Secure Bun APIs

🔐 Introduction to Secure Bun APIs

Building APIs with Bun is fast and efficient — but speed means nothing without security. Whether you're exposing endpoints for internal tools or public-facing services, securing your Bun APIs is essential to prevent unauthorized access, data leaks, and abuse.

This tutorial walks you through essential security practices to make your Bun-powered APIs safe and robust.

🛡️ Enable CORS Safely

Cross-Origin Resource Sharing (CORS) determines which domains can access your APIs. A misconfigured CORS policy can open doors for malicious sites.

Bun allows manual header control:

const headers = {
  "Access-Control-Allow-Origin": "https://yourdomain.com",
  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
  "Access-Control-Allow-Headers": "Content-Type, Authorization",
};

Apply these headers in your response to ensure only trusted sources can consume your API.

🔑 Use JWT for Authentication

JSON Web Tokens (JWT) are a standard for securely transmitting data between parties.

In Bun, you can use JWT to authorize requests:

import { sign, verify } from "jsonwebtoken";

// Signing a token
const token = sign({ userId: 1 }, "your-secret", { expiresIn: "1h" });

// Verifying a token
const decoded = verify(token, "your-secret");

For every protected route, verify the incoming token from the Authorization header:

const authMiddleware = (req) => {
  const authHeader = req.headers.get("Authorization");
  if (!authHeader) return new Response("Unauthorized", { status: 401 });

  const token = authHeader.replace("Bearer ", "");
  try {
    const payload = verify(token, "your-secret");
    return payload;
  } catch {
    return new Response("Invalid Token", { status: 403 });
  }
};

📫 Avoid Leaky Routes & Methods

Don’t expose unnecessary endpoints. Validate and whitelist only the HTTP methods that are required:

if (req.method !== "POST") {
  return new Response("Method Not Allowed", { status: 405 });
}

Also, never return detailed error traces in production. Keep error messages generic to avoid giving attackers hints.

🕵️‍♂️ Protect Sensitive Data

If your API handles passwords or personal information, always hash sensitive values using a strong hashing algorithm before storing:

import bcrypt from "bcrypt";

const hashedPassword = await bcrypt.hash("user_password", 12);
const isMatch = await bcrypt.compare("input_password", hashedPassword);

Avoid returning raw user data. Filter out fields like password, tokens, or internal IDs before sending responses.

📉 Rate Limiting & Abuse Protection

To stop abuse like brute force or DDoS, implement basic rate-limiting logic:

// Simple in-memory rate limiter
const rateLimitMap = new Map();

function isRateLimited(ip) {
  const now = Date.now();
  const limit = rateLimitMap.get(ip) || [];

  // Remove old timestamps
  const recent = limit.filter(ts => now - ts < 60000); // 1 minute
  if (recent.length >= 10) return true; // 10 requests/minute

  recent.push(now);
  rateLimitMap.set(ip, recent);
  return false;
}

Call this before processing any request and return a 429 Too Many Requests response if the IP exceeds the limit.

🧯 Use HTTPS Always

Never expose your Bun API over plain HTTP. Use HTTPS either directly (with self-signed certs for internal services) or through a reverse proxy like Nginx or a cloud load balancer.

This ensures all data between client and server remains encrypted.

🔐 Add API Keys for Extra Control

If your Bun API is being accessed by other services, you can add API key validation for simple access control:

const isAuthorized = (req) => {
  const key = req.headers.get("x-api-key");
  return key === Deno.env.get("MY_API_KEY");
};

Make sure to store keys securely (e.g., GitHub secrets, Bun.env) and never hardcode them in your codebase.

📊 Logging & Monitoring

Implement structured logging to track request patterns, suspicious behavior, and failed attempts. This will help you identify threats and unusual activity:

console.log(JSON.stringify({
  ip: req.headers.get("x-forwarded-for"),
  route: req.url,
  status: res.status,
  timestamp: new Date().toISOString(),
}));

🔚 Conclusion

Securing your APIs isn't a one-time task — it’s an ongoing commitment. With Bun's simplicity and performance, adding security doesn't mean sacrificing speed.

By combining JWT authentication, CORS control, rate-limiting, HTTPS, and secure data handling, you can confidently build and expose powerful APIs without leaving vulnerabilities behind.

Keep it fast. Keep it safe. Secure your Bun APIs from day one! 🔒

---