approach:

Authentication & Authorization: Use OAuth 2.0 with PKCE flow for public clients. For service-to-service, use client credentials with mutual TLS. JWTs should have short expiration times (15 minutes) with refresh token rotation.

Rate Limiting: Implement tiered rate limiting using a library like express-rate-limit backed by Redis. Apply different limits per endpoint based on sensitivity.

Input Validation: Use Zod or Joi for strict schema validation on every endpoint. Never trust client input. Sanitize all outputs to prevent XSS.

On AWS, leverage API Gateway with WAF rules, and use AWS Secrets Manager for credential management.

8

Adding to the above answer, do not forget about these often-overlooked security measures:

CORS Configuration: Be very strict with your CORS policy. Only whitelist the exact origins that need access.

Security Headers: Use helmet.js middleware to set proper security headers including Content-Security-Policy, X-Content-Type-Options, and Strict-Transport-Security.

Logging & Monitoring: Implement structured logging with request correlation IDs. Set up alerts for unusual patterns like repeated 401/403 responses or sudden traffic spikes. AWS CloudWatch with custom metrics works well for this.
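Added example (not part of the answer above): two of its points in plain Node without helmet or CloudWatch, so it runs offline. First, a CORS allowlist that compares the whole `Origin` value against a set (a prefix or substring match would also admit `https://app.example.com.evil.test`). Second, a sliding-window detector run over constructed structured log lines, each carrying a correlation id, that raises an alert when one client accumulates a threshold of 401/403 responses inside the window. The origins, log lines and thresholds are constructed values; lines are assumed to arrive in timestamp order.

```javascript
// Added example: exact-match CORS allowlist and a 401/403 burst detector over
// structured log lines. All origins, IPs, request ids and thresholds are constructed.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Return the CORS response headers for an allowed origin, or null (no header emitted,
// so the browser blocks the cross-origin read). Exact string match only.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,   // echo the matched origin; never "*" with credentials
    'Vary': 'Origin',                         // keep caches from serving one origin's answer to another
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Each log line is JSON: { ts: epoch seconds, reqId: correlation id, ip, status }.
// An alert is raised the moment an IP's 401/403 count inside `windowSec` reaches `threshold`.
function detectAuthFailureBursts(logLines, { threshold = 5, windowSec = 60 } = {}) {
  const perIp = new Map();   // ip -> recent failure records inside the window
  const alerts = [];
  for (const line of logLines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }            // skip malformed lines
    if (rec.status !== 401 && rec.status !== 403) continue;
    const hits = perIp.get(rec.ip) ?? [];
    hits.push(rec);
    while (hits.length && rec.ts - hits[0].ts > windowSec) hits.shift();  // drop old entries
    perIp.set(rec.ip, hits);
    if (hits.length === threshold) {
      alerts.push({
        ip: rec.ip,
        count: hits.length,
        firstReqId: hits[0].reqId,   // correlation ids let responders pull the exact requests
        lastReqId: rec.reqId,
      });
    }
  }
  return alerts;
}

// Constructed sample: one client fails repeatedly within a minute (plus one stale failure
// well outside the window), another client fails once, and one line is garbage.
const SAMPLE_LOGS = [
  JSON.stringify({ ts: 10,  reqId: 'a0', ip: '203.0.113.7',  status: 401 }),
  JSON.stringify({ ts: 100, reqId: 'a1', ip: '203.0.113.7',  status: 401 }),
  JSON.stringify({ ts: 100, reqId: 'b1', ip: '198.51.100.9', status: 403 }),
  JSON.stringify({ ts: 101, reqId: 'a2', ip: '203.0.113.7',  status: 403 }),
  'not json at all',
  JSON.stringify({ ts: 102, reqId: 'a3', ip: '203.0.113.7',  status: 401 }),
  JSON.stringify({ ts: 102, reqId: 'c1', ip: '203.0.113.7',  status: 200 }),
  JSON.stringify({ ts: 103, reqId: 'a4', ip: '203.0.113.7',  status: 401 }),
  JSON.stringify({ ts: 104, reqId: 'a5', ip: '203.0.113.7',  status: 401 }),
  JSON.stringify({ ts: 105, reqId: 'a6', ip: '203.0.113.7',  status: 401 }),
];

module.exports = { corsHeadersFor, detectAuthFailureBursts, SAMPLE_LOGS };
```

Running `detectAuthFailureBursts(SAMPLE_LOGS)` yields a single alert for 203.0.113.7 whose `firstReqId` is `a1`, not `a0`: the failure at `ts: 10` has already fallen out of the 60-second window, which is the behaviour you want so that a handful of stale failures never trips the alarm. In production the same shape of logic would feed a CloudWatch custom metric or any other alerting sink.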
