Add API Security Cheat Sheet - Unified Guidance for All API Types

[ZMelliti]

Summary

This PR introduces a new API Security Cheat Sheet that provides comprehensive guidance for securing APIs across all technologies. The cheat sheet covers:

• Complete OWASP API Security Top 10 2023 vulnerabilities with prevention strategies
• Technology-agnostic security controls applicable to REST, GraphQL, gRPC, WebSocket, and SOAP APIs
• Modern API patterns including API gateways, microservices, and zero trust architecture
• Practical code examples in Java and JavaScript for common security implementations
• Core security controls for authentication, authorization, input validation, and transport security
• Testing, monitoring, and compliance guidance for API security programs

Checklist

Please make sure that for your contribution:

• In case of a new Cheat Sheet, you have used the Cheat Sheet template.
• All the markdown files do not raise any validation policy violation, see the policy.
• All the markdown files follow these format rules.
• All your assets are stored in the assets folder.
• All the images used are in the PNG format.
• Any references to websites have been formatted as [TEXT](URL)
• You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
• The CI build of your PR pass, see the build status here.

Verification Details

• New Cheat Sheet: Created using the official template structure with Introduction, main sections, and References
• Link Validation: All internal references use proper [TEXT](CheatSheet.md) format and external links use [TEXT](URL) format
• Format Compliance: Follows markdown formatting rules with proper headers, code blocks, and structure
• No Assets: Text-based content with code examples only, no images or external assets required
• Effectiveness: All security practices validated against OWASP API Security Top 10 2023, RFC standards, and industry best practices
• Cross-References: Properly integrates with existing OWASP cheat sheets without duplication

This PR fixes #1865

AI Tool Usage Disclosure (required for all PRs)

Please select one of the following options:

• I have NOT used any AI tool to generate the contents of this PR.
• I have used AI tools to generate the contents of this PR. I have verified
  the contents and I affirm the results. The LLM used is [llm name and version]
  and the prompt used is [your prompt here]. [Feel free to add more details if needed]

Thank you 😃

[mackowski]

I do not like structure of this cheatsheet, 50% is just API top 10 (we do not need to duplicate content from different OWASP project) and there is a lot of duplication from other cheatsheets.

[jmanico]

I do not like structure of this cheatsheet, 50% is just API top 10 (we do not need to duplicate content from different OWASP project) and there is a lot of duplication from other cheatsheets.

I hear you Mac. The goal here was to not duplicate content. #1865

[ZMelliti]

Thanks @mackowski and @jmanico for the feedback. The goal isn’t to duplicate content from the API Top 10 or other cheat sheets — rather, to complement them with practical, implementation-focused guidance. I’ll revise the structure to make that clearer and remove any overlapping sections.

[ZMelliti]

@mackowski, @jmanico I've restructured the cheat sheet to eliminate content duplication by adding an explicit scope section that separates enterprise patterns from existing OWASP sheets (Authentication/Authorization/API Top 10) and added new sections for API versioning security and performance considerations with concrete metrics. The sheet now serves as a complementary enterprise reference focused on multi-tenant isolation, federation, and gateway patterns without duplicating existing OWASP resources.