After testing hundreds of APIs, the biggest issues are still HTTP basics

by Liudas Jankauskas

After years of testing APIs across fintech, gov, and internal platforms, I keep seeing the same pattern: most API bugs are not complex. They’re boring HTTP basics that teams quietly forget.

A few examples I see again and again:

  • Missing auth returns 403 instead of 401 — so clients debug permissions instead of authentication

  • Unsupported HTTP methods return 200 — so people debug payloads instead of the method

  • Non-existent endpoints return 200 — so monitoring shows “everything is fine” while users rage

  • Invalid payloads get echoed back in error messages — opening doors nobody intended

  • Private APIs allow broad CORS origins — because “it worked in the browser”
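As an added example (not the author's code), here is a small stdlib-only request handler that gets each of the five basics above right, so the expected behaviour can be checked in one place: 401 with `WWW-Authenticate` when no usable credentials are present, 403 only for a known caller without the scope, 405 with an `Allow` header for a known path and unsupported method, 404 for unknown paths, a generic 400 that does not echo the bad payload, and a CORS allowlist instead of a wildcard. The route table, tokens and origins are constructed placeholders.

```python
"""Minimal model of the HTTP basics listed above (added example, stdlib only)."""
import json

# Constructed sample data: which bearer tokens exist and what scopes they carry.
TOKENS = {"tok-reader": {"read"}, "tok-admin": {"read", "write"}}

# Constructed route table: path -> {method: required scope (None = public)}.
ROUTES = {
    "/users": {"GET": "read", "POST": "write"},
    "/health": {"GET": None},
}

# Explicit allowlist for a private API; never "*" and never the request's own origin.
ALLOWED_ORIGINS = {"https://app.internal.example"}


def handle(method, path, headers=None, body=b""):
    """Return (status, response_headers, json_body) for one request."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    resp_headers = {"Content-Type": "application/json"}

    # CORS: reflect an origin only if it is on the allowlist.
    origin = headers.get("origin")
    if origin in ALLOWED_ORIGINS:
        resp_headers["Access-Control-Allow-Origin"] = origin
        resp_headers["Vary"] = "Origin"

    # 404 for paths that do not exist, so monitoring actually sees them.
    methods = ROUTES.get(path)
    if methods is None:
        return 404, resp_headers, {"error": "not found"}

    # 405 plus Allow for a known path with an unsupported method.
    if method not in methods:
        resp_headers["Allow"] = ", ".join(sorted(methods))
        return 405, resp_headers, {"error": "method not allowed"}

    required = methods[method]
    if required is not None:
        # 401: no usable credentials at all; tell the client how to authenticate.
        scheme, _, token = headers.get("authorization", "").partition(" ")
        scopes = TOKENS.get(token) if scheme.lower() == "bearer" else None
        if scopes is None:
            resp_headers["WWW-Authenticate"] = 'Bearer realm="api"'
            return 401, resp_headers, {"error": "authentication required"}
        # 403: the caller is known but lacks the scope for this route.
        if required not in scopes:
            return 403, resp_headers, {"error": "insufficient scope"}

    # 400 with a generic message; the invalid payload is never echoed back.
    if method == "POST":
        try:
            payload = json.loads(body or b"")
            if not isinstance(payload, dict):
                raise ValueError("object expected")
        except ValueError:
            return 400, resp_headers, {"error": "invalid JSON body"}
        return 201, resp_headers, {"created": sorted(payload)}

    return 200, resp_headers, {"ok": True}


if __name__ == "__main__":
    for req in (("GET", "/users", {}, b""),
                ("DELETE", "/users", {}, b""),
                ("GET", "/missing", {}, b""),
                ("POST", "/users", {"Authorization": "Bearer tok-reader"}, b"{}"),
                ("POST", "/users", {"Authorization": "Bearer tok-admin"}, b"{oops")):
        print(req[0], req[1], "->", handle(*req)[0])
```

The order of checks is a design choice: here 404/405 are answered before authentication, which keeps the example small; on a private API you may prefer to return 401 first so that unauthenticated callers learn nothing about which paths exist.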

None of these are hard.

None require AI.

None require rewriting the system.

They’re just things nobody notices until production hurts.

Curious: What’s the most “obvious in hindsight” API issue you’ve seen recently?
