After testing hundreds of APIs, the biggest issues are still HTTP basics
After years of testing APIs across fintech, gov, and internal platforms, I keep seeing the same pattern: Most API bugs are not complex. They’re boring HTTP basics that teams quietly forget.
A few examples I see again and again:
Missing auth returns 403 instead of 401 — so clients debug permissions instead of authentication
Unsupported HTTP methods return 200 — so people debug payloads instead of the method
Non-existent endpoints return 200 — so monitoring shows “everything is fine” while users rage
Invalid payloads get echoed back in error messages — opening doors nobody intended
Private APIs allow broad CORS origins — because “it worked in the browser”
None of these are hard.
None require AI.
None require rewriting the system.
They’re just things nobody notices until production hurts.
Curious: What’s the most “obvious in hindsight” API issue you’ve seen recently?
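The five checks above, turned into a runnable probe. This is an added example, not code from the original post or from any tool mentioned in the thread. It uses only the Python standard library; the target is a constructed in-process server that, with sloppy=True, reproduces all five failure modes and, with sloppy=False, answers the way the post wants (401 plus WWW-Authenticate, 405 plus Allow, 404, a non-echoing 400, a single named CORS origin). The token, the canary string and the trusted origin are assumptions for the demo.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKEN = "Bearer demo-token"             # constructed credential for the demo
CANARY = "CANARY-7f3a"                  # constructed marker to detect reflected input
TRUSTED_ORIGIN = "https://app.example"  # hypothetical front-end origin


def make_handler(sloppy):
    """Build a request handler that is either sloppy or fixed (constructed target)."""
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):   # keep the demo quiet
            pass

        def _send(self, status, body, extra=None):
            data = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            # Sloppy: any origin may read the response. Fixed: one known origin.
            self.send_header("Access-Control-Allow-Origin", "*" if sloppy else TRUSTED_ORIGIN)
            for name, value in (extra or {}).items():
                self.send_header(name, value)
            self.end_headers()
            self.wfile.write(data)

        def _route(self, method):
            length = int(self.headers.get("Content-Length") or 0)
            raw = self.rfile.read(length) if length else b""
            if self.headers.get("Authorization") != TOKEN:
                # Missing or invalid credentials: 401 with a challenge, not 403.
                if sloppy:
                    return self._send(403, {"error": "forbidden"})
                return self._send(401, {"error": "authentication required"},
                                  {"WWW-Authenticate": "Bearer"})
            if self.path != "/api/items":
                # Unknown path: 404, never a reassuring 200.
                if sloppy:
                    return self._send(200, {"ok": True})
                return self._send(404, {"error": "not found"})
            if method not in ("GET", "POST"):
                # Unsupported verb: 405 plus an Allow header.
                if sloppy:
                    return self._send(200, {"ok": True})
                return self._send(405, {"error": "method not allowed"}, {"Allow": "GET, POST"})
            if method == "POST":
                try:
                    json.loads(raw)
                except ValueError:
                    # Describe the problem; never echo the caller's bytes back.
                    detail = ("bad json: " + raw.decode("utf-8", "replace") if sloppy
                              else "request body is not valid JSON")
                    return self._send(400, {"error": detail})
            return self._send(200, {"items": []})

        def do_GET(self): self._route("GET")
        def do_POST(self): self._route("POST")
        def do_PUT(self): self._route("PUT")

    return Handler


def probe(base, method, path, token=TOKEN, body=None, origin=None):
    """Send one request; return (status, lower-cased headers, body bytes)."""
    req = Request(base + path, data=body, method=method)
    if token:
        req.add_header("Authorization", token)
    if origin:
        req.add_header("Origin", origin)
    try:
        resp = urlopen(req, timeout=5)
    except HTTPError as err:      # 4xx/5xx are results we want, not failures
        resp = err
    try:
        return resp.getcode(), {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    finally:
        resp.close()


def audit(base):
    """Run the five checks from the post against base; return the failing ones."""
    findings = []
    status, hdr, _ = probe(base, "GET", "/api/items", token=None)
    if status != 401 or "www-authenticate" not in hdr:
        findings.append("missing-auth-not-401")
    status, _, _ = probe(base, "PUT", "/api/items")
    if status != 405:
        findings.append("unsupported-method-not-405")
    status, _, _ = probe(base, "GET", "/api/does-not-exist")
    if status != 404:
        findings.append("unknown-path-not-404")
    _, _, body = probe(base, "POST", "/api/items", body=("{not json " + CANARY).encode())
    if CANARY in body.decode("utf-8", "replace"):
        findings.append("payload-reflected-in-error")
    evil = "https://evil.example"   # constructed attacker origin
    _, hdr, _ = probe(base, "GET", "/api/items", origin=evil)
    if hdr.get("access-control-allow-origin") in ("*", evil):
        findings.append("cors-wildcard-origin")
    return findings


def audit_demo(sloppy):
    """Start the constructed target on a free loopback port, audit it, tear it down."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(sloppy))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return audit("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("sloppy:", audit_demo(True))
    print("fixed: ", audit_demo(False))
```

Point audit() at a real base URL (with a real token in TOKEN) to run the same checks against your own service; the 401 check deliberately also requires a WWW-Authenticate header, since a bare 401 without a challenge is the same kind of half-answer as the 403.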

Replies
Most teams test features. Almost nobody tests HTTP behavior. That’s why these bugs keep shipping. I’ve been collecting these checks into a small local tool: https://github.com/LiudasJan/Rentgen
No AI. No cloud. No accounts. No telemetry.