GAZAR

Principal Engineer | Mentor

API Security Checklist


These are some API security best practices that I have gathered for myself.

  • Don’t use basic authentication unless it is over a secure connection (HTTPS). Authentication tokens must never be transmitted in the URL.
  • Tokens must be transmitted in the `Authorization:` header on every request.
  • Make token expiration (TTL, RTTL) as short as possible.
  • Reject all non-TLS requests by not responding to plain HTTP at all, to avoid any insecure data exchange.
  • Consider rate limiting.
  • Set HTTP headers appropriately.
  • Your API should convert received data to its canonical form, or reject it.
  • All data exchanged with the REST API must be validated by the API.
  • Serialize your JSON.
  • Validate the Content-Type.
  • Use standard authentication (e.g. JWT, OAuth).
  • Use max-retry and jail features for login.
  • Use a random, complex key (JWT secret) so that brute-forcing the token is very hard.
  • Validate redirect_uri server-side and allow only whitelisted URLs.
  • Use a state parameter with a random value to prevent CSRF.
  • Use a CDN for file uploads.
  • If you are dealing with huge amounts of data, use workers and queues to process as much as possible in the background and return the response quickly, to avoid HTTP blocking.
  • Do not forget to turn DEBUG mode OFF.
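As an added example (not part of the original checklist), here are four of the items above in plain Python: the token is accepted only from the Authorization header and never from the URL, the Content-Type is checked, redirect_uri is exact-matched against a server-side whitelist, and the OAuth state is random and compared in constant time. The whitelist URL is an assumed value.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed whitelist of exact redirect URIs (assumed value for this example).
REDIRECT_WHITELIST = {"https://app.example.com/oauth/callback"}


def extract_bearer_token(headers, query):
    """Return the token from 'Authorization: Bearer <token>', or None.
    A token passed in the query string is rejected outright, so it can never
    end up in access logs, Referer headers or browser history."""
    if "access_token" in query or "token" in query:
        return None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def content_type_is_json(headers):
    """Accept only application/json; an optional charset parameter is allowed."""
    media_type = headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    return media_type == "application/json"


def redirect_uri_allowed(uri, whitelist=REDIRECT_WHITELIST):
    """Exact-match scheme, host and path against the whitelist.
    Comparing the parsed parts (not a string prefix) blocks look-alikes such as
    https://app.example.com.evil.com/... and userinfo tricks like host@evil.com."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    for allowed in whitelist:
        a = urlsplit(allowed)
        if (parts.scheme, parts.netloc.lower(), parts.path) == (a.scheme, a.netloc.lower(), a.path):
            return True
    return False


def new_state():
    """Unguessable state value that binds the OAuth callback to this session."""
    return secrets.token_urlsafe(32)


def state_matches(expected, received):
    """Constant-time comparison of the stored state and the one returned by the callback."""
    if not expected or not received:
        return False
    return hmac.compare_digest(expected, received)
```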