How to Secure your REST API from Malicious Attacks
APIs and microservices are now the de facto method for developing applications. Modern applications of every size are likely to use APIs to separate the application and UI layers, and companies are also breaking legacy applications up into much smaller, more manageable pieces. Since the nature of an API is to serve data seamlessly to a variety of front-end services, following some basic security rules is very important.
There are a number of web API styles, such as Representational State Transfer (REST), Simple Object Access Protocol (SOAP) and Remote Procedure Call (RPC). However, most modern applications now use REST, which has become the de facto model.
Over the past few years REST has become the de facto standard for web applications. While SOAP has some benefits, such as built-in support for stateful operation where the business requirements call for it, most SOAP implementations exist to support legacy applications.
REST, on the other hand, is found in a large number of modern implementations because of its ease of use. Almost all public APIs are currently developed using REST. Implementation is easier since resources are addressed and returned through plain URLs, and there are many tools on the market that help with your implementation.
Even though REST is stateless, it is well suited to applications that require constant back-and-forth between the client and server. This is mainly because REST allows clients to retry requests without interrupting the service.
Although APIs share many of the same security considerations as a standard web application, there are some unique scenarios and steps you need to take to secure your API.
One of the most basic steps you can take is to make sure that all your API calls are made over HTTPS and not clear-text HTTP. This ensures that any parameters you pass to the back-end server are protected in transit.
Authorization is often confused with access. However, they are completely different concepts. Access is giving the user the key to get into the API, while authorization is the access-level control that governs what the user can do within the API. Setting granular permissions and controlling authorization is very important to establishing good security.
There are a number of ways to set up access to the API. However, OAuth has become the de facto standard. While you can certainly use standard usernames and passwords, your API connection could break if passwords expire or are changed.
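To make the access-versus-authorization distinction concrete, here is an added example in Python (not code from the original article), using only the standard library. A constructed token store stands in for OAuth token validation (an introspection endpoint or a verified JWT would fill that role in practice), and a hypothetical route table maps each method and path to the scope it requires. The token strings, scope names, routes and expiry values are all made up for the example.

```python
import time

# Constructed token store standing in for OAuth token introspection or a
# verified JWT: opaque bearer token -> subject, granted scopes, expiry (epoch seconds).
# Token strings, scope names and expiry values are made up for this example.
TOKENS = {
    "tok_reader":  {"sub": "alice", "scopes": {"orders:read"},                 "exp": 2_000_000},
    "tok_writer":  {"sub": "bob",   "scopes": {"orders:read", "orders:write"}, "exp": 2_000_000},
    "tok_expired": {"sub": "carol", "scopes": {"orders:read", "orders:write"}, "exp": 1_000},
}

# Hypothetical route table: the scope each (method, path) requires.
# Anything not listed is denied, so a new route cannot be exposed by accident.
REQUIRED_SCOPE = {
    ("GET",    "/orders"): "orders:read",
    ("POST",   "/orders"): "orders:write",
    ("DELETE", "/orders"): "orders:write",
}


def authenticate(authorization_header, now):
    """Access: does the request carry a valid, unexpired bearer token?

    Returns the token record, or None when the caller has no access at all.
    """
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token.strip():
        return None
    record = TOKENS.get(token.strip())
    if record is None or record["exp"] <= now:
        return None
    return record


def authorize(record, method, path):
    """Authorization: is this authenticated caller allowed to perform *this* action?"""
    required = REQUIRED_SCOPE.get((method, path))
    if required is None:
        return False  # unknown route: deny by default
    return required in record["scopes"]


def handle(method, path, headers, now=None):
    """Tiny dispatcher returning the HTTP status an API gateway would send.

    401 = no valid access; 403 = access granted, but this action is not authorized.
    """
    now = time.time() if now is None else now
    record = authenticate(headers.get("Authorization"), now)
    if record is None:
        return 401
    if not authorize(record, method, path):
        return 403
    return 200


if __name__ == "__main__":
    now = 1_500_000  # constructed clock value between the expiry values above
    print(handle("GET",    "/orders", {"Authorization": "Bearer tok_reader"},  now))  # 200
    print(handle("POST",   "/orders", {"Authorization": "Bearer tok_reader"},  now))  # 403
    print(handle("POST",   "/orders", {"Authorization": "Bearer tok_writer"},  now))  # 200
    print(handle("GET",    "/orders", {"Authorization": "Bearer tok_expired"}, now))  # 401
    print(handle("GET",    "/orders", {},                                      now))  # 401
    print(handle("DELETE", "/users",  {"Authorization": "Bearer tok_writer"},  now))  # 403
```

The two failure modes map to different status codes: a missing, malformed or expired token is a 401 (no access at all), while a valid token that lacks the right scope is a 403 (access granted, action not authorized). Denying any route that is absent from the table means a newly added endpoint stays closed until someone explicitly assigns it a scope, which is the granular control the paragraph above asks for.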
Most APIs are served over the standard HTTP protocol.
One of the most important steps in securing your API is to validate all incoming traffic to the API. This can be done through allowlists (whitelists) or type checking, among other popular methods. The key factor here is to reduce the footprint that potential attackers can use to compromise your API.
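The following is an added example (not from the original article) of the allowlist and type-checking approach just described, in Python using only the standard library. It validates a decoded JSON body for a hypothetical "create order" endpoint against a small schema; the field names, allowed status values, id format and limits are all constructed for the example.

```python
import re

# Constructed rules for a hypothetical "create order" endpoint.
ALLOWED_STATUS = {"pending", "shipped", "delivered"}   # allowlist of accepted values
# fullmatch() is used instead of match() with $ so a trailing newline cannot sneak past.
ORDER_ID_RE = re.compile(r"[A-Z]{3}-\d{6}")           # e.g. "ORD-000123"

SCHEMA = {
    "order_id": {"type": str, "pattern": ORDER_ID_RE},
    "status":   {"type": str, "allowed": ALLOWED_STATUS},
    "quantity": {"type": int, "min": 1, "max": 1000},
    "note":     {"type": str, "max_len": 200, "optional": True},
}


def validate_order(payload):
    """Check a decoded JSON body against SCHEMA.

    Returns (clean, errors): clean holds only the fields that passed, errors lists
    every problem found so the client gets one complete answer. Unknown fields are
    rejected outright, because an allowlist of field names is the simplest way to
    keep attacker-controlled keys from reaching the data layer.
    """
    if not isinstance(payload, dict):
        return {}, ["body must be a JSON object"]

    errors = []
    unknown = sorted(set(payload) - set(SCHEMA))
    if unknown:
        errors.append(f"unexpected fields: {unknown}")

    clean = {}
    for name, rule in SCHEMA.items():
        if name not in payload:
            if not rule.get("optional"):
                errors.append(f"missing field: {name}")
            continue
        value = payload[name]

        # Type check first. bool is a subclass of int in Python, so exclude it
        # explicitly or JSON `true` would slip through as quantity 1.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{name}: does not match required format")
            continue
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{name}: must be one of {sorted(rule['allowed'])}")
            continue
        if ("min" in rule and value < rule["min"]) or ("max" in rule and value > rule["max"]):
            errors.append(f"{name}: out of range")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: too long")
            continue
        clean[name] = value

    return clean, errors


if __name__ == "__main__":
    good = {"order_id": "ORD-000123", "status": "shipped", "quantity": 3}
    print(validate_order(good))
    bad = {"order_id": "ORD-123", "status": "cancelled", "quantity": True, "debug": 1}
    print(validate_order(bad))
```

Two design points matter here. Validation is positive (what is allowed) rather than negative (what is blocked), so the set of inputs that reaches the handler is exactly the set the schema describes. And the function returns the cleaned copy rather than mutating the request, so downstream code works only with fields that have been checked.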
Cross-Site Request Forgery Attack
CSRF protection is generally not necessary in an API environment, as long as the party connecting to the API is not a browser. If there are browser-based clients, such as clients using a standard username and password, then implementing CSRF protection is important.
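As an added example (not part of the original article), here is the distinction above expressed in Python with only the standard library: a request whose credential is a bearer token that client code attaches deliberately skips the CSRF check, while a state-changing request whose only credential is a session cookie (which the browser attaches automatically) must carry a synchronizer token bound to that session. The cookie name, header name, secret and session ids are constructed for the example, and it assumes the server authenticates by the bearer token whenever one is present and never falls back to the cookie.

```python
import hashlib
import hmac

# Constructed server-side secret; a real service loads this from a secret store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must not change state, so no token needed


def credential_kind(headers, cookies):
    """Which credential would authenticate this request?

    A bearer token in the Authorization header is added by client code on purpose;
    a third-party page cannot make the browser send it. A session cookie is attached
    by the browser automatically on cross-site requests, which is what CSRF abuses.
    Assumes the server never falls back to the cookie when a bearer token is present.
    """
    if headers.get("Authorization", "").startswith("Bearer "):
        return "bearer"
    if "session" in cookies:
        return "cookie"
    return None


def csrf_token_for(session_id):
    """Synchronizer token derived from the session id, so a token stolen from or
    issued to one session is useless for any other session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(method, headers, cookies, form):
    """Return True when the request may proceed to the handler.

    Only state-changing requests authenticated by cookie need the token. It may
    arrive as a form field or as an X-CSRF-Token header, which only same-origin
    script can set. Requests with no credential at all are left to the
    authentication layer to reject.
    """
    if method in SAFE_METHODS:
        return True
    if credential_kind(headers, cookies) != "cookie":
        return True
    presented = form.get("csrf_token") or headers.get("X-CSRF-Token") or ""
    expected = csrf_token_for(cookies["session"])
    # Constant-time comparison so the check itself does not leak the token byte by byte.
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    token = csrf_token_for("session-123")
    print(csrf_check("POST", {"Authorization": "Bearer tok_abc"}, {}, {}))                    # True
    print(csrf_check("POST", {}, {"session": "session-123"}, {}))                             # False
    print(csrf_check("POST", {}, {"session": "session-123"}, {"csrf_token": token}))          # True
    print(csrf_check("POST", {"X-CSRF-Token": token}, {"session": "session-123"}, {}))        # True
```

The check is keyed on how the request is authenticated rather than on a guess about the client, so the same gateway can serve a mobile app with bearer tokens and a browser front end with cookies without either path being left unprotected.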
API injection is when malicious code is passed through a normal request to bypass security, using either cross-site scripting (XSS) or SQL injection (SQLi). Malicious scripts are passed to APIs that don't perform the necessary security checks. These attacks can also pass SQL commands and gain full access to the underlying database tables. If requests are not sanitized correctly, hackers can easily pass malicious code to the API.
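To show why the sanitization point matters, here is an added example (not from the original article) in Python using only the standard library and an in-memory SQLite table constructed for the purpose. It places the defect the paragraph describes, untrusted input spliced into the SQL text, beside the parameterized form that treats the value strictly as data, and adds the output-side counterpart for the XSS case: encoding a value for HTML if it is ever rendered there. The table, rows and function names are all constructed.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'neil", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """The pattern the article warns about: untrusted input spliced into the SQL text.

    Whatever the client sends is parsed as SQL. Returns None when the database
    rejects the resulting statement, which is the first visible symptom.
    """
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    try:
        return [tuple(row) for row in conn.execute(query)]
    except sqlite3.Error:
        return None


def find_user_safe(conn, name):
    """Parameterized query: the driver passes the value separately from the
    statement, so it can only ever be compared as data, never parsed as SQL."""
    rows = conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return [tuple(row) for row in rows]


def render_name(name):
    """If an API value is ever placed into HTML, encode it for that context.
    This is the output-side counterpart to parameterizing SQL on the input side."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing a quote breaks the vulnerable query, proving
    # the input was being interpreted as code rather than treated as data.
    print(find_user_vulnerable(db, "o'neil"))        # None (SQL syntax error)
    print(find_user_safe(db, "o'neil"))              # [("o'neil", "user")]
    # The same defect lets a crafted value rewrite the WHERE clause and return
    # every row, which is the "full access to the underlying tables" outcome.
    print(find_user_vulnerable(db, "x' OR '1'='1"))  # all three rows
    print(find_user_safe(db, "x' OR '1'='1"))        # []
    print(render_name('<b onclick="x">'))            # &lt;b onclick=&quot;x&quot;&gt;
```

The fix is structural rather than a blocklist of characters: a parameterized query cannot be broken by any value, including the legitimate apostrophe in "o'neil" that a naive sanitizer would also strip, and the same rule applies to every other interpreter an API value can reach (HTML, shell, LDAP), each needing its own context-specific encoding.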