APIs are used to allow two different applications to communicate with each other, and they have become a very important element of today’s ever-evolving technology. So, what exactly is an API, and what is API security? Check out the explanation below before discovering the 6 best API security practices!
What is API?
API stands for Application Programming Interface. In computer programming, APIs are the protocols and tools used to build software and applications. Simply put, an API is an interface that exposes a set of functions through which programmers can access specific features or data.
API Best Practices
Technology is evolving rapidly, and unfortunately so are cyberattacks. Securing APIs has therefore become very important for business, especially since several reports indicate that APIs are often fragile and easy to attack.
There is no need to worry, because well-established API security best practices now exist that let API providers fend off the various attacks that arise. Here are 6 API security best practices to consider when designing and developing a web API:
1. Always Use Gateway
API gateways centralize traffic features and apply them to every request that comes into the API; just as the name suggests, the gateway is the entry point. The features applied at this layer may be security-related, such as throttling, proper logging, and blocking malicious clients, or they may be business-related and more practical, such as collecting business metrics.
If we don’t use a gateway, there is no single place to enforce these features, and traffic that reaches the API unchecked could jeopardize it. Without a gateway, the API provider would have to implement each of these features one by one in every API endpoint, which is far more cumbersome. If you are equipped with a gateway from the start, updating these features later becomes much easier. Fortunately, a variety of API gateway products are now available on the market.
2. Always Use a Central OAuth Server
Next, don’t let the API or the gateway issue access tokens. Tokens should always be issued by a centralized OAuth server. Issuing a token is a complex process: authenticating the client, authenticating the user, obtaining the user’s authorization for the client, signing the token, and more.
All of these functions require access to different data, such as client-related information or the chosen authentication mechanism. Moreover, if multiple entities issue tokens, it becomes very difficult to keep all of them consistent and secure. Only one entity is in a position to handle this process properly and securely, and that is the OAuth server.
3. Only Use JSON Web Tokens Internally
When it comes to APIs, using JSON Web Tokens (JWTs) as access and refresh tokens is considered best practice. API services that accept JWTs can use the information they carry to make informed business decisions, for example:
- Are callers allowed to access certain resources?
- What data can and cannot be obtained by the caller?
- etc.
However, when tokens are exposed outside the infrastructure, especially to third-party clients, it is strongly recommended to use opaque tokens instead of JWTs. The information contained in a JWT is trivially decodable and is therefore readable by anyone who holds the token. If the JWT is public, privacy becomes an issue, so it must first be ensured that there is no sensitive data in the JWT’s claims.
Furthermore, if we share the JWT with a third-party client, it is likely that the client will start to rely on the data contained in it. This creates a new responsibility to manage, even if the data is not sensitive: once integrators rely on the content of the JWT, changing the token’s claims triggers further changes that end in disruption. If this happens, a costly implementation upgrade for all third-party clients will be needed.
If you want to use opaque tokens externally but still benefit from JWTs for internal communication, there is a solution: the phantom token approach or the split token approach. Both require an API gateway, which translates the opaque token into a JWT before the request reaches the internal services.
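The phantom token flow described above, as an added example that is not part of the original post or of any vendor's product: the gateway introspects a constructed opaque token against a stand-in for the OAuth server's token store, mints an HS256 JWT for the internal API, and the internal API verifies the signature before trusting the claims. The shared HMAC key, the token value and the claim names are all constructed for illustration; a real deployment would use the OAuth server's own signing keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: HMAC key shared between gateway and internal APIs.
# A real deployment would use the OAuth server's asymmetric signing key.
GATEWAY_KEY = b"example-shared-secret-not-for-production"

# Constructed introspection table standing in for the OAuth server:
# opaque token -> the claims the server holds for it. The token string
# itself carries no information, which is why it is safe to hand out.
INTROSPECTION = {
    "k7Gx2qP9vL": {"sub": "user-42", "scope": "orders:read", "client_id": "mobile-app"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict) -> str:
    """Build an HS256 JWT (header.payload.signature) over the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(GATEWAY_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def exchange_opaque_for_jwt(opaque_token: str):
    """Phantom-token step at the gateway: introspect the opaque token the
    client presented and, if it is known, forward a JWT to the internal API."""
    claims = INTROSPECTION.get(opaque_token)
    if claims is None:
        return None  # unknown or revoked token: rejected at the edge
    return issue_jwt(claims)

def read_claims_unverified(jwt: str) -> dict:
    """Anyone holding a JWT can read its payload without any key; this is
    why JWTs should stay inside the infrastructure."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))

def verify_jwt(jwt: str):
    """Internal API side: check the signature before trusting the claims."""
    header, payload, sig = jwt.split(".")
    expected = hmac.new(GATEWAY_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))
```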
4. Use Scopes for Coarse-Grained Access Control
An OAuth scope limits the capabilities of an access token. If a client’s credentials are stolen but its tokens have limited scopes, the attacker’s power is limited as well. Therefore, always issue tokens with limited capabilities. Scope verification can be done at the API gateway to stop malicious traffic from reaching the web/API.
This is why scopes matter for coarse-grained access control. These controls can include checking whether requests carrying a certain access token may query certain resources, or verifying that a client may use certain content types.
5. Use Claims for Fine-Grained Access Control at the API Level
Always implement fine-grained access control at the API level. These controls complement the controls performed at the API gateway and should be designed so that even a minor threat that slips through the gateway is rejected by the API itself. This practice greatly protects the API, regardless of the means used by the attacker.
Fine-grained access control focuses on securing the API from a business perspective. The API must verify each incoming request: whether the caller has rights to the data, and what data may be returned based on the caller’s identity (both the client and the user).
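The two layers from practices 4 and 5 together, as an added example that is not part of the original post: the gateway applies the coarse-grained scope check against a route table, and the API re-checks the scope and then enforces the business rule that a caller may only read their own orders. It works on already-verified claims (a plain dict); the route table, the order store, and the `roles` claim are constructed for illustration.

```python
# Constructed route table for the gateway: (method, path prefix) -> scope
# the access token must carry to pass the coarse-grained check.
ROUTE_SCOPES = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}

# Constructed order store for the API; each order records its owner (sub).
ORDERS = {
    "o-1001": {"owner": "user-42", "total": 19.99},
    "o-1002": {"owner": "user-77", "total": 250.00},
}

def _matches(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")

def gateway_allows(claims: dict, method: str, path: str) -> bool:
    """Coarse-grained check at the gateway: the token's space-separated
    scope string must contain the scope the matched route requires."""
    required = next((s for (m, prefix), s in ROUTE_SCOPES.items()
                     if m == method and _matches(path, prefix)), None)
    if required is None:
        return False  # unknown route: deny by default
    granted = set(claims.get("scope", "").split())
    return required in granted

def api_get_order(claims: dict, order_id: str):
    """Fine-grained check at the API: a request that passed the gateway is
    checked again here from the claims, without trusting the gateway."""
    if "orders:read" not in claims.get("scope", "").split():
        return 403, "insufficient scope"  # defence in depth
    order = ORDERS.get(order_id)
    if order is None:
        return 404, "not found"
    # Business rule: callers may only read their own orders unless the
    # (constructed) "roles" claim grants admin.
    if order["owner"] != claims.get("sub") and "admin" not in claims.get("roles", []):
        return 403, "not the owner"
    return 200, order

def handle(claims: dict, method: str, path: str):
    """Gateway first, then API, as a request flows in the design above."""
    if not gateway_allows(claims, method, path):
        return 403, "blocked at gateway"
    return api_get_order(claims, path.rsplit("/", 1)[-1])
```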
6. Don’t Trust Anyone
Zero trust is not just a buzzword: APIs must strictly limit incoming traffic. Period. One way to build zero trust is to use HTTPS for all API traffic. If possible, use HTTPS internally as well, so that traffic between services cannot be intercepted.
The services we run should always verify the incoming JWT, even when it started life as an opaque token that the gateway translated. Again, this takes care of the situation and prevents anything from jeopardizing the API and the data within it. Make sure to always monitor the network to keep it safe. Use the services of Netmonk, a network monitoring solution provider in Indonesia that simplifies the complexity of network problems. Visit the site now and try Netmonk Prime for free!
Reference:
https://curity.io/resources/learn/api-security-best-practices/