
Rey Riel

Originally published at citadelid.com

Quick tips for securing your API

Here at Citadel we deal with payroll data. Important data. Private data. When dealing with private data, your users need to know that you’re keeping their data safe for as long as you have it in your control. Encrypting data when it’s stored keeps it safe at rest, but what about in transmission? When you give users access to their data, how do you ensure it stays protected? Here are some quick tips that we employ at Citadel with our APIs and that we think you can use as well.

Use SSL/TLS

It’s a pretty straightforward concept that is now an industry standard anybody can implement. Make sure your API uses an SSL/TLS connection when sending and receiving data. What is SSL/TLS? SSL stands for Secure Sockets Layer and TLS stands for Transport Layer Security. TLS is the successor to SSL and the two names are often used interchangeably; in essence they are protocols that encrypt and authenticate data transfer between two systems.

By using SSL/TLS you keep the data exchanged between your API and the system sending or receiving it encrypted in transit, from one end of the connection to the other. In the past adoption was slow, mostly due to implementation effort and cost, but with services like Let’s Encrypt now offering free certificates there’s really no reason not to have SSL/TLS implemented with your API.

Here at Citadel we ensure all data across all our applications and APIs is encrypted with SSL/TLS v1.2+, and we redirect any non-encrypted traffic to the correct location or decline it. To us, encryption is fundamental in all web applications, particularly ones dealing with sensitive data like payroll information.

Properly Implement CORS

CORS stands for Cross-Origin Resource Sharing and it’s an important part of security when managing an API. To put it in simple terms, when a webpage makes a request to an API, the user’s browser will first send what’s called a “preflight” request, telling the API server what headers it will be sending (including what domain the request is coming from) and what HTTP method it will use. The API server will then respond with what methods it accepts and where it accepts them from. If the domain making the request isn’t in the list, the browser will refuse to send the request at that point.

So why bother with CORS? A lot of times engineers simply set the CORS policy to accept anything (just passing an asterisk), which is usually a result of laziness, lack of knowledge, or simply wanting to get off the ground quickly and then forgetting. This can be dangerous because it allows malicious developers to start making requests from their own web applications without your API’s permission and opens the possibility for anybody anywhere to access your data. By properly implementing a CORS policy you can restrict browser API calls to only your web application. If you want to allow clients to use your API in their application, implement a feature in which your users must list the domain their application uses, and allow access only to those approved. This ensures your API data is being accessed browser-side only by the applications your API is aware of.
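The per-client origin allowlist described above, as an added example that is not Citadel’s code. The registered origins, the allowed methods and headers, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: origins that clients registered for their front ends.
REGISTERED_ORIGINS = {"https://app.example.com", "https://payroll.client-a.example"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"authorization", "content-type"}


def normalize_origin(origin):
    """Return https://host[:port] in canonical form, or None if unacceptable."""
    if not origin:
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname or parts.username:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    suffix = "" if port in (None, 443) else f":{port}"
    return f"https://{parts.hostname}{suffix}"


def cors_headers(origin, method, request_method=None, request_headers=""):
    """Return CORS response headers; {} means the browser will block the call.

    For a preflight, method is "OPTIONS" and the other two arguments carry the
    Access-Control-Request-Method and Access-Control-Request-Headers values.
    """
    allowed_origin = normalize_origin(origin)
    if allowed_origin not in REGISTERED_ORIGINS:  # exact match, never substring
        return {}
    # Echo the single approved origin instead of "*"; Vary keeps caches correct.
    headers = {"Access-Control-Allow-Origin": allowed_origin, "Vary": "Origin"}
    if method == "OPTIONS" and request_method:
        wanted = {h.strip().lower() for h in request_headers.split(",") if h.strip()}
        if request_method.upper() not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
            return {}
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
    return headers
```

CORS is enforced by the browser only, so this check complements the authentication on each endpoint rather than replacing it.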

Implement Authentication and Authorization

When handling payroll data here at Citadel, it’s important to us to ensure whoever is accessing any of our API endpoints is authorized to do so. No API endpoint can be accessed without the proper identifiers and authentication keys. Not only does this ensure that whoever is accessing our endpoints is allowed to do so, it also allows us to keep track of who is accessing those endpoints. In the case of a security breach, we can simply deauthorize keys and track down who compromised the keys and how.

So what if you have a public-facing web application that needs to make calls to your API and doesn’t have a login? This is one of the primary use cases at Citadel, and even then we’re covered. Clients who implement our Bridge into their front end application still need to make a back end call to obtain a token for the session their front end is using. This ensures we know any subsequent calls from that session are coming from a permitted application.

So if you’re looking to allow users to access your APIs on the back end, make sure you have some sort of authentication in place. If your users need to use your APIs from the front end, implement some sort of session token policy so you know the front end calls are still coming from an authorized source. Implementing authentication in your API is key to keeping the data that your API provides secure and in the hands of only the systems that are authorized to use it.
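A sketch of the session token flow described above, as an added example that is not Citadel’s implementation. The HMAC-signed token format, the 15-minute lifetime, the sample key and all names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # assumption: signing key held only by the API
API_KEYS = {"sk_test_constructed_key": "client-a"}  # constructed back-end key -> client
TOKEN_TTL_SECONDS = 900


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload):
    return _b64(hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest())


def issue_session_token(api_key, now=None):
    """Back-end call: exchange the client's secret key for a short-lived token."""
    client_id = None
    for known_key, candidate in API_KEYS.items():
        if hmac.compare_digest(known_key.encode(), api_key.encode()):
            client_id = candidate
    if client_id is None:
        raise PermissionError("unknown API key")
    now = time.time() if now is None else now
    claims = {"client": client_id, "exp": int(now) + TOKEN_TTL_SECONDS,
              "sid": secrets.token_hex(8)}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"


def verify_session_token(token, now=None):
    """Front-end call: return the claims if the token is authentic and unexpired."""
    try:
        payload, signature = token.split(".")
    except (AttributeError, ValueError):
        return None
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(signature.encode(), _sign(payload).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    return claims if now < claims["exp"] else None
```

The secret API key never reaches the browser; the front end only ever holds the expiring token, which also ties each call back to a known client for revocation and auditing.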

Be mindful of what data your API returns

I see it a lot in tech these days. Engineers will create an API endpoint that makes a call to a NoSQL database and dumps the JSON result to their HTTP response. While this is certainly easy and makes for small, clean code, it is a very dangerous habit to get into. The result could contain API keys, encrypted or unencrypted values that users shouldn’t be seeing, or database identifiers the user has no business knowing about. At Citadel we’ve implemented a layer in between the database and the API ensuring that only the fields we want in our responses are sent. Not only does this make us mindful of what data is going out, but it future-proofs our security by ensuring that even if we add more fields to our database later on, they won’t accidentally leak out to the user.

So the key point here is to make sure you have a data transformation layer that is mindful of exactly what fields it’s returning. It’s easy to simply throw back whatever data is in the database, but it’s also a security nightmare.
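A transformation layer of this kind, shown next to the weaker “remove the known-bad keys” approach, as an added example that is not Citadel’s code. The document shape, field names and functions are constructed for illustration.

```python
# Allowlist: response key -> dotted path inside the stored document.
PUBLIC_EMPLOYEE_FIELDS = {
    "id": "public_id",
    "name": "profile.full_name",
    "employer": "employment.employer_name",
    "pay_frequency": "employment.pay_frequency",
}
# Denylist used by the weaker approach, for comparison.
SENSITIVE_KEYS = {"_id", "provider_api_key", "ssn_encrypted"}

# Constructed sample record, shaped like a NoSQL document.
STORED = {
    "_id": "64f0c0ffee0000000000abcd",
    "public_id": "emp_1001",
    "profile": {"full_name": "Ada Example", "ssn_encrypted": "constructed-ciphertext"},
    "employment": {"employer_name": "Example Corp", "pay_frequency": "biweekly"},
    "provider_api_key": "constructed-not-a-real-key",
}


def _lookup(document, dotted_path):
    """Walk a dotted path; a missing or non-dict step yields None, not an error."""
    current = document
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def to_public_employee(document):
    """Build the response from the allowlist; unlisted fields never pass through."""
    return {key: _lookup(document, path) for key, path in PUBLIC_EMPLOYEE_FIELDS.items()}


def strip_denylisted(value):
    """Weaker approach: dump the document minus the keys known to be sensitive."""
    if isinstance(value, dict):
        return {k: strip_denylisted(v) for k, v in value.items()
                if k not in SENSITIVE_KEYS}
    return value
```

When a new field is later added to the stored document, `strip_denylisted` returns it until someone remembers to update the denylist, while `to_public_employee` keeps returning the same four keys.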

Keep systems and libraries up to date

APIs are almost always built using third-party libraries and hosted on servers running operating systems and software. All of these points are opportunities for security vulnerabilities, and new vulnerabilities are discovered every day. Here at Citadel we’ve implemented procedures to keep up to date with all firmware, software and libraries our APIs use, as new releases come out every day intended to fix security flaws and vulnerabilities. When developing an API, make sure you have your own processes in place to keep your OS, software and libraries updated with the latest versions and patches.

One of the key components you can rely on as well is using open source libraries, which are fantastic for ensuring your projects remain secure. With open source projects there’s an entire community of developers dedicated to making a project successful, which means many eyes watching out and fixing security concerns.

Throttle your API

One of the big concerns when it comes to APIs is that it’s very easy to access data quickly. It’s very easy to write a script that can make one API call after another in a fraction of a second, opening the door to the possibility of scraping all the data from an API in a very short amount of time. By throttling your API you limit the number of times a particular entity can make requests. Whether you throttle by IP address or authentication keys, it’s important to limit how many calls a system is making in quick succession to lower the possibility of your data being scraped by a script or bot.
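One way to throttle per caller, using a token bucket, as an added example that is not Citadel’s code. The article does not name an algorithm, so the token bucket, the rate and burst values and all names are assumptions, and the traffic is constructed.

```python
import time


class TokenBucketLimiter:
    """Per-caller token bucket: `burst` calls at once, refilled at `rate` per second."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock
        self._buckets = {}  # caller -> (tokens left, time of last request)

    def allow(self, caller):
        """Return (allowed, retry_after_seconds) for one request by `caller`."""
        now = self.clock()
        tokens, last = self._buckets.get(caller, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[caller] = (tokens - 1.0, now)
            return True, 0.0
        self._buckets[caller] = (tokens, now)
        return False, (1.0 - tokens) / self.rate


def caller_key(api_key, remote_ip):
    """Throttle by authentication key when one is presented, else by IP address."""
    return f"key:{api_key}" if api_key else f"ip:{remote_ip}"


def simulate(requests, rate=2, burst=5):
    """Replay (timestamp, api_key, ip) tuples and return one HTTP status per call."""
    current = [0.0]
    limiter = TokenBucketLimiter(rate, burst, clock=lambda: current[0])
    statuses = []
    for timestamp, api_key, ip in requests:
        current[0] = timestamp
        allowed, _retry_after = limiter.allow(caller_key(api_key, ip))
        statuses.append(200 if allowed else 429)
    return statuses


# Constructed traffic: a script firing 8 calls within 70 ms, then one call at 1 s.
SCRIPT_BURST = [(i * 0.01, "key-scraper", "203.0.113.7") for i in range(8)]
LATER_CALL = [(1.0, "key-scraper", "203.0.113.7")]
```

A rejected call would be answered with HTTP 429 and the second return value of `allow` as its `Retry-After` hint.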

Monitor your API

Implement logging with your API and track its usage. At Citadel we log as much data about the use of our API as we can and feed these logs into analytic software that allows us to closely monitor whether or not our APIs are being abused or if there’s a potential security threat. By monitoring your API you’re not only able to be proactive in preventing security concerns, but you’ll also gain valuable insight into how your users are interacting with your product and potentially make changes to improve their experience. This can be done manually or by using third-party services like AWS GuardDuty or Wallarm.

In a world where data is the most valuable commodity on the internet, users are more conscious about how secure companies are keeping their data. It’s important now more than ever to keep a constant eye on the security of your API and ensure you’re keeping your data and your users’ data safe.

Learn more about how Citadel’s APIs can make employment and income verification easy and affordable at https://citadelid.com
