I am developing a REST API with Java using Jersey and what is the best way of securing it? I looked at various things from password based authentication, Servlet Context, and I heard about tokenization and so on. But what is the industry standard way to secure it and make sure nobody can get data from a GET request by just typing the URL in browser, simply make a POST call from Postman and so on? Any learning materials on implementing this best way?

In simple English, what I am asking is, how can I secure my REST API by making sure the API is accessible only to our app? The method of doing it can be anything from password to token. I am learning it now trying to implement it, but before I need to know what to learn, because I am looking for the best practice and industry standard way of doing so.
Use HTTPS/TLS for REST APIs. As one of the most critical practices, every API should implement HTTPS for integrity, confidentiality, and authenticity. In addition, security teams should consider using mutually authenticated client-side certificates that provide extra protection for sensitive data and services.
So instead of storing the key in plain text (bad) or encrypting it, we should store it as a hashed value within our database. A hashed value means that even if someone gains unauthorised access to our database, no API keys are leaked and it's all safe.
Since REST APIs use HTTP, encryption can be achieved by using the Transport Layer Security (TLS) protocol or its previous iteration, the Secure Sockets Layer (SSL) protocol. These protocols supply the S in "HTTPS" ("S" meaning "secure") and are the standard for encrypting web pages and REST API communications.
Here is a pretty good place to start to secure your API:
That being said, there are some concerns. You should research how to achieve these:
Store credentials in your DB in an encrypted form in case your DB is compromised.
If you store your tokens in a DB, validation requires a DB lookup; will that be an issue? Are you expecting heavy load?
If you use stateless authentication, for example a JWT, then how do you revoke access if you need to? (Hint: look into the access + refresh token scheme plus a blacklist.)
How do you transport your token(s), header, cookie?
Protect your API from cross-site scripting (a.k.a. XSS) and cross-site request forgery (a.k.a. CSRF or XSRF).
NOTE: these are just some quick thoughts off the top of my head, you can find a lot of information about these online.
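As an added illustration of two of the points above (keys stored only as hashes, token carried in a header), not code from the question or the answer: a Jersey request filter that accepts an API key from the Authorization header and checks its SHA-256 digest against a stored table. It assumes Jersey 3 (jakarta.* packages; Jersey 2 uses the same types under javax.*) and a Java 11+ runtime; the client id, the sample key and the in-memory table are constructed for the example, a real service loads the digests from its database.

```java
import jakarta.annotation.Priority;
import jakarta.ws.rs.Priorities;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

/** Rejects every request that lacks a valid "Authorization: Bearer <api-key>" header. */
@Provider
@Priority(Priorities.AUTHENTICATION)   // runs before authorization filters and resource code
public class ApiKeyFilter implements ContainerRequestFilter {
    // Constructed sample table: client id -> SHA-256 digest of the key issued to that client.
    // Only digests are stored; the plaintext key is computed here solely to keep the example self-contained.
    private static final Map<String, byte[]> KEY_DIGESTS = Map.of(
        "mobile-app", sha256("example-key-issued-to-mobile-app")
    );

    @Override
    public void filter(ContainerRequestContext ctx) {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.startsWith("Bearer ")) {
            ctx.abortWith(unauthorized());
            return;
        }
        byte[] presented = sha256(auth.substring("Bearer ".length()).trim());
        for (Map.Entry<String, byte[]> e : KEY_DIGESTS.entrySet()) {
            // MessageDigest.isEqual compares in constant time, so matching leaks no byte-by-byte timing.
            if (MessageDigest.isEqual(e.getValue(), presented)) {
                ctx.setProperty("clientId", e.getKey()); // resources can read this back via getProperty
                return;
            }
        }
        ctx.abortWith(unauthorized());
    }

    private static Response unauthorized() {
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build();
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); } // SHA-256 is mandatory in every JRE
    }
}
```

Register the class with your ResourceConfig (or let package scanning pick up the @Provider) and it applies to every resource; a plain digest is adequate only because issued API keys are long random strings, so user-chosen passwords still need a slow hash such as bcrypt, and the whole scheme only holds up over TLS as the earlier paragraphs stress.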