Let's say we want to secure our Todo REST API. The first questions to ask are:
- Who would be the users of our API?
- How do we identify a user?
- Where can we store the user's details?
- What are the different kinds of users?
- What actions can each type of user perform?