With the increasing demand for data-centric projects, companies have quickly opened their data to their ecosystem through SOAP or REST APIs. APIs are the doors to a company's closely guarded data, which creates the following challenge: how can we keep the doors open for the ecosystem and sealed off from hackers at the same time?
API security best practices: 12 simple tips to secure your APIs.
1. Encryption
Be cryptic. Nothing should be in the clear, for internal or external communications.
You and your partners should cipher all exchanges with TLS (the successor to SSL), whether it is one-way encryption (standard one-way TLS) or even better, mutual encryption (two-way TLS).
Use the latest TLS versions to block the usage of the weakest cipher suites.
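As an added example (not part of the original article), the following Python `ssl` configuration applies the policy of this tip: legacy protocol versions refused on both sides, and two-way TLS when a client CA is supplied. The certificate and key file paths are parameters the deployment supplies; nothing here is project-specific.

```python
import ssl

def harden(ctx: ssl.SSLContext, mutual: bool) -> ssl.SSLContext:
    """Apply the policy from the tip above: no legacy protocol versions and,
    for two-way TLS, a mandatory peer certificate."""
    # Refusing TLS 1.0/1.1 handshakes also removes the weakest cipher suites
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION       # TLS compression leaks secrets via length
    if mutual:
        ctx.verify_mode = ssl.CERT_REQUIRED    # peer must present a trusted certificate
    return ctx

def server_context(certfile, keyfile, client_ca=None) -> ssl.SSLContext:
    """API-provider side. Pass client_ca to require client certificates (two-way TLS)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    harden(ctx, mutual=client_ca is not None)
    ctx.load_cert_chain(certfile, keyfile)
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)   # only clients signed by this CA
    return ctx

def client_context(server_ca, certfile=None, keyfile=None) -> ssl.SSLContext:
    """API-consumer side. PROTOCOL_TLS_CLIENT already verifies the server cert and hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    harden(ctx, mutual=True)
    ctx.load_verify_locations(cafile=server_ca)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)       # present our own cert for two-way TLS
    return ctx

def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the effective policy so it can be checked at startup or in a test."""
    return {"min_version": ctx.minimum_version.name,
            "client_cert": "required" if ctx.verify_mode == ssl.CERT_REQUIRED else "none",
            "compression": not bool(ctx.options & ssl.OP_NO_COMPRESSION)}

def policy_for(mutual: bool) -> dict:
    """Build and describe a server policy without touching key material."""
    return describe(harden(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER), mutual))
```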
2. Authentication
Don’t talk to strangers. You should always know who is calling your APIs, at least through an API key (asymmetric key) or basic access authentication (user/password), to make your system harder to attack.
3. OAuth & OpenID Connect
Delegate all Responsibility. A good manager delegates responsibility and so does a great API. You should be delegating authorization and/or authentication of your APIs.
What is OAuth? It is a magical mechanism preventing you from having to remember ten thousand passwords. Instead of creating an account on every website, you can connect through another provider’s credentials, for example, Facebook or Google. For APIs, it works the same way: the API provider relies on a third-party server to manage authorizations. The consumer doesn’t give their credentials but instead gives a token provided by the third-party server. It protects the consumer as they don’t disclose their credentials, and the API provider doesn’t need to care about protecting authorization data, as it only receives tokens.
OAuth is a commonly used delegation protocol to convey authorizations. To secure your APIs even further and add authentication, you can add an identity layer on top of it: this is the OpenID Connect standard, which extends OAuth 2.0 with ID tokens.
4. Call Security Experts
You should use proven antivirus systems or ICAP (Internet Content Adaptation Protocol) servers to help you scan the content passing through your APIs.
5. Monitoring: Audit, Log and Version
Be a stalker. You need to be ready to troubleshoot when something goes wrong: audit and log relevant information on the server, and keep that history for as long as your production servers’ capacity reasonably allows. Turn your logs into resources for debugging in case of any incident. Monitoring dashboards are also highly recommended tools to track your API consumption.
Do not forget to add the version on all APIs, preferably in the path of the API, so that several versions can run at the same time and so that you can retire and deprecate one version in favour of another.
6. Share as Little as Possible
Be paranoid. Display as little information as possible in your answers, especially in error messages. Lock down email subjects and content to predefined messages that can’t be customized. Because IP addresses can give away locations, keep them to yourself. Use an IP whitelist and IP blacklist, if possible, to restrict access to your resources. Limit the number of administrators, separate access into different roles, and hide sensitive information in all your interfaces.
7. System Protection with Throttling and Quotas
Throttle yourself. You should restrict access to your system to a limited number of messages per second, to protect your backend system bandwidth according to your servers’ capacity.
You should also restrict access per API and per user (or application), to be sure that no one can abuse the system or any one API in particular.
Throttling limits and quotas, when well set, are crucial to prevent attacks from different sources flooding your system with multiple requests (DDoS, distributed denial of service).
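The following Python throttler is an added example written for this article, not code from any API management product. It combines the two controls described above: a token bucket per (API, consumer) pair for the per-second limit, and a per-day quota per consumer. The policy values and the fake clock in `simulate()` are constructed for illustration.

```python
import time
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Policy:
    rate_per_sec: float   # sustained requests per second (throttling)
    burst: int            # short bursts tolerated before throttling kicks in
    daily_quota: int      # hard cap per consumer per calendar day (UTC)

class Throttler:
    """Token bucket per (api, consumer) plus a per-day quota."""
    def __init__(self, policies, clock=time.time):
        self.policies = policies         # api name -> Policy
        self.clock = clock               # injectable for deterministic tests
        self.buckets = {}                # (api, consumer) -> (tokens, last_refill)
        self.used = defaultdict(int)     # (api, consumer, day) -> requests served

    def allow(self, api, consumer):
        pol = self.policies[api]
        now = self.clock()
        key = (api, consumer)
        tokens, last = self.buckets.get(key, (float(pol.burst), now))
        # Refill proportionally to elapsed time, never beyond the burst capacity
        tokens = min(pol.burst, tokens + (now - last) * pol.rate_per_sec)
        day_key = (api, consumer, int(now // 86400))
        if tokens < 1:
            verdict = "429 throttled"            # too fast: protect backend bandwidth
        elif self.used[day_key] >= pol.daily_quota:
            verdict = "429 quota exceeded"       # too much: one consumer cannot hog the API
        else:
            tokens -= 1
            self.used[day_key] += 1
            verdict = "200 ok"
        self.buckets[key] = (tokens, now)
        return verdict

def simulate():
    """Replay a constructed burst against a 2 req/s, burst 3, 5/day policy with a fake clock."""
    clock = [1_700_000_000.0]                    # constructed fixed timestamp
    t = Throttler({"orders": Policy(2.0, 3, 5)}, clock=lambda: clock[0])
    out = [t.allow("orders", "app-a") for _ in range(4)]   # 3 pass, 4th throttled
    out.append(t.allow("orders", "app-b"))                 # separate bucket, passes
    clock[0] += 1.0                                        # 1 s refills 2 tokens
    out += [t.allow("orders", "app-a") for _ in range(3)]  # 2 pass, 3rd throttled
    clock[0] += 10.0                                       # bucket full again ...
    out.append(t.allow("orders", "app-a"))                 # ... but app-a hit its daily quota
    return out
```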
8. Data Validation
Be picky and refuse surprise gifts, especially if they are big. You should check everything your server accepts. Be careful to refuse any added content, data that is too big, and always check the content that consumers are sending you. Use JSON or XML schema validation and check that your parameters are what they should be (string, integer…) to prevent any SQL injection or XML bomb.
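As an added example for this tip (not code from the original article), here is a strict request-body validator in Python that does what the paragraph asks: refuse oversized payloads before parsing, refuse any field not in the schema, and check each value's type and format. The `/orders` schema and the size limit are constructed for illustration.

```python
import json
import re

MAX_BODY_BYTES = 4096   # constructed limit: refuse oversized payloads before parsing them

# Constructed schema for a hypothetical POST /orders body: field -> (type, extra check)
ORDER_SCHEMA = {
    "sku":      (str, re.compile(r"[A-Z0-9-]{3,32}").fullmatch),
    "quantity": (int, lambda v: 1 <= v <= 1000),
    "note":     (str, lambda v: len(v) <= 200),
}
REQUIRED = {"sku", "quantity"}

def validate_order(raw: bytes):
    """Return (clean_body, None) on success or (None, reason) on rejection.
    Every branch refuses the request instead of trying to repair it."""
    if len(raw) > MAX_BODY_BYTES:
        return None, "payload too large"
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None, "malformed JSON"
    if not isinstance(body, dict):
        return None, "expected JSON object"
    if set(body) - set(ORDER_SCHEMA):
        return None, "unexpected field(s)"          # "added content" is refused outright
    if REQUIRED - set(body):
        return None, "missing required field(s)"
    for name, (typ, check) in ORDER_SCHEMA.items():
        if name not in body:
            continue
        value = body[name]
        # bool is a subclass of int in Python, so `true` would otherwise pass as an integer
        if isinstance(value, bool) or not isinstance(value, typ):
            return None, f"{name}: expected {typ.__name__}"
        if not check(value):
            return None, f"{name}: out of range or bad format"
    return body, None
```

The rejection reasons are deliberately short, in keeping with tip 6: they name the offending field but never echo the submitted value back to the caller.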
9. Infrastructure
Network and be up to date. A good API should rely on a secure network, sound infrastructure and up-to-date software (for servers, load balancers) to be solid and always benefit from the latest security fixes.
10. OWASP top 10
Avoid wasps. The OWASP (Open Web Application Security Project) Top 10 is a list of the 10 worst vulnerability classes, ranked according to their exploitability and impact. In addition to the above points, when reviewing your system, make sure you have addressed all of the OWASP Top 10 vulnerabilities.
11. API Firewalling
Build a wall. For some people, building a wall can solve all the immigration problems. This is the case, for APIs at least! Your API security should be organized into two layers:
- The first layer is in the DMZ, with an API firewall to execute basic security mechanisms like checking the message size, SQL injections and any security based on the HTTP layer, blocking intruders early. It then forwards the message to the second layer.
- The second layer is in the LAN, with advanced security mechanisms on the content of the data.
12. API Gateway (API Management)
Gateway to heaven. All the above mechanisms take a long time to implement and maintain. Instead of reinventing the wheel, you should opt for a mature and performant API Management solution with all these options, to save your money, time and resources and shorten your time to market. An API Gateway will help you secure, control and monitor your traffic. In addition to helping you secure your APIs easily, an API Management solution will help you make sense of your API data, to take technical and business decisions: the key to success!
Now you know more about the basic mechanisms to protect your APIs! Have fun securing your APIs, hopefully with a great API Management solution.