API security is one of the most important aspects you need to take care of in almost any application.
Nowadays, APIs are the best way to integrate your application with other applications. They provide a gateway to your application, and thus, the APIs need to be secure enough so that you get no unwanted visitors.
Let’s look at some API vulnerabilities which can be a threat to your application.
Common API vulnerabilities
#1. Cross-site scripting (XSS)
XSS attacks are common in web applications but can also occur through APIs if the incoming user data is not properly sanitized. Attackers can run malicious scripts on the server and get access to sensitive data.
#2. Rate Limiting Violation
The violation of the rate-limiting feature of the API can give attackers the chance to bombard your server with a huge number of requests. Eventually, the server might crash, and your customer base might have difficulty reaching you.
#3. Improper Authentication
If the API is not properly configured using a reliable authentication method, any third party can access your system through the API. Authorization is also important because it defines who can access which API resource until a specified amount of time.
#4. Insecure Data Transmission
The data which is sent to the consumers of your API must be encrypted on the way. If it’s not, then there are chances that the data might get leaked by attackers using a man-in-the-middle attack. That’s why it’s always recommended to use a secure protocol such as HTTPS to transmit data.
#5. Deprecated/Outdated Dependencies
APIs have a lot of external dependencies that are used to carry out complex tasks and to offload some complex logic. If those dependencies have a vulnerability, then indirectly, your API also becomes vulnerable. Always make sure to update the dependency versions.
Now that you know API vulnerabilities, let’s look at some best practices to secure your API.
It is crucial to regularly monitor and update your APIs with updated dependencies, as those dependencies might contain major vulnerabilities. You can notify the API users by releasing a patch version of the API according to the semantic versioning.
Keeping your API up to date is the least you can do to prevent it from being exploited by attackers.
There are a bunch of ways in which you can authenticate an API user. The simplest way is to use the username/password approach, but that’s too basic and just relies on how strong the password is.
Another way is to use API keys to access the API. You can provide each API user with a unique key that they can use.
JWT authentication is a technique in which the user credentials are converted to a digitally signed token and then sent to the user. The user then sends the same token back on each request to the server for the server to validate. JWTs also have an expiration time.
The most effective solution is OAuth. It allows third-party access to API with already existing login credentials. For example, if you are already signed in to Google, an application can use those credentials to sign in to your account without needing a password. Your Google account becomes the password.
Authorization is a different thing than authentication. While you authorize a user, they are already authenticated to use your API, and it’s just that which API resource they can access.
For example, a university professor may have access to all of the students in a batch, but a single student can only access their data. In this case, the student and the professor are authenticated to the same system but are only authorized to do certain actions.
Ensuring the API authorization works well can prevent unauthorized access to a resource.
Data redaction is the process of selectively revealing information to users and protecting sensitive information. Proper authorization can lead to better data redaction. Data privacy regulations such as GDPR are also based on data redaction. Any unwanted third party should be unable to peek into personal or sensitive data.
You can implement data reaction by implementing a middleware or a gateway manager.
This has become the most important security check in today’s world. Encryption is a must if you are dealing with any kind of sensitive information. The least encryption you can do is by using HTTPS protocol, which uses TLS (Transport Layer Security) handshake and SSL (Secure Socket Layer).
End-to-end encryption is another way to tightly secure the data in transit. The data which is stored in the database should also be encrypted in case where an attacker might be able to break into the database and access the data.
Information about the application’s infrastructure can be leaked to attackers via detailed error messages. To avoid that, keep the error messages generic and implement custom error handling. Make sure that no sensitive system information is logged to the error details.
Input Validation and Data Sanitization
Input validation is highly crucial when dealing with APIs because you don’t know the input until the user sends it in.
Improper sanitization can lead to Cross-site scripting (XSS) attacks.
Intrusion Detection Systems
Also known as IDS, Intrusion Detection Systems help in monitoring and detecting network traffic coming to the API. If it finds any unusual behavior in the traffic, it can log and alert the concerned authorities.
Generally, there are two types of systems: network-based and host-based. In network-based systems, the system is distributed among different checkpoints to monitor the traffic at multiple points. In a host-based system, it’s deployed to a single host.
Such systems are a great way to determine who is trying to access your network before they hamper your data.
IP whitelisting is a way to allow only selected IP addresses to access your API and your network. This technique may not work if you have a public API because it is too complex to list every IP.
It is beneficial if you know only some of the applications of systems are going to access your API.
JSON Web Tokens
JWTs are generally used to authenticate a user by sending the user a digitally signed token created from their credentials. It works because it hides the actual credentials of the user, and you also don’t need to store the credentials in the database or on the user side.
The JWT can be divided into three sections: header, payload, and signature. The payload section contains the user credentials, and the header can contain information such as the algorithm used. The signature section is digitally signed by the server and the client on each subsequent request.
JWTs generally have an expiration date, after which a new token is generated by the server and then sent to the user.
Logging and Monitoring
Monitoring the traffic to your API can be beneficial to detect and identify unwanted visitors beforehand. You can monitor each and every request, but make sure that the logs don’t contain any sensitive information.
If an API doesn’t implement rate limiting, it is vulnerable to DDoS attacks because of the unexpected influx of network traffic. Attackers can flood the system with a huge number of requests in a small amount of time, eventually crashing the server.
Throttling and rate-limiting APIs avoid denial-of-service attacks by restricting the flow of API traffic.
Vulnerabilities don’t only emerge from your API code, they can also be a part of any third-party dependencies that you might be using in your API. That’s why it’s important to regularly monitor and scan your dependencies and detect any vulnerabilities that might be present in them.
You can implement a scheduled job to regularly scan and update dependencies if they can be updated with a patch version fixing the vulnerability. Also, choose dependencies that are more secure and provide frequent security updates.
Security headers should be returned with the API response to instruct the browser about the API security and how it should act. Important headers you can send to improve security are:
Cache-Control: Set it to no-store to avoid storing sensitive information in the browser.
Content-Security-Policy: Setting it to frame-ancestors 'none' avoids framing API responses in an iframe.
Content-Type: This header is important because without it, the browser tries to guess the type of the API response, and it can lead to sniffing attacks. For JSON response, you can set it to application/json.
X-Content-Type-Options: Set it to nosniff to instruct the browser not to guess the MIME type of the response and to look for it in the Content-Type header only.
Security Standards and Frameworks
Design your API with the help of pre-defined security standards and frameworks to ensure your API is up to date with the latest security considerations.
If you are using bearer tokens, the token expiry time should be short-lived because it requires re-authentication of the user, which is a good thing. In JWT, there are usually two tokens: access and refresh tokens. Refresh tokens are long-lived, while access tokens are short-lived. In any case, your tokens should have an expiry time.
Web Application Firewall
A WAF, a.k.a Web Application Firewall, is a gateway that monitors, filters, and blocks any malicious network traffic. It is often the best way to prevent malicious attacks through HTTP protocol.
Using API Gateways
If you want to easily set up API security and manage API routes and their access, you can go for API gateways. They also provide monitoring, logging, and analytics tools, which you can use to monitor your API.
The idea behind the zero-trust strategy is not to trust any centralized source. The security should be layered and implemented at multiple checkpoints.
Basically, no one can be trusted, even the developers working on the API. Each and every gateway should be monitored and analyzed to prevent security breaches.
Automation comes in handy in such cases. You can use automated tools to regularly monitor and block unusual or suspicious activity.
You can only do so much to keep your APIs secure. There are always some loopholes in software that can be exploited. Such loopholes result in zero-day vulnerabilities. So, to secure your APIs, the least you can do is keep them updated with the latest security standards.
Google Docs does a great job of keeping things simple. The default page setup works great for most documents, and common formatting options are right on the toolbar. However, when you need to do some advanced formatting, you’ll need to dig a little deeper.