REST API SECURITY
- August 31, 2024
- ANSARI RIZWAN
Overview
- Authentication is the common way to handle security for any application.
- The two basic terms involved in this process are "Authentication" and "Authorization".
- Authentication is the process of verifying someone's identity using pre-registered details (commonly a username and password).
- Information that will be rendered on the client side should only be reachable after authentication, so access to the data must be controlled.
- Many websites now integrate a security system to protect their data from attackers, and part of protecting that data is accessing their REST APIs securely. The common methods are:
- Cookie-Based authentication.
- Token-Based authentication.
- Third-party access (OAuth, API-token).
Cookie-Based authentication
- Cookie-based authentication has been the default method for handling user authentication for a long time.
- The client posts the login credentials to the server; the server verifies them and creates a session ID, which is stored on the server and returned to the client via a Set-Cookie header.
- On subsequent requests, the session ID from the cookie is verified on the server and the request is processed.
- On logout, the session ID is cleared from both the client cookie and the server.
Token-Based authentication
- Token-based authentication suits single page applications (SPA) and stateless applications (RESTful APIs).
- There are different ways to implement token-based authentication; we focus on the most commonly used one, JSON Web Token (JWT).
- On receiving the credentials from the client, the server validates them and generates a signed JWT containing the user information. Note that the token is never stored on the server.
- On subsequent requests, the token is passed to the server and verified (decoded) there. The client can keep the token in local storage, session storage, or even in a cookie.
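The JWT flow described above (mint a signed token at login, verify it on every later request with nothing stored server side), as an added example that is not part of the original post. It uses only the Python standard library; the signing key and the claim values are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo key; a real server loads the signing key from a secret store.
SECRET = b"demo-signing-key-do-not-use-in-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def issue_jwt(claims: dict, ttl: int = 900, secret: bytes = SECRET) -> str:
    """Login step: credentials already validated, mint a signed HS256 JWT.
    Nothing is stored server side; the HMAC signature is the only state."""
    now = int(time.time())
    body = dict(claims, iat=now, exp=now + ttl)
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(body)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Subsequent requests: return the claims only if the signature is valid,
    the algorithm is the one we issue, and the token has not expired."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_unb64url(h_b64))
        # Pin the algorithm: never let the token choose (e.g. "alg": "none").
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        # Constant-time compare so signature checking does not leak timing.
        if not hmac.compare_digest(expected, _unb64url(s_b64)):
            return None
        claims = json.loads(_unb64url(p_b64))
        if int(time.time()) >= int(claims["exp"]):
            return None  # expired; a missing exp raises KeyError below
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

if __name__ == "__main__":
    token = issue_jwt({"sub": "alice", "role": "user"})
    print(token)
    print(verify_jwt(token))
```

A malformed token, a token signed with another key, or an expired one all come back as None, so the request handler needs only one branch.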

Third-party access (OAuth, API-token)
- If we need to expose our APIs outside our system, for example to a third-party app or a mobile app, there are two common ways to share the information.
- Via an API token, which works the same way as a JWT: the token is sent in the Authorization header and handled at the API gateway to authenticate the user.
- The other option is Open Authentication (OAuth). OAuth is a protocol that allows an application to authenticate against a server as a user.
The recommendation is to implement OAuth 1.0 or OAuth 2.0. OAuth 2.0 relies on HTTPS for security and is currently implemented by Google, Facebook, Twitter, etc. OAuth 2.0 provides secure delegated access to a resource on behalf of the user.
Selection of REST API Security Method
- If you only have to support a web application, either cookies or tokens are fine: with cookies think about CSRF, with JWT take care of XSS.
- If you have to support both a web application and a mobile client, go with an API that supports token-based authentication.
Best Practices to Secure REST APIs
Offer your API over HTTPS
- APIs are accessed directly from within an application, which makes setting up HTTPS easier: you do not need to support a redirect from HTTP.
- Simply disable HTTP for your API endpoints altogether.
- Configure HTTP Strict Transport Security (HSTS) so that clients never fall back to plain HTTP.
- HSTS tells the browser to use HTTPS for every request to the host, regardless of the scheme in the URL.