30% of customer-facing APIs are completely unprotected

70% of customer-facing APIs are secured using HTTPS, leaving nearly one-third of these APIs completely unprotected, according to F5.

This is a stark contrast to the 90% of web pages that are now accessed via HTTPS, following the push for secure web communications over the past decade.

“APIs are becoming the backbone of digital transformation efforts, connecting critical services and applications across organizations,” said Lori MacVittie, Distinguished Engineer at F5. “However, as our report indicates, many organizations are not keeping pace with the security requirements needed to protect these valuable assets, especially in the context of emerging AI-driven threats.”

Customer-facing APIs remain vulnerable

The average organization now manages 421 different APIs, with most hosted in public cloud environments. Despite this growth, a significant number of APIs—particularly those that are customer-facing—remain unprotected.

As APIs increasingly connect to AI services like OpenAI, the security model must adapt to cover both inbound and outbound API traffic. Current practices largely focus on inbound traffic, leaving outbound API calls vulnerable.

80% of organizations begin API security in the API design phase. In addition, 59% say they incorporate security at every stage of the API lifecycle. 87% of organizations have adopted or plan to adopt secure development lifecycle (SDLC) practices, which emphasize addressing security at every stage of the cycle.

Some APIs live within a bubble of security services, from mTLS within microservices architectures to access control, DDoS and bot defenses,
and API-specific security measures. As a result, those APIs are fairly well protected, in general. But a small percentage—under 10%—are left completely unprotected. That might not be concerning given the breadth of API use within most organizations. However, an alarming percentage of customer-facing APIs (more than 30%, nearly one-third) are protected by absolutely nothing.

Leaving any APIs unprotected, whether in apps accessed by the public and partners or in operational integrations, is unwise. Organizations embracing zero trust security models need to extend their thinking beyond their apps to also ensure every API request, regardless of its source, is authenticated, authorized, and validated.

Fragmented responsibility for API security

The report reveals a divided responsibility for API security within organizations, with 53% managing it under application security and 31% through API management and integration platforms. This division can lead to gaps in coverage and inconsistent security practices.

Respondents ranked programmability as the most valuable API security capability, underscoring the need for real-time inspection and response to API traffic and threats.

To address these security gaps, the report recommends organizations adopt comprehensive security solutions that can cover the entire API lifecycle, from design through deployment. By integrating API security into both development and operational phases, organizations can better protect their digital assets against a growing array of threats.

“APIs are integral to the AI era, but they must be secured to ensure that AI and digital services can operate safely and effectively,” added MacVittie. “This report is a call to action for organizations to re-evaluate their API security strategies and take the necessary steps to protect their data and services.”