APIs can also suffer from security misconfigurations if they do not set proper HTTP security response headers. For example, suppose an API does not set a secure Access-Control-Allow-Origin header as part of its CORS (Cross-Origin Resource Sharing) policy. In that case, it can be exposed to security risks, most notably Cross-Site Request Forgery (CSRF).
Another example is a lack of input validation, which can lead to SQL injection (SQLi).
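As an added example (not code from the original article), the following Python contrasts a handler that reflects any Origin into Access-Control-Allow-Origin with one that only answers for an exact-match allow-list; the allow-list entries, the plain-dict request/response shapes and the helper names are assumptions for illustration.

```python
# Added example: a permissive CORS header builder beside a hardened one.
# Requests and responses are modelled as plain dicts (assumption), so the
# logic runs without any web framework.
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allow-list of origins permitted to call this API with credentials.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers_weak(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Misconfigured: echoes whatever Origin the caller sends and also allows
    credentials, so any site can have the browser attach the victim's cookies
    and then read the API response."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def _normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin value to scheme://host[:port] for exact comparison.
    Returns None when the value is not a well-formed origin (no scheme,
    a path, query, fragment or userinfo present, or the literal 'null')."""
    parts = urlsplit(origin)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers_hardened(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Emit CORS headers only for an origin on the exact-match allow-list.
    Unknown or malformed origins get no Allow-Origin header, so the browser
    refuses the cross-origin read. 'Vary: Origin' is always set so a shared
    cache never serves one origin's headers to another."""
    origin = request_headers.get("Origin")
    normalized = _normalize_origin(origin) if origin else None
    if normalized not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```

Note that exact matching is deliberate: prefix or suffix checks on the host string are a common way the allow-list is accidentally widened.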