4 API Security Best Practices
APIs have become an integral part of today's web applications. Developers use APIs to access the internal capabilities of application software. Most applications use third-party APIs to build an ecosystem around their products.
Security practices for API integration are evolving rapidly in response to the growing threat of cyberattacks. This post explains four important API security best practices to avoid API hacks.
What Is an API?
An application programming interface, or API, is software that acts as an interface between applications. Everyone uses APIs in daily life. For example, when you check the weather on your phone or send a message to someone using an application, you're using an API either directly or indirectly.
APIs can enable applications to access sensitive functionalities such as embedding Google Maps on your website or fetching data. Thus, they have become a common target for attackers, causing API security to evolve.
What Is API Security?
API security is a practice for protecting and securing APIs. APIs might be vulnerable and can leak sensitive information because of poor design, so it is important to address API vulnerabilities using security best practices. Now that we understand what API security means, let's see why it’s important.
Some companies don't adopt security best practices during development of APIs. Instead, they wait until there's a breach that leads to data leakage or other risk. This leads to an increase in the number of successful API attacks. Secure your APIs to prevent API data leaks or hacks.
Let's examine some of the security best practices that you can implement to protect your APIs.
4 Common API Security Best Practices
Here are our top four API security best practices.
1. Use an API Gateway
An API gateway is a tool that manages all the API calls from a client. It acts as a middleman between the client and backend services. API gateways accept all API calls and sends them to all the services required to fulfill them to provide the appropriate results. It acts as a single point of entry into your system of microservices.
Why adopt an API Gateway?
API gateways handle functions used among all services like authentication, logging, rate-limiting, and so on. The functions of an API gateway will vary depending on the implementation and your company’s requirements.
For example, if you want to log the use of an API, you can integrate it into an API gateway. This saves you from implementing the security functions individually for each API, yet it still protects against security flaws in any of the individual APIs. An API gateway conveniently secures your services and makes sure you don’t miss any security vulnerabilities in one or more microservices.
2. Implement Rate Limiting
We know that excessive use of an API can slow performance, and that's why we need to apply a limit on API requests, referred to as rate limiting, but what exactly is rate limiting?
Rate limiting is a method to control, or limit the network traffic. It restricts the number of times a user can access a given service within a given time period. It reduces the strain on your web servers and prevents malicious activities like brute force attacks.
Rate limiting is a crucial component of API security that prevents a distributed denial of service, or DoS attack, from filling your server with unlimited API calls. Rate limiting also helps with scaling APIs, because it can manage high traffic efficiently and prevent your server from slowing down.
You implement rate limiting based on either user ID or IP address.
- Rate limiting based on IP address: You would use this method when a user runs an attack against an API and has already prepared a lot of unique email addresses to send unlimited requests using different accounts. An IP-address-based rate limit would not allow attackers to send unlimited requests from the same IP Address, even when they have numerous unique identifiers.
- Rate limiting based on user ID: When bad actors attack an API (as discussed above), they might switch to different IP addresses, while keeping the same user identifiers. In this case, you’d use rate limiting on user IDs to limit the number of requests from an identifier within a given period.
Companies usually implement hybrid rate-limiting by mixing both approaches.
Why Use API Rate Limiting?
API rate limits can throttle the connection instead of completely disconnecting users if they send too many requests. You can achieve this by creating a delay in executing a function or by calling a function only once within a specified period. The limit protects the API but keeps the client connection intact and provides complete services to the client.
You can choose one of several convenient, easy to use existing services for queuing requests. Examples include Amazon Simple Queue Service (ASQS) and Android Volley.
Rate limiting protects the server from lagging and provides a good experience on both the client and the server side. It secures the APIs and server from unlimited requests, whether executed on purpose or not, without actually disturbing the functionality of the APIs.
3. Avoid Relying on User-Controlled Input
For better API security, you should not depend on user-controlled inputs to provide any response or data. Attackers can tamper with a request or response to get the sensitive information of any user. Rather than depend on a user's request input, you should fetch most of the required inputs from protected signatures.
Let's explain this more with an example: Let's say a user visits their profile page and tries to view their credit card details. The API used to fetch the details relies on the user identifier and sends it back to the user as a response. In this case, the user identifier is a user-controlled input. The user can change the user ID to someone else's user ID and get that user’s private details by using any proxy tool.
So, avoid relying on user inputs, but if you do, verify that the person’s information goes only to the correct person. One of the ways of doing this is to use a checksum. The checksum is a digital signature that verifies the message's source. It prohibits others from, for example, sending payment requests in your name, as well as tampering with other requests.
4. Using Proper Authentication and Authorization
Before explaining how authentication and authorization can help you secure your API, let’s look at what these terms mean.
Authentication: This is the task of identifying and verifying a user. Authentication is accomplished by providing a set of credentials (a username and password, for example) to an API, which then checks a database of valid usernames and passwords, and grants or denies access accordingly.
Authorization: When developing complex applications, you may encounter some cases where information should only be available to someone in a specific role such as admin or super admin. Such information should always go only into the right hands, as it can contain sensitive data. Checking whether or not a user should have access to that information or resource is known as Authorization.
Nowadays, the most commonly used authorization token used is JSON Web Token (JWT). But what exactly is a JWT? A JWT is a way of transferring information between servers and browsers using a JSON Object. It's a string, encoded using base64 and formed from three parts separated by dots: a header, a payload, and a signature. JWT is a secure method of authentication to validate a user. Using token-based authentication reduces reliance on user-controlled inputs.
Please note, all of the approaches mentioned above may have different implementations in different programming languages, but the concepts remain the same.
Wrapping it up...
We’ve talked about how you can use API security to help protect your apps, your business, and your users. Hopefully, we agree on the importance of taking a proactive approach, because it’s not just about protecting your business and your users. It’s also about protecting your brand. We hope you found this guide helpful. If you’d like to learn more, we recommend you check out the Traceable AI API Security guide, which is a comprehensive reference guide. It’s a great resource.
This post was written by Keshav Malik. Keshav is a full-time developer who loves to build and break stuff. He is constantly on the lookout for new and interesting technologies and enjoys working with a diverse set of technologies in his spare time. He loves music and plays badminton whenever the opportunity presents itself.
The Inside Trace
Subscribe for expert insights on application security.