
11 points of consideration for REST API security

Writer: Askao Ahmed Saad

Updated: Nov 3, 2018

Short points recommended for security consideration if you develop a REST API.

1. Brute forcing:

  • limit login tries

  • limit the forgot-password token expiration time (30 minutes, for example)

  • use a CAPTCHA on the front-end side

2. Request rate limiting:

  • put request rate limiting at the application level, in the server configuration, and in the firewall to prevent too many requests per second and DoS attacks
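Points 1 and 2 above, the application-level part of them, as an added example that is not from the original post: a login guard that locks an account after repeated failures, a sliding-window request limiter, and a forgot-password token store with a 30-minute expiry. The class names, thresholds and in-memory storage are assumptions for illustration; a real deployment would keep the counters in a shared store so that all API instances see the same numbers.

```python
"""Added example (not from the original post): in-memory brute-force and
rate-limit guards for a REST API. LoginGuard, RateLimiter, ResetTokenStore
and the default thresholds are assumptions chosen for illustration."""
import secrets
import time
from collections import defaultdict, deque


class LoginGuard:
    """Locks an account after `max_failures` failed logins inside `window_seconds`."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # username -> timestamps of failures
        self._locked_until = {}               # username -> unix time lock ends

    def _prune(self, username, now):
        q = self._failures[username]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, username, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(username, 0) > now

    def record_failure(self, username, now=None):
        """Returns True when this failure locks the account."""
        now = time.time() if now is None else now
        self._prune(username, now)
        self._failures[username].append(now)
        if len(self._failures[username]) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            self._failures[username].clear()
            return True
        return False

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


class RateLimiter:
    """Sliding window: at most `limit` requests per `window_seconds` per client key."""

    def __init__(self, limit=100, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)       # client key -> request timestamps

    def allow(self, client_key, now=None):
        now = time.time() if now is None else now
        q = self._hits[client_key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ResetTokenStore:
    """Issues single-use forgot-password tokens that expire after `ttl_seconds`."""

    def __init__(self, ttl_seconds=30 * 60):
        self.ttl = ttl_seconds
        self._tokens = {}                     # token -> (username, expires_at)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)     # 256 bits, unguessable
        self._tokens[token] = (username, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Returns the username if the token is valid and unexpired, else None."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)  # pop: a token works only once
        if entry is None:
            return None
        username, expires_at = entry
        return username if now < expires_at else None
```

The limiter keys on whatever identifies the client (IP address, API key or user id); the login guard keys on the account, so that an attacker rotating source addresses still trips the lock. The `now` parameter exists only so the behaviour is testable without sleeping.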

3. SQL prepared statements

  • if you use raw SQL queries, make sure you use prepared statements with them to avoid SQL injection attacks

4. Prevent XSS

  • make sure you don't store data containing HTML tags or malicious JS code; filter or sanitize this data

  • XSS is less of a concern in REST APIs because they are stateless, so the risk is lower, but it may lead to a CSRF attack if you use cookies in some scenarios

5. Input validation

  • before entering your business logic, validate each request input parameter with rules covering its expected data type, whether it carries meaningful/logical data, and whether it is required
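Points 4 and 5 together, as an added example that is not from the original post: a small schema validator that runs before the business logic, checking presence, type, a per-field logical rule, and rejecting strings that carry HTML tags, plus an output-time escaper for anything that does get rendered. The schema format, the `validate_request` helper and the `/orders` fields are assumptions for illustration.

```python
"""Added example (not from the original post): request validation and
sanitisation helpers. The schema format and the ORDER_SCHEMA fields are
assumptions for illustration."""
import html
import re

TAG_RE = re.compile(r"<[^>]+>")   # crude but sufficient to refuse markup outright


def validate_request(schema, payload):
    """Returns (cleaned, errors).

    cleaned holds only declared fields that passed every rule; errors maps a
    field name to a message. A field passes if it is present when required,
    has the declared type, carries no HTML tags (strings), and satisfies the
    optional `check` callable that encodes what "meaningful" means for it.
    """
    cleaned, errors = {}, {}
    for name, rule in schema.items():
        if name not in payload:
            if rule.get("required", False):
                errors[name] = "missing required field"
            continue
        value = payload[name]
        expected = rule["type"]
        # bool is a subclass of int in Python, so refuse it explicitly for int fields
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            errors[name] = f"expected {expected.__name__}"
            continue
        if isinstance(value, str):
            value = value.strip()
            if TAG_RE.search(value):
                errors[name] = "HTML tags are not allowed"
                continue
        check = rule.get("check")
        if check is not None and not check(value):
            errors[name] = "value is not meaningful for this field"
            continue
        cleaned[name] = value
    for name in payload:
        if name not in schema:
            errors[name] = "unexpected field"   # mass-assignment guard: unknown keys are rejected
    return cleaned, errors


def escape_for_html(value):
    """Escape text at output time so a browser rendering it treats it as data, not markup."""
    return html.escape(value, quote=True)


# Constructed schema for a hypothetical POST /orders endpoint
ORDER_SCHEMA = {
    "product_id": {"type": int, "required": True, "check": lambda v: v > 0},
    "quantity":   {"type": int, "required": True, "check": lambda v: 1 <= v <= 100},
    "note":       {"type": str, "required": False, "check": lambda v: len(v) <= 200},
    "email":      {"type": str, "required": True,
                   "check": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v) is not None},
}
```

Rejecting unknown keys is as important as checking the declared ones: it stops a client from smuggling fields such as a role flag into an object that is later saved wholesale. Escaping belongs at output time; validation at input time decides whether the value is accepted at all.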

6. Request & response content type

  • if you don't use a REST framework that handles request and response content types, make sure you accept the JSON/XML content types and also respond with JSON/XML

7. Database accessibility

  • limit what your REST API's database user can do; for example, it shouldn't be able to drop or dump the database

8. Logging

  • log the details of all client requests

  • track and log all weird client behaviours (for example, many invalid authentication tries, or many invalid forgot-password requests)

  • notify yourself of all those weird behaviours, and also notify users who have many invalid authentication tries, for example

9. Tokens

  • use a long hash length

  • access tokens should have a limited expiration time and should only have whitelist permissions on certain endpoints

  • it's better to bind access tokens to a specific device name or user agent

  • API tokens should have clearly defined access types
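Point 9 as an added example that is not from the original post: a token store that issues long random tokens, keeps only a SHA-256 digest of them server-side, and on each request checks expiry, the endpoint whitelist and the user-agent binding, in that order. The class and method names and the endpoint strings are assumptions for illustration.

```python
"""Added example (not from the original post): an access-token store with
expiry, per-token endpoint whitelist and user-agent binding. TokenStore and
its methods are assumptions for illustration."""
import hashlib
import hmac
import secrets
import time


class TokenStore:
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._records = {}   # sha256(token) -> record; raw tokens are never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, allowed_endpoints, user_agent, now=None):
        """Returns the raw token once; only its hash is kept, so a leaked table is not a leaked session."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(48)             # 384 bits of randomness
        self._records[self._digest(token)] = {
            "user_id": user_id,
            "endpoints": frozenset(allowed_endpoints),  # whitelist: anything else is denied
            "user_agent": user_agent,
            "expires_at": now + self.ttl,
        }
        return token

    def authorize(self, token, endpoint, user_agent, now=None):
        """Returns (user_id, None) on success or (None, reason) on failure."""
        now = time.time() if now is None else now
        key = self._digest(token)
        record = self._records.get(key)
        if record is None:
            return None, "unknown token"
        if now >= record["expires_at"]:
            self._records.pop(key, None)               # expired tokens are dropped on first use
            return None, "token expired"
        if not hmac.compare_digest(record["user_agent"].encode(), user_agent.encode()):
            return None, "token bound to a different client"
        if endpoint not in record["endpoints"]:
            return None, "endpoint not permitted for this token"
        return record["user_id"], None

    def revoke(self, token):
        """Returns True if the token existed and is now invalid."""
        return self._records.pop(self._digest(token), None) is not None
```

Hashing the stored token is what makes "long hash length" worth anything: the client holds the secret, the server holds only a digest, and a read of the token table gives an attacker nothing they can replay. The endpoint whitelist is the "access type" the post asks for, expressed per token rather than per user.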

10. Add a security tool to your continuous integration environment

  • choose a security tool compatible with your programming language for your continuous integration environment, to make sure you merge and deploy safe code

11. Error handling

  • avoid showing detailed exceptions/errors; show a proper error-handling response instead
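Points 8 and 11 together, as an added example that is not from the original post: a handler wrapper that logs every request, counts weird behaviours such as repeated invalid logins and raises an alert line once a threshold is crossed, and turns any unhandled exception into a generic response that carries only a correlation id while the full detail goes to the server log. The request dictionary shape, the log format and the threshold are assumptions for illustration.

```python
"""Added example (not from the original post): request logging, suspicious-event
tracking and safe error responses for a REST API handler. The handler
signature, log format and SUSPICIOUS_THRESHOLD are assumptions for illustration."""
import logging
import traceback
import uuid
from collections import Counter

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("api")

SUSPICIOUS_THRESHOLD = 5          # alert once a (event, key) pair reaches this count
_suspicious = Counter()           # (event, key) -> count


def reset_suspicious():
    _suspicious.clear()


def record_suspicious(event, key):
    """Logs a weird behaviour; returns True when the count reaches the alert threshold."""
    _suspicious[(event, key)] += 1
    count = _suspicious[(event, key)]
    log.warning("suspicious event=%s key=%s count=%d", event, key, count)
    if count == SUSPICIOUS_THRESHOLD:
        # hook point for notifying the operator and, where it makes sense, the affected user
        log.error("ALERT event=%s key=%s reached %d occurrences", event, key, count)
        return True
    return False


def handle(request, handler):
    """request: dict with method, path, client_ip, user_agent.
    handler(request) -> (status, body_dict). Returns (status, body_dict)."""
    request_id = str(uuid.uuid4())
    log.info("request id=%s method=%s path=%s ip=%s ua=%s",
             request_id, request["method"], request["path"],
             request["client_ip"], request["user_agent"])
    try:
        status, body = handler(request)
    except Exception as exc:
        # Full detail stays in the server log, findable by the id the client receives
        log.error("unhandled exception id=%s type=%s detail=%s\n%s",
                  request_id, type(exc).__name__, exc, traceback.format_exc())
        status, body = 500, {"error": "internal server error", "request_id": request_id}
    log.info("response id=%s status=%d", request_id, status)
    return status, body
```

The client sees nothing about stack traces, driver messages or file paths, but a support engineer can search the log for the `request_id` the client quotes. The login code would call `record_suspicious("invalid_login", username)` on each failed attempt, which is how the "many invalid authentication tries" signal from point 8 is produced.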
