A couple of months ago, I stumbled upon this list of 16 practices to secure your API:
- Authentication: Verifies the identity of users accessing APIs.
- Authorization: Determines permissions of authenticated users.
- Data redaction: Obscures sensitive data for protection.
- Encryption: Encodes data so only authorized parties can decode it.
- Error handling: Manages responses when things go wrong, avoiding revealing sensitive info.
- Input validation and data sanitization: Checks input data and removes harmful parts.
- Intrusion detection systems: Monitor networks for suspicious activities.
- IP Whitelisting: Permits API access only from trusted IP addresses.
- Logging and monitoring: Keeps detailed logs and regularly monitors APIs.
- Rate limiting: Limits user requests to prevent overload.
- Secure dependencies: Ensures third-party code is free from vulnerabilities.
- Security headers: Enhances site security against types of attacks like XSS.
- Token expiry: Regularly expiring and renewing tokens prevents unauthorized access.
- Use of security standards and frameworks: Guides your API security strategy.
- Web application firewall: Protects your site from HTTP-specific attacks.
- API versioning: Maintains different versions of your API for seamless updates.
While it’s debatable whether some points relate to security, e.g., versioning, the list is a good starting point anyway. In this two-post series, I’d like to describe how we can implement each point with Apache APISIX (or not).
This article has been indexed from DZone Security Zone