You are a hardworking developer and you create an exceptional application, spending millions of hours and hours designing the framework so that it can be easily used by other developers and clients. Your API is successfully interacting between your microservices, and then fear sets in and you’re confronted with your colleagues and superiors.
REST API service
Public API
A public API allows resources to be made public on the Internet prices or product are resources available on your site for non-authenticated users. Even though the resource is public, I strongly recommend using an API key to limit the possibility of abuse.
Private API
An private API is intended only for use within a company, to connect systems and data within an enterprise. The internal API can provide information about users on the platform and this data must be accessible only to the owners.
AAA secure REST API basics
Authentication
Authentication is used to determine who called the Rest api endpoint.
Authorization
Authorization occurs after the user authenticates; authorization deals with which resources the caller can use.
Since each HTTP call is handled independently, each time your application receives a call, you will need to decide whether the caller is allowed to use that particular resource.
Responsibility
Accountability is about who did what, when and with what resources.
Common ways to strengthen REST API security
Least privileges
A subject should have only the required set of privileges to perform the actions it is authorized to do, and no more.
Use encryption
Use a signature. Passwords must always be hashed to protect your organization. Using signatures helps ensure that your data is decrypted and modified by authorized users and no one else.
Keep it simple
Try to keep your API as simple as possible to avoid misunderstandings and ensure good security implementation
Verification of input parameters
Validate the request parameters at the very first step before it reaches the application logic. In the API response, send appropriate error messages and examples of the correct input format to improve the user experience.
Identify vulnerabilities
Keep up with your operating system, network, drivers and API components. Find out how everything works together and identify weak points that could be used to break your APIs.
Use quotas and rate caps
Multiple calls to the API may indicate that it is being abused. It could also be a programming error, such as an API call in an infinite loop. Create throttling rules to protect your APIs from spikes and Denial-of-Service attacks.
Use API gateway
API Gateways act as the main enforcement point for API traffic. A good gateway will allow you to authenticate traffic as well as manage and analyze how your APIs are being used. Integrate a web application firewall to detect malicious content.
Conclusion
It is important to understand that APIs are a new battlefield, bringing new exploits that are being thought of every day.
Discussion about this post