- Endpoints without authentication (missing authorizer)
- API keys used as the only access control (API Gateway API keys exist for usage plans and metering, not authentication; they also leak easily through access and proxy logs, client-side code and, when passed as a query string parameter, browser history)
- Missing request validation (body, query string, headers)
- Overly permissive CORS configuration (wildcard `Access-Control-Allow-Origin`)
- Missing rate limiting/throttling (no stage- or method-level limits, so only the account-wide default applies)
- Stage variables containing secrets (stage variables are plain configuration readable by anyone who can describe the stage, not a secrets store)
- WAF rules
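The checklist above can be turned into an audit script. The following is an added example, not code from the original page: it walks the dict shapes that boto3's `apigateway.get_resources(restApiId=..., embed=['methods'])` and `apigateway.get_stage(...)` return and flags missing authorizers, API-key-only methods, missing request validators, wildcard CORS origins, absent throttling and secret-looking stage variables. The `SAMPLE_RESOURCES` and `SAMPLE_STAGE` inputs are constructed inline so the script runs offline; `fetch_snapshot` is an assumed helper showing how the same data would be pulled from a live account (it does not handle `get_resources` pagination).

```python
"""Audit an API Gateway REST API snapshot against the misconfiguration checklist.

Added example; input shapes follow boto3 responses but the data below is constructed.
"""
import re

# Stage-variable names that suggest a credential is being stored in plain config.
SECRET_NAME = re.compile(r"secret|passw|token|api[_-]?key|private|credential", re.I)
# Values that look like opaque keys/tokens (long, single-charset strings).
SECRET_VALUE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
CORS_ORIGIN_PARAM = "method.response.header.Access-Control-Allow-Origin"


def audit_methods(resources):
    """resources: the 'items' list from get_resources(..., embed=['methods']).

    Returns (path, verb, finding) tuples.
    """
    findings = []
    for res in resources:
        path = res.get("path", "/")
        for verb, method in sorted(res.get("resourceMethods", {}).items()):
            if verb != "OPTIONS":  # CORS preflight is unauthenticated by design
                if method.get("authorizationType", "NONE") == "NONE":
                    # API keys only attach a usage plan; they do not authenticate the caller.
                    kind = "api-key-only" if method.get("apiKeyRequired") else "no-authorizer"
                    findings.append((path, verb, kind))
                if not method.get("requestValidatorId"):
                    findings.append((path, verb, "no-request-validator"))
            # Wildcard origin on any integration response of this method.
            integration = method.get("methodIntegration", {})
            for resp in integration.get("integrationResponses", {}).values():
                origin = resp.get("responseParameters", {}).get(CORS_ORIGIN_PARAM, "")
                if origin.strip("'\"") == "*":
                    findings.append((path, verb, "cors-wildcard-origin"))
    return findings


def audit_stage(stage):
    """stage: the dict returned by get_stage(restApiId=..., stageName=...)."""
    findings = []
    throttled = any(
        s.get("throttlingRateLimit") is not None or s.get("throttlingBurstLimit") is not None
        for s in stage.get("methodSettings", {}).values()
    )
    if not throttled:
        findings.append(("stage", stage.get("stageName", "?"), "no-throttling"))
    for name, value in stage.get("variables", {}).items():
        if SECRET_NAME.search(name) or SECRET_VALUE.fullmatch(value):
            findings.append(("stage-variable", name, "secret-in-stage-variable"))
    return findings


def fetch_snapshot(rest_api_id, stage_name):
    """Assumed helper: pull live data with boto3 (imported lazily so the example runs offline)."""
    import boto3  # assumption: credentials and region come from the environment
    client = boto3.client("apigateway")
    resources = client.get_resources(restApiId=rest_api_id, embed=["methods"])["items"]
    stage = client.get_stage(restApiId=rest_api_id, stageName=stage_name)
    return resources, stage


# Constructed sample data shaped like the boto3 responses.
SAMPLE_RESOURCES = [
    {"path": "/users", "resourceMethods": {
        "GET": {"authorizationType": "NONE", "apiKeyRequired": False},
        "POST": {"authorizationType": "COGNITO_USER_POOLS", "requestValidatorId": "abc123"},
        "OPTIONS": {"authorizationType": "NONE", "methodIntegration": {
            "type": "MOCK",
            "integrationResponses": {"200": {"responseParameters": {CORS_ORIGIN_PARAM: "'*'"}}},
        }},
    }},
    {"path": "/admin", "resourceMethods": {
        "DELETE": {"authorizationType": "NONE", "apiKeyRequired": True, "requestValidatorId": "abc123"},
    }},
]
SAMPLE_STAGE = {
    "stageName": "prod",
    "methodSettings": {},  # no stage/method throttling configured
    "variables": {"dbPassword": "hunter2", "backend": "https://internal.example.invalid"},
}


def run_sample():
    return audit_methods(SAMPLE_RESOURCES) + audit_stage(SAMPLE_STAGE)


if __name__ == "__main__":
    for scope, name, finding in run_sample():
        print(f"{finding:28} {scope} {name}")
```

Findings are deliberately coarse (a finding name plus where it applies) so the output can be diffed between stages or fed into a ticketing pipeline; the wildcard-origin check looks at integration responses because that is where API Gateway REST APIs set CORS headers.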