In over 11 years of my experience I have seen so many API’s that have major security flaw. They either lack a proper setup of Authentication or Authorisation or both. The developers might feel okay since these endpoints are usually not public. But it is a huge security loop hole which anyone can easily target.
Read more: https://itnext.io/net-5-how-to-authenticate-authorise-apis-correctly-34b09d132d84