What is the best way of securing a REST API? [closed]

Question

I am developing a REST API with Java using Jersey and what is the best way of securing it? I looked at various things from password based authentication, Servlet Context , and I heard about tokenization and so on. But what is the industry standard way to secure it and make sure nobody can get data from a GET request by just typing the URL in browser, simply make a POST calll from PostMan and so on? Any learning materials on implementing this best way?

In simple English, what i am asking is, how can I secure my REST API by making sure the API is accesible only to our app?. The method of doing it can be anything from password to token. I am learning it now trying to implement it, but before I need to know what to learn, because I am looking for the best practice and industry standard way of doing so.

Answer 1

Here is pretty good place to start to secure your API:

1. Use HTTPS
2. Use username/password for authentication
3. When user successfully logs in, you generate a token for them
4. Assign the token to that user (easy way is to save it in a DB)
5. Require the user to send that token with every request
6. Validate the token before responding to any request

That being said there are some concerns. You should research how to achieve these:

• Store credentials in your DB in an encrypted form in case your DB is compromised.

• If you store your tokens in a DB, validation requires a DB lookup, will that be an issue, are you expecting heavy load?

• If you use a stateless authentication, for example a JWT then how do you revoke access if you need to. (Hint: look into access+refresh token scheme + a blacklist)

• How do you transport your token(s), header, cookie?

• Protect your API from cross site scripting(a.k.a. XSS) and cross site request forgery(a.k.a. CSRF or XSRF).

NOTE: these are just some quick thoughts off the top of my head, you can find a lot of information about these online.