DEV Community

Ashok Sharma

10 no-brainer best practices that boost API security


APIs are becoming crucial to modern app development, so making sure that the data passing between your APIs is secure and not compromised is a priority.

Unfortunately, APIs face a number of threats such as SQL injection, cross-site scripting (XSS), distributed denial-of-service (DDoS), man-in-the-middle (MitM), and credential stuffing.

The best way to avoid these attacks and improve your API security is to follow some simple best practices.
So I compiled these no-brainer best practices and made this guide:

  • Prioritize security
  • Encrypt your data
  • Share as little as possible
  • Authentication
  • Limit the number of messages
  • Data validation
  • API firewalling
  • API gateway (API management)
  • Monitoring: Audit, log, and version
  • Infrastructure

1. Prioritize security
Always give priority to security checks.

Neglecting this is the biggest mistake most companies make. Scan your code regularly for security vulnerabilities, starting from the very beginning of development.

Do not procrastinate. Call in the experts or use ICAP (Internet Content Adaptation Protocol) servers to help you with security.

2. Encrypt your data
Most companies do not encrypt the data they send via APIs because they consider it additional work. Their excuses are that they are not handling sensitive data or that they only use the APIs internally.

However, this is a mistake.

Regardless of those excuses, you should always encrypt your payload data. Even if you are not routinely handling sensitive information such as credit card numbers, it is better for all the parties involved in the transaction to encrypt their data.

It would also make it harder for a hacker to extract information from your internal APIs during an attack. Therefore, it is always best to encrypt your data using the latest versions of either one-way TLS or two-way TLS encryption.

3. Share as little as possible
Always share the bare minimum of data that is required to perform a task.

This applies to what is shared in the payload as well as in error/success messages. Always use predefined messages. Do not display sensitive data in your messages.

Avoid storing customers' user credentials in JSON Web Tokens (JWTs) or cookies, as it is easy to decode them. Instead, adopt user roles and privileges to make sure unauthorized users cannot access information.
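To see why credentials do not belong in a JWT, the following added example (not code from the original post) signs a token and then reads its payload back without the key, and shows an issuing function that refuses credential-like claims. The claim denylist and the demo key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumed denylist of claim names that must never be placed in a token.
FORBIDDEN_CLAIMS = {"password", "passwd", "secret", "api_key", "card_number"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: the signature protects integrity only."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def read_claims_without_key(token: str) -> dict:
    """Decode the payload the way any holder of the token can: no key needed."""
    return json.loads(b64url_decode(token.split(".")[1]))


def issue_token(claims: dict, key: bytes) -> str:
    """Refuse to sign a token whose claims include credential-like fields."""
    leaked = sorted(name for name in claims if name.lower() in FORBIDDEN_CLAIMS)
    if leaked:
        raise ValueError(f"refusing to put {leaked} in a JWT")
    return sign_hs256(claims, key)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    bad = sign_hs256({"sub": "alice", "password": "hunter2"}, key)
    print(read_claims_without_key(bad))    # the password is readable by anyone
    good = issue_token({"sub": "alice", "roles": ["orders:read"]}, key)
    print(read_claims_without_key(good))   # only identity and roles
```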

In addition, you can restrict access to your resources by using IP safelisting and delisting.

Another crucial thing to remember is to remove all the keys and passwords that the developer used during development before deployment.

Again, scanning the code might help prevent such accidental exposure.

4. Authentication
Always use an authentication mechanism to identify who is requesting information and whom you send the information to. For example, use a basic authentication method such as username/password pair or an asymmetric API key to identify users.

Another way to handle this is to use a trusted third party like Google to manage authorization. These authorization tools provide users with a token to access the API without using their credentials.

In addition, they use the OAuth protocol to convey authorizations. You can also use OpenID Connect to ensure authentication. This is known as OAuth 2.0 with ID tokens.

5. Limit the number of messages
Limit the number of messages or requests consumed by your API for a given period of time.

This reduces the load your API can put on your application's backend, keeps it from exceeding your server's capacity, and helps protect it against distributed denial-of-service (DDoS) attacks.

You can extend this further by restricting access by API or by the user.
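One way to enforce such a limit per user and per API, as an added example that is not code from the original post: a sliding-window limiter that answers HTTP 429 with a `Retry-After` header once the quota for the period is used up. The class, the `handle` hook and the limits are assumptions.

```python
import math
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock                    # injectable so tests control time
        self.hits = defaultdict(deque)        # key -> timestamps of accepted requests

    def check(self, key):
        """Return (allowed, retry_after_seconds) for one request by `key`."""
        now = self.clock()
        stamps = self.hits[key]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()                  # forget requests outside the window
        if len(stamps) < self.limit:
            stamps.append(now)
            return True, 0
        # Denied: the oldest accepted request leaves the window at this time.
        return False, stamps[0] + self.window - now


def handle(limiter, user, api):
    """Hypothetical request hook: one quota per (user, api) pair."""
    allowed, retry_after = limiter.check((user, api))
    if allowed:
        return 200, {}
    return 429, {"Retry-After": str(math.ceil(retry_after))}


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=3, window=60)
    for _ in range(4):
        print(handle(limiter, "alice", "/orders"))   # the fourth call gets 429
```

When several API instances run behind a load balancer, the counters need to live in a store they all share, otherwise each instance grants its own quota.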

6. Data validation
Always validate your data, especially user input. Check that each value has the correct data type (string, integer, etc.) and does not contain unnecessary special characters such as single or double quotes.

You can do this by sanitizing your input before sending it to the API. You can also apply the validation and provide appropriate error messages to the user using the user interface to prevent users from submitting such data.

You can use JSON or XML schema validation to do this, and it will help prevent SQL injections or XML bombs.
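The checks described in this section, as an added example that is not code from the original post: a server-side validator for a request body followed by a parameterized insert, so that a quote that is legitimate in a free-text field is stored as data. The schema, table and function names are hypothetical, and the hand-written validator stands in for a JSON Schema library.

```python
import re
import sqlite3

# Hypothetical schema for a "create user" request body (names are assumptions).
SCHEMA = {
    "username": {"type": str, "pattern": r"[A-Za-z0-9_]{3,20}"},
    "display_name": {"type": str, "max_len": 50},
    "age": {"type": int, "min": 13, "max": 120},
}


def validate(body):
    """Return a sorted list of validation errors; an empty list means valid."""
    if not isinstance(body, dict):
        return ["body: must be a JSON object"]
    errors = [f"{name}: unknown field" for name in body.keys() - SCHEMA.keys()]
    for name, rule in SCHEMA.items():
        value = body.get(name)
        if type(value) is not rule["type"]:   # also rejects bool posing as int
            errors.append(f"{name}: missing or wrong type")
        elif "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{name}: disallowed characters or length")
        elif "max_len" in rule and not 0 < len(value) <= rule["max_len"]:
            errors.append(f"{name}: bad length")
        elif "min" in rule and not rule["min"] <= value <= rule["max"]:
            errors.append(f"{name}: out of range")
    return sorted(errors)


def new_db():
    """In-memory database with the table this example writes to."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT, age INTEGER)")
    return db


def create_user(db, body):
    """Validate first, then bind values as parameters; never build SQL by formatting."""
    errors = validate(body)
    if errors:
        return 400, errors                    # predefined messages, no echo of the input
    db.execute(
        "INSERT INTO users (username, display_name, age) VALUES (?, ?, ?)",
        (body["username"], body["display_name"], body["age"]),
    )
    return 201, []
```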

7. API firewalling
Another way to keep your attackers at bay is by introducing a firewall. For proper protection, you need to implement this in two layers:

  • First layer - This is in the DMZ or demilitarized zone, the logical subnet that separates a local area network (LAN) from external networks. Its main task is to validate the inputs, check message sizes, and prevent SQL injections or other threats in the HTTP layer. If the message is clean and secure, the first layer will forward it to the second layer.

  • Second layer - Applies advanced security mechanisms on data content, and it is in the Local Area Network (LAN).

8. API gateway (API management)
It does not matter how many APIs you are using.

Whether it is one or more, it is always better to invest in an API management solution to manage them.

Even if your APIs are not all built on the same technology, an API management dashboard will help you secure, control, and monitor your traffic.

It will also save you time and money, which you can use for another cause.

9. Monitoring: Audit, log, and version
You should always maintain logs of your APIs as they can provide valuable information for troubleshooting errors and help you identify vulnerabilities.

In addition, you can further analyze these logs to optimize your payloads and find users or APIs that make far too many calls and could cause a DDoS attack.

Also, remember to keep logs for all the versions of your APIs.
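A sketch of that log analysis, as an added example that is not code from the original post: it counts requests per client, API version and minute, and reports the combinations that exceed a threshold. The log format, the client names and the threshold are constructed for this example.

```python
import re
from collections import Counter

# Constructed log format: timestamp, API key id, API version, request, status.
LINE = re.compile(
    r"(?P<minute>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\dZ client=(?P<client>\S+) "
    r"api=(?P<version>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
)


def sample_log():
    """Constructed sample: key_B sends 40 requests in one minute, key_A sends 3."""
    lines = [f"2024-05-01T10:00:{s:02d}Z client=key_A api=v1 GET /orders 200" for s in (1, 20, 40)]
    lines += [f"2024-05-01T10:01:{s:02d}Z client=key_B api=v2 GET /orders 200" for s in range(40)]
    lines.append("corrupted line without the expected fields")
    return lines


def noisy_clients(lines, per_minute_limit):
    """Return ([(client, version, minute, count), ...], unparsed_line_count)."""
    counts, unparsed = Counter(), 0
    for line in lines:
        match = LINE.fullmatch(line.strip())
        if match is None:
            unparsed += 1                     # count bad lines, do not drop them silently
            continue
        counts[(match["client"], match["version"], match["minute"])] += 1
    flagged = sorted(
        (client, version, minute, n)
        for (client, version, minute), n in counts.items()
        if n > per_minute_limit
    )
    return flagged, unparsed


if __name__ == "__main__":
    flagged, unparsed = noisy_clients(sample_log(), per_minute_limit=30)
    for row in flagged:
        print(row)
    print("unparsed lines:", unparsed)
```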

10. Infrastructure
Making sure your API is meeting its security standard is not enough. You need to make sure your infrastructure is secure as well.

Run routine checks on your servers and load balancers and see whether the operating system and other software installed are up to date.

In addition to that, make sure that all the security patches are up to date as well.

As mentioned at the beginning, maintaining good API security is now an essential factor as there are many waiting to take advantage of your vulnerabilities.
However, if you are not sure where to start, follow these best practices from the top. They will help you secure data and win your customers' trust.
