Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the best way of securing a REST API? [closed]

I am developing a REST API with Java using Jersey and what is the best way of securing it? I looked at various things from password based authentication, Servlet Context , and I heard about tokenization and so on. But what is the industry standard way to secure it and make sure nobody can get data from a GET request by just typing the URL in browser, simply make a POST calll from PostMan and so on? Any learning materials on implementing this best way?

In simple English, what i am asking is, how can I secure my REST API by making sure the API is accesible only to our app?. The method of doing it can be anything from password to token. I am learning it now trying to implement it, but before I need to know what to learn, because I am looking for the best practice and industry standard way of doing so.

like image 766
PeakGen Avatar asked Mar 09 '17 12:03

PeakGen


People also ask

How do I protect public REST API?

Use HTTPS/TLS for REST APIs As one of the most critical practices, every API should implement HTTPS for integrity, confidentiality, and authenticity. In addition, security teams should consider using mutually authenticated client-side certificates that provide extra protection for sensitive data and services.

Which is the most secure way to use an API key?

So instead of storing the key in plain text (bad) or encrypting it, we should store it as a hashed value within our database. A hashed value means that even if someone gains unauthorised access to our database, no API keys are leaked and it's all safe.

Can you encrypt secure when you are doing REST API integration?

Since REST APIs use HTTP, encryption can be achieved by using the Transport Layer Security (TLS) protocol or its previous iteration, the Secure Sockets Layer (SSL) protocol. These protocols supply the S in “HTTPS” (“S” meaning “secure'') and are the standard for encrypting web pages and REST API communications.


1 Answers

Here is pretty good place to start to secure your API:

  1. Use HTTPS
  2. Use username/password for authentication
  3. When user successfully logs in, you generate a token for them
  4. Assign the token to that user (easy way is to save it in a DB)
  5. Require the user to send that token with every request
  6. Validate the token before responding to any request

That being said there are some concerns. You should research how to achieve these:

  • Store credentials in your DB in an encrypted form in case your DB is compromised.

  • If you store your tokens in a DB, validation requires a DB lookup, will that be an issue, are you expecting heavy load?

  • If you use a stateless authentication, for example a JWT then how do you revoke access if you need to. (Hint: look into access+refresh token scheme + a blacklist)

  • How do you transport your token(s), header, cookie?

  • Protect your API from cross site scripting(a.k.a. XSS) and cross site request forgery(a.k.a. CSRF or XSRF).

NOTE: these are just some quick thoughts off the top of my head, you can find a lot of information about these online.

like image 165
Norbert Bicsi Avatar answered Oct 13 '22 01:10

Norbert Bicsi