by Semionilo 809 days ago
Use some software input fuzzer against it, like a SQL fuzzer etc.

Never trust your frontend data ever!

Always assume the attacker can talk to your API.

Don't do auth or login yourself. Use known libs, workflows asks.

Have unit tests to verify your endpoints need auth (valid user, not just an anonymous user).
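The last point (tests that prove every endpoint demands a valid user) is the one most teams skip, so here is an added, self-contained illustration in Python. It is not code from the comment or from any real framework: the tiny `App` router, the `require_auth` decorator and the `VALID_TOKENS` store are all constructed for the example. The idea is the one the comment describes: enumerate every registered route, hit it once anonymously and once with a well-formed but invalid token, and flag anything that does not answer 401 unless it is on an explicit public allowlist. One route (`DELETE /account`) is deliberately left without the decorator so the audit has something to catch.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


# Constructed sample session store for the example. A real service would
# verify signed session cookies or JWTs with a maintained library, not a dict.
VALID_TOKENS = {"tok-alice": "alice"}


def current_user(req: Request) -> Optional[str]:
    """Return the user behind a 'Authorization: Bearer <token>' header, or None."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return VALID_TOKENS.get(token)


def require_auth(handler: Callable[[Request, str], Response]) -> Callable[[Request], Response]:
    """Decorator: answer 401 unless the request carries a valid user."""
    def wrapped(req: Request) -> Response:
        user = current_user(req)
        if user is None:
            return Response(401, "unauthorized")
        return handler(req, user)
    return wrapped


class App:
    """Minimal (method, path) router standing in for a real web framework."""
    def __init__(self) -> None:
        self.routes: Dict[Tuple[str, str], Callable[[Request], Response]] = {}

    def route(self, method: str, path: str):
        def register(handler: Callable[[Request], Response]):
            self.routes[(method, path)] = handler
            return handler
        return register

    def handle(self, req: Request) -> Response:
        handler = self.routes.get((req.method, req.path))
        return handler(req) if handler else Response(404, "not found")


app = App()


@app.route("GET", "/health")
def health(req: Request) -> Response:
    return Response(200, "ok")


@app.route("GET", "/me")
@require_auth
def me(req: Request, user: str) -> Response:
    return Response(200, user)


@app.route("DELETE", "/account")
def delete_account(req: Request) -> Response:
    # Deliberately missing @require_auth: the audit below must report this route.
    return Response(200, "deleted")


# Routes that are allowed to answer anonymous callers. Keep this list explicit
# so a new endpoint is protected by default and must be opted out on purpose.
PUBLIC_ENDPOINTS = {("GET", "/health")}


def unprotected_endpoints(app: App, public=PUBLIC_ENDPOINTS) -> List[Tuple[str, str]]:
    """Probe every registered route with no credentials and with a bogus
    token; return the non-allowlisted routes that answer anything but 401."""
    probes = [
        {},                                            # anonymous caller
        {"Authorization": "Bearer not-a-real-token"},  # well-formed, invalid
    ]
    leaks = []
    for method, path in sorted(app.routes):
        if (method, path) in public:
            continue
        for headers in probes:
            if app.handle(Request(method, path, headers)).status != 401:
                leaks.append((method, path))
                break
    return leaks


if __name__ == "__main__":
    print("unprotected:", unprotected_endpoints(app))  # expect [('DELETE', '/account')]
```

In a real project the same audit runs as one test in the suite (`assert unprotected_endpoints(app) == []`) against the framework's own route table, so forgetting the auth decorator on a new endpoint fails CI instead of shipping.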