In this article, we discuss API security and the importance of adopting security measures such as authentication, API keys, access control, and input validation.
The first step in API design is to document the interface.
A RESTful API, as defined by TechTarget, is an application program interface that uses HTTP requests to GET, PUT, POST, and DELETE data. On a technical level, RESTful APIs (also known as RESTful Web services) are based on Representational State Transfer (REST) technology, an architectural style and communication approach commonly used in Web services development.
But with the explosion of RESTful APIs, security is becoming one of the most overlooked aspects of API architecture design.
Why is API security important?
There are three core reasons why security should be an important consideration when designing and deploying RESTful APIs.
1. Data protection
RESTful APIs are a service that transmits value to the outside world. Therefore, protecting the data a RESTful API provides should always be a high priority.
2. DoS attacks
A denial-of-service (DoS) attack can put RESTful APIs into a non-functional state if the right security measures are not taken. Given that many RESTful APIs are open to everyone, this open approach helps an API get to market and attract more users, but it also means that if someone chooses to launch a DoS attack on the API, the results can be disastrous.
3. Business impact
Today, there are more and more service platforms that provide information about everything from airplane and flight schedules to high-speed rail tickets, and even everyday items in supermarkets. They can provide you with price, quantity, time and other information so that you can buy the goods you want most without leaving home. Following this trend, there will be more and more aggregating service platforms that use API data to bring more information to you. As a result, the information transmitted through RESTful APIs is requested very frequently, and personal information can easily be compromised.
Measures taken to ensure security
Here are some key concepts in the general design of RESTful APIs.
1. Session management and authentication
Aside from using TLS/HTTPS, the most important layer of security for RESTful APIs centers around session management and authentication. This discussion focuses on API keys, OpenID Connect/OAuth2/SAML, and session state.
2. API keys
The concept of an API key is to provide a consumer with a unique string (key) that they send as part of their HTTP request. While not a complete security solution, using API keys gives a much clearer picture of who is using the API than allowing anonymous use.
API keys can also be used to provide additional services. For example, a RESTful API can offer different service levels keyed to different API keys. Take three levels, “average”, “high”, and “highest”, as an example. At the “average” level, users have free access, but only to a limited set of data. To access more groups of data, they pay a fee for the “high” level, and so on; unrestricted access to all data requires paying for the “highest” level. Issuing a different API key for each level is how these additional services are provided.
The most common way to use API keys is to include them in the request header.
For example, a call to the widgets API with the API key 67A73DD1BD1D90210BA sets the X-api-key key/value pair in the HTTP header:
curl -H "X-api-key: 67A73DD1BD1D90210BA" https://www.example.com/v1/widgets
Another common use of an API key is to include the key in the URI:
www.example.com/v1/widgets?… 67a73dde1bdd1d90210ba
The problem with this approach, however, is that the API key shows up in both the browser history and the corresponding server logs, meaning that the unique key is disclosed to everyone who has access to that data.
3. OpenID Connect, OAuth2 and SAML
OpenID Connect, OAuth2, and SAML use the HTTP protocol as transport for security purposes. Authentication establishes the identity of an individual, while authorization is the task of granting or revoking access.
From an authentication perspective, there are the following options:
- OpenID Connect: You can leverage an existing identity provider (such as Google or Facebook) to obtain a token that authenticates the user.
- OAuth2: Pseudo-authentication can be performed through authorization (described below).
- SAML: Uses assertions, protocols, bindings, and profiles to manage authentication, including identity providers, but is less suitable for mobile application authentication.
To provide authorization services, adopt the following policies:
- OAuth2: Provides secure delegated access by allowing third-party identity providers to issue tokens that perform actions on behalf of the user. Because OAuth2 must know who the delegating user is, authentication is implemented in a pseudo manner (as described above).
- SAML: Performs assertions against trusted services, including issuing authorization tokens.
4. Session state matters
RESTful API endpoints should always be stateless, which means that all session state must be stored on the client. Each request from the client must contain all the information necessary for the server to understand the request. To simplify this, both an API token and a session token are required as part of every transaction.
5. Access control
As mentioned above, authorization of RESTful services can add security to the provided endpoints in order to limit who can make HTTP DELETE requests to the API.
6. Rate limit
As mentioned above, API keys are a useful strategy for determining the service level of a RESTful API user. In addition to providing level identification, another benefit of using API keys is the ability to limit use of the API. API management solutions such as Tibco Mashery, MuleSoft, and Dell Boomi allow you to limit API requests by API key. As a result, attempts to execute a DoS attack (intentional or unintentional) will reach a set threshold, after which all subsequent requests are rejected.
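The following is an added example, not code from the original article, that ties the API-key and rate-limiting sections together: a small gateway check that reads the key from the X-api-key header only (keys in the URI leak into logs, as noted above), maps it to one of the article's service tiers, and rejects requests once a per-key sliding-window threshold is reached. The key store, tier quotas and window length are assumed values constructed for the example.

```python
from collections import deque
from typing import Deque, Dict, Optional, Tuple

# Constructed key store mapping each API key to its service tier (tier names from the
# article). The key values are placeholders, not real credentials.
API_KEYS: Dict[str, str] = {
    "67A73DD1BD1D90210BA": "average",
    "KEY-HIGH-PLACEHOLDER": "high",
}
# Assumed quotas: requests allowed per key in a 60-second sliding window, by tier.
QUOTA_PER_MINUTE: Dict[str, int] = {"average": 3, "high": 100, "highest": 10_000}
WINDOW_SECONDS = 60.0

class RateLimiter:
    """Sliding-window counter per API key; the clock is injected so it can be tested."""

    def __init__(self) -> None:
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, limit: int, now: float) -> bool:
        window = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= limit:
            return False  # threshold reached: reject without recording the hit
        window.append(now)
        return True

def api_key_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Read the key from the X-api-key header only (header names are case-insensitive);
    keys in the query string are deliberately ignored because they leak into logs."""
    for name, value in headers.items():
        if name.lower() == "x-api-key":
            return value.strip() or None
    return None

def authorize(headers: Dict[str, str], limiter: RateLimiter, now: float) -> Tuple[int, str]:
    """Gateway decision for one request: (HTTP status, reason)."""
    key = api_key_from_headers(headers)
    if key is None:
        return 401, "missing X-api-key header"
    tier = API_KEYS.get(key)
    if tier is None:
        return 403, "unknown API key"
    if not limiter.allow(key, QUOTA_PER_MINUTE[tier], now):
        return 429, f"rate limit exceeded for tier '{tier}'"
    return 200, f"ok (tier '{tier}')"
```

Because rejected requests are not recorded, a client that keeps hammering the endpoint after hitting 429 does not extend its own lockout; the window simply drains as the earlier accepted timestamps age out.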
7. Input validation and HTTP return codes
Always consider validating input when protecting RESTful APIs. For example, if a user tries to POST an address-related JSON data set, the service behind the RESTful endpoint should validate the data and use an HTTP return code to reflect the correct status. In the simplified Java example below, a very basic AddressService is called to verify and save the address:
In the example above, the newAddress object (unmarshaled from JSON into the Address Java object) is validated using the isValidAddress() method. If the address is not valid, an HTTP 401 error code is returned to the user with the text “Invalid address provided.” If the address is considered valid, convertAddress() performs the necessary operations and then returns a JSON-formatted string containing the address contents to the user, along with an HTTP 201 (Created) return code.
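As an added example (not the article's Java code), the same validate-then-respond pattern written in Python: the handler parses the JSON body itself, rejects anything that is not an object with the expected string fields, and maps the outcome to an HTTP status and JSON body, using 400 (Bad Request) for invalid input and 201 (Created) on success. The address field names, length limit and format rules are assumptions constructed for this example.

```python
import json
import re
from typing import Any, Dict, Tuple

# Assumed address schema; the field names are constructed for this example.
REQUIRED_FIELDS = ("street", "city", "postal_code", "country")
MAX_FIELD_LEN = 100
POSTAL_CODE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 -]{2,9}$")
COUNTRY_RE = re.compile(r"^[A-Za-z]{2}$")  # two-letter country code

def is_valid_address(addr: Any) -> bool:
    """Stand-in for isValidAddress(): check shape, types, lengths and formats server-side."""
    if not isinstance(addr, dict):
        return False  # e.g. a JSON array or scalar instead of an object
    for field in REQUIRED_FIELDS:
        value = addr.get(field)
        if not isinstance(value, str) or not value.strip() or len(value) > MAX_FIELD_LEN:
            return False
    if not POSTAL_CODE_RE.match(addr["postal_code"]):
        return False
    return COUNTRY_RE.match(addr["country"]) is not None

def convert_address(addr: Dict[str, str]) -> Dict[str, str]:
    """Stand-in for convertAddress(): keep only the known fields and normalise them."""
    out = {field: addr[field].strip() for field in REQUIRED_FIELDS}
    out["country"] = out["country"].upper()
    return out

def handle_create_address(raw_body: str) -> Tuple[int, str]:
    """Handle POST /addresses: return (HTTP status, JSON response body)."""
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, json.dumps({"error": "Malformed JSON body"})
    if not is_valid_address(payload):
        return 400, json.dumps({"error": "Invalid address provided"})
    return 201, json.dumps(convert_address(payload))
```

Note that unknown fields in the request are dropped rather than echoed back, so the response never reflects attacker-controlled keys the service did not ask for.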
Conclusion
Securing RESTful APIs should always be at the top of your API design list. The risks associated with not protecting sensitive data, allowing DoS attacks, and not considering the business impact of using RESTful APIs, even if only temporary, can easily put an enterprise at a disadvantage.
Authorization and authentication provide the necessary security for RESTful APIs, and implementing an API key policy can effectively protect RESTful APIs at the lowest cost. Input validation should always be part of a RESTful API, as there is no guarantee that the API will perform any necessary validation later, and the result returned to the client should use the appropriate HTTP return code, not just the success (200) or error (404) status codes.
In addition to securing the API, it is important to keep track of how the API behaves over time. I recently discovered a new tool, EOLINKER, which is itself an API development management service; for work reasons I have been using another of their products, API monitoring. The biggest change is being able to check at any time whether an interface has errored and, if so, where the error is, which is much more efficient than before. Partners interested in API management, monitoring and the like can take a look: www.eolinker.com
Have you ever used RESTful APIs? What about RESTful API security? Let me know in the comments below.
Original title: RESTful API Security
By John Vester
Original address: Dzone.com/articles/re…