Rest API security

Good morning everyone, I’m working on the security of the Rest APIs, but I’m confused about the limits between the security of the API and the security of the Backend. I would also like to know if it’s the same thing API and Backend. In most of the documents I consulted, when we talk about the security of an API, we refer to the authorization system (Oauth1, Oauth2). but what about injections, CSRFs, XSS DoS attacks and others? These last do not concern the APIs?