Today the majority of applications depend on APIs to communicate with their back-end infrastructure and other resources.
Because APIs generally sit in front of critical infrastructure and can reveal sensitive information, they are an attractive target for attackers.
Securing the API infrastructure so that communication is uniform and secure is therefore the need of the hour.
How can we secure APIs?
- Make sure the communication between machines is secure and end-to-end encrypted.
- Use API keys to authenticate the device from which the call is being made.
- Use an authorization token to verify whether a user is authorized to make a request.
- Apply the principle of least privilege: additional privilege can be granted when required and revoked when it is no longer needed.
- Use an API gateway; a properly configured gateway helps organizations analyze, control and authenticate traffic.
How to secure API calls?
- Avoid assigning general numeric or incremental IDs to your users. It is easy for an attacker to guess such an ID, or to launch a brute-force attack against the ID parameter, and access details of other users for which they are not authorized. Instead of numeric values, use universally unique identifiers (UUIDs) to identify resources.
- Limit the number of requests a specific origin can make within a time frame. Failing to do this can lead to a DoS (Denial of Service) attack, as the server will try to respond to every request and may run out of resources in no time.
- Avoid exposing information in the request URL or in any other form, and limit the response to the information that is actually required. Ensure that information is encrypted both in transit and at rest.
- HTTP methods like GET, POST, PUT and DELETE should be implemented on the API's endpoints and must correspond to the user's action: when a user makes a delete request it should delete something, and if the method doesn't match the request type, a generic error such as ERROR 405 should be returned.
- Implementing an API gateway helps provide uniform, high performance and helps manage API traffic.
How to secure API gateway?
API gateways play an important role in securing APIs, as they are responsible for routing API requests, aggregating data from many resources and managing multiple endpoints to handle traffic and continuity, and they are capable of detecting attacks.
- API gateways are responsible for authentication, so a secure authentication mechanism should be set up using API keys or auth tokens. There are also other options based on identity and access management and Amazon Cognito.
- Sanitize user input to prevent injection and XSS-like attacks, as malformed input can mess with the gateway and produce an unintended result. Along with that, limit the size of the request body: if a message is several MB and we are not supposed to receive that, filter it out.
- Validate the content type; if it isn't relevant, return a generic error like ERROR 406.
- Check the version, make sure it is up to date, and avoid running unnecessary services.
- Remove development leftovers like debug mode, unused components, features and documents.
How to secure API keys?
- Use a secure method to generate keys: a key should be unpredictable and unique, like a JWT secret, to make brute force unrealistic, and the channel used to transmit the key should be encrypted/secure.
- Using an independent key for each service limits the scope of a key.
- Implement a maximum age for a key; this can vary from hours to a week or a month depending on use and authority.
- Implement a secure mechanism to regenerate an API key, disabling the previous key when the user requests a new one.
- Revoke keys that are no longer in use.
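As an added example (not code from the original post), here is a small key store in Python that follows the practices above: keys come from a CSPRNG, only a hash of the key is stored, each key is scoped to a single service, carries a maximum age, and can be rotated (which disables the previous key) or revoked. All class and method names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class KeyRecord:
    key_hash: str       # SHA-256 of the key; the plaintext key is never stored
    service: str        # the single service this key is valid for
    expires_at: float   # unix time after which the key is rejected (max age)
    revoked: bool = False


class ApiKeyStore:
    """Issues, validates, rotates and revokes per-service API keys (illustrative)."""

    def __init__(self, max_age_seconds: float):
        self.max_age = max_age_seconds
        self._keys: Dict[str, KeyRecord] = {}   # key id -> record

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, service: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (key_id, key); the key has 256 bits of CSPRNG entropy."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)
        key = secrets.token_urlsafe(32)
        self._keys[key_id] = KeyRecord(self._hash(key), service, now + self.max_age)
        return key_id, key

    def validate(self, key_id: str, key: str, service: str,
                 now: Optional[float] = None) -> bool:
        """Accept only an unrevoked, unexpired key presented for its own service."""
        now = time.time() if now is None else now
        rec = self._keys.get(key_id)
        if rec is None or rec.revoked or now >= rec.expires_at or rec.service != service:
            return False
        # constant-time compare so the check does not leak how many bytes matched
        return hmac.compare_digest(rec.key_hash, self._hash(key))

    def rotate(self, key_id: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Issue a replacement key for the same service and disable the old one."""
        old = self._keys[key_id]
        old.revoked = True
        return self.issue(old.service, now)

    def revoke(self, key_id: str) -> None:
        self._keys[key_id].revoked = True
```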
So far we have discussed how we can secure the overall structure of our API. In upcoming blogs we shall discuss how we can test our API security.
Enormous growth has been seen in the use of APIs, as well as in attacks on them, over time.
Securing APIs aims to implement secure authentication and authorization mechanisms based on user privileges, to protect sensitive information and individual identity, and to provide an unhindered, continuous and secure service.