| A1 | BOLA (Broken Object Level Authorization) | Can user A access user B's resources? | Verify object ownership at every endpoint |
| A2 | Broken Authentication | Weak passwords, unlimited login attempts? | bcrypt (cost 12+), rate limit, MFA |
| A3 | Broken Object Property Level Authorization | Are hidden fields exposed in responses? | Response DTOs, field-level filtering |
| A4 | Unrestricted Resource Consumption | Can mass requests crash the server? | Rate limiting, enforce pagination limits |
| A5 | Broken Function Level Authorization | Can regular users call admin APIs? | RBAC middleware, permission checks |
| A6 | SSRF (Server-Side Request Forgery) | Can URL input access internal resources? | URL whitelist, block internal IPs |
| A7 | Security Misconfiguration | Debug mode, default accounts exposed? | Separate prod config, inspect headers |
| A8 | Lack of Automated Threat Protection | Can APIs be called in abnormal sequences? | State machine validation, business rules |
| A9 | Improper Asset Management | Unused APIs, old versions exposed? | API inventory, version deprecation |
| A10 | Unsafe API Consumption | Are external API responses trusted blindly? | Validate external responses, set timeouts |