
API test heuristics

Heuristics for API testing focus on ensuring the functionality, reliability, and security of APIs. These heuristics help testers identify potential issues and improve the overall quality of the API.

Input Validation

  • Boundary Values: Test API endpoints with boundary values (e.g., min/max allowed, just above/below limits) to uncover off-by-one errors and ensure proper validation.

  • Invalid Entries: Send invalid data types, malformed requests, or unexpected values to verify error handling and response codes.

  • NULL Values: Pass NULL or omit fields entirely to check how the absence of data is handled and whether defaults or errors are returned.

  • Empty Values: Submit empty strings, arrays, or objects to validate how the API processes empty input and whether meaningful errors or defaults are returned.

  • Negative Values: Provide negative numbers or logically invalid values (e.g., negative age, quantity) to test validation and error handling.

  • Parameters: Test with required, optional, and edge-case parameters. Omit, duplicate, or reorder parameters to check robustness and validation.

  • Data: Test with various data types, sizes, encodings, and edge cases. Validate data integrity, handling of large payloads, and support for special characters or formats.

API Methods

  • Method Testing: Use all supported HTTP methods (GET, POST, PUT, DELETE, PATCH, etc.) and try unsupported methods to ensure correct behavior and error responses.

Output and Error Handling

  • Output: Validate the format, structure, and content of API responses. Ensure outputs match documentation and handle unexpected or malformed outputs gracefully.

  • Errors: Trigger error conditions to verify clear, consistent, and actionable error messages and codes for all error scenarios.

  • Status Codes: Check that the API returns appropriate HTTP status codes for success, client errors, and server errors. Ensure that status codes align with the API documentation and expected behavior.

Security and Authorization

  • Security: Assess authentication, authorization, encryption, and data privacy. Test for vulnerabilities such as injection, improper access, and insecure data transmission.

  • Missing Authorization/Authentication in Calls: Validate that APIs enforce proper authentication and authorization, restricting access to protected resources and actions.
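The heuristics in the Input Validation, API Methods, Output and Error Handling, and Security and Authorization sections above, as an added example that is not part of the original page: the checks are run against a constructed in-process order API (`handle`), so everything runs offline and deterministically. The route names, the quantity limits of 1 to 100, the seed order and the bearer tokens are assumptions chosen for illustration; against a real service the same checks would be issued through an HTTP client and the expected status codes taken from the API documentation.

```python
"""Heuristic checks against a minimal in-process API.

Added example, not from the original page: ``handle`` is a constructed stand-in
for a real HTTP service so the checks run offline. Route names, the quantity
limits and the bearer tokens are assumptions chosen for illustration.
"""
from typing import Any, Dict, Optional, Tuple

TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}      # constructed token -> user
ORDERS = {"o-1": {"owner": "alice", "quantity": 2}}    # constructed seed data
QTY_MIN, QTY_MAX = 1, 100                              # business limits (assumption)

Response = Tuple[int, Dict[str, Any]]


def handle(method: str, path: str, body: Optional[Dict[str, Any]] = None,
           headers: Optional[Dict[str, str]] = None) -> Response:
    """Tiny order API: POST /orders creates an order, GET /orders/<id> reads one."""
    headers = headers or {}
    # Authentication first: every route needs a valid bearer token, else 401.
    auth = headers.get("Authorization", "")
    user = TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if user is None:
        return 401, {"error": "authentication required"}

    if path == "/orders":
        if method != "POST":
            return 405, {"error": f"method {method} not allowed"}
        if body is None:
            return 400, {"error": "request body required"}
        qty = body.get("quantity")        # absent key and explicit null both give None
        if qty is None:
            return 400, {"error": "quantity is required"}
        if isinstance(qty, bool) or not isinstance(qty, int):
            return 400, {"error": "quantity must be an integer"}   # bool is an int subclass
        if not QTY_MIN <= qty <= QTY_MAX:
            return 400, {"error": f"quantity must be between {QTY_MIN} and {QTY_MAX}"}
        order_id = f"o-{len(ORDERS) + 1}"
        ORDERS[order_id] = {"owner": user, "quantity": qty}
        return 201, {"id": order_id, "quantity": qty}

    if path.startswith("/orders/"):
        if method != "GET":
            return 405, {"error": f"method {method} not allowed"}
        order = ORDERS.get(path[len("/orders/"):])
        if order is None:
            return 404, {"error": "order not found"}
        # Authorization: callers may read only their own orders, else 403.
        if order["owner"] != user:
            return 403, {"error": "forbidden"}
        return 200, order

    return 404, {"error": "unknown route"}


def run_input_and_auth_checks() -> Dict[str, bool]:
    """Apply the heuristics and record whether each expectation held."""
    alice = {"Authorization": "Bearer tok-alice"}
    bob = {"Authorization": "Bearer tok-bob"}

    def post_status(body: Optional[Dict[str, Any]]) -> int:
        return handle("POST", "/orders", body, alice)[0]

    return {
        # Boundary values: just below min, min, max, just above max
        "boundary_below_min": post_status({"quantity": QTY_MIN - 1}) == 400,
        "boundary_min": post_status({"quantity": QTY_MIN}) == 201,
        "boundary_max": post_status({"quantity": QTY_MAX}) == 201,
        "boundary_above_max": post_status({"quantity": QTY_MAX + 1}) == 400,
        # Invalid entries: wrong types, including a JSON boolean where an int is expected
        "invalid_type_string": post_status({"quantity": "5"}) == 400,
        "invalid_type_bool": post_status({"quantity": True}) == 400,
        # NULL, missing and empty values
        "null_field": post_status({"quantity": None}) == 400,
        "missing_field": post_status({}) == 400,
        "empty_body": post_status(None) == 400,
        # Negative values
        "negative_quantity": post_status({"quantity": -1}) == 400,
        # API methods: an unsupported verb on a known route
        "unsupported_method": handle("DELETE", "/orders", None, alice)[0] == 405,
        # Output and errors: success echoes the field, every error carries a message
        "output_shape": handle("POST", "/orders", {"quantity": 3}, alice)[1].get("quantity") == 3,
        "error_shape": "error" in handle("POST", "/orders", {}, alice)[1],
        # Security: no credentials, another user's resource, the caller's own resource
        "missing_auth": handle("GET", "/orders/o-1")[0] == 401,
        "other_users_order": handle("GET", "/orders/o-1", None, bob)[0] == 403,
        "own_order": handle("GET", "/orders/o-1", None, alice)[0] == 200,
    }


if __name__ == "__main__":
    for name, passed in run_input_and_auth_checks().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Two details worth keeping when the checks are ported to a real client: the boolean case matters because JSON `true` deserialises to a Python `int` subclass and slips through a naive `isinstance(qty, int)` check, and the authentication check runs before routing so that an unauthenticated caller cannot use 404 versus 405 responses to learn which routes exist.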

Integration and Interoperability

  • Interop: Check how the API interacts with other systems, services, or components. Test integration points, data exchange, and compatibility with external tools.

  • Versioning: Test API versioning strategies to ensure backward compatibility and proper handling of deprecated features.

Performance and Reliability

  • Responsiveness: Measure API response times and performance under various loads to ensure reliability and scalability.

  • Rate Limiting: Test rate limiting and throttling mechanisms to ensure fair usage and prevent abuse.
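The Rate Limiting heuristic above, as an added example that is not part of the original page: a constructed sliding-window limiter stands in for the service so the check runs offline, and the limit (5 requests per 10 seconds), the client identifiers and the injected clock are assumptions. The checks are the ones a tester would issue against a real endpoint: the first `LIMIT` requests pass, the excess receive 429 with a `Retry-After` header, a second client is unaffected by the first one's burst, and the first client is served again once the window has elapsed.

```python
"""Rate-limiting heuristic checked against a constructed sliding-window limiter.

Added example, not from the original page. The limiter, its limit of 5 requests
per 10-second window and the injected clock are assumptions chosen so the check
is deterministic and runs offline; a real test drives the deployed endpoint.
"""
import math
from collections import deque
from typing import Deque, Dict, List, Tuple

LIMIT = 5        # requests allowed per window (assumption)
WINDOW = 10.0    # window length in seconds (assumption)


class SlidingWindowLimiter:
    """Per-client sliding window: allow while fewer than `limit` hits fall in the last `window` seconds."""

    def __init__(self, limit: int = LIMIT, window: float = WINDOW) -> None:
        self.limit, self.window = limit, window
        self.hits: Dict[str, Deque[float]] = {}

    def check(self, client: str, now: float) -> Tuple[int, Dict[str, str]]:
        """Return (status, headers); `now` is injected so tests need no sleeping."""
        q = self.hits.setdefault(client, deque())
        while q and now - q[0] >= self.window:   # expire hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            # Throttled requests do not count; tell the client when a slot frees up.
            retry_after = math.ceil(self.window - (now - q[0]))
            return 429, {"Retry-After": str(retry_after)}
        q.append(now)
        return 200, {}


def probe(limiter: SlidingWindowLimiter, client: str, times: List[float]) -> List[int]:
    """Issue one request per timestamp and collect the status codes."""
    return [limiter.check(client, t)[0] for t in times]


def run_rate_limit_checks() -> Dict[str, bool]:
    """Apply the rate-limiting heuristic and record whether each expectation held."""
    lim = SlidingWindowLimiter()
    # Burst of LIMIT + 2 requests 100 ms apart: the first LIMIT pass, the rest are throttled
    burst = probe(lim, "client-a", [i * 0.1 for i in range(LIMIT + 2)])
    # Fair usage: a second client is unaffected by the first one's burst
    other = lim.check("client-b", 0.7)[0]
    # A throttled response carries Retry-After pointing at the oldest hit's expiry
    status, headers = lim.check("client-a", 1.0)
    # Once the window has elapsed the first client is served again
    recovered = lim.check("client-a", WINDOW)[0]
    return {
        "first_limit_allowed": burst[:LIMIT] == [200] * LIMIT,
        "excess_throttled": burst[LIMIT:] == [429, 429],
        "per_client_isolation": other == 200,
        "retry_after_present": status == 429 and headers.get("Retry-After") == "9",
        "recovers_after_window": recovered == 200,
    }


if __name__ == "__main__":
    for name, passed in run_rate_limit_checks().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Injecting the clock is what makes the check repeatable: the same sequence of timestamps always yields the same status codes, whereas sleeping between real requests makes the boundary between the last allowed and the first throttled call depend on scheduling jitter. Note also that throttled requests are not recorded as hits, so a client that keeps retrying while limited is not pushed further out; whether a real service behaves that way is itself something to verify.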

Useful Resources

  • Tomes, S. (2022, March 31). Test heuristics cheat sheet. Ministry of Testing. https://www.ministryoftesting.com/articles/test-heuristics-cheat-sheet