REST API Security - Fundamentals to Details

REST API security is important and is therefore part of API design considerations. Akamai research on API traffic shows that 83% of web traffic is API traffic, so it is no wonder that web APIs are a prime target for cyber attacks. REST accounts for 93.4% of API implementations, and REST APIs are intentionally meant to interact with outside components, ranging from internal IT services to the open public. RESTful security is therefore very important for any organization that maintains an API platform. Because RESTful APIs are built on HTTP and on established frameworks and standards, industry-established security methods, from Basic Auth to API keys and OAuth 2.0, can be used to secure them.

REST API security should respect the security principles of information systems in general. For RESTful APIs, security must cover both authentication and authorization. Authentication verifies that an API call comes from a genuine source (who is calling); authorization checks whether that source may use a particular function within the API (what the caller may do). For example, a client application for a banking API could log in successfully yet not be allowed to delete an account. In this scenario the client is authenticated as genuine but not authorized to delete an account.

REST API Security Principles

The basic principles of information security have to be kept in mind while designing REST API security. The eight principles below are the classic Saltzer and Schroeder design principles, read through a REST API lens.

1. Economy of Mechanism

KISS (Keep It Simple, Stupid) applies equally to security. Simplicity should be a design goal: the less complexity there is, the easier the system is to understand, review, manage and keep secure.

2. Fail Safe Default

Do not grant access by exclusion, i.e. do not tell the system that a client has all access except DELETE. There could be other operations that are implemented later, or that simply carry more power than the grantor assumed. If you want to grant access, grant it explicitly, and treat everything that is not explicitly granted as denied.

3. Complete Mediation

In web applications, a common (but amateur) security oversight occurs when implementing Role-Based Access Control (RBAC). Once a user logs in, the role and access levels are checked for that user and the menus are rendered in the UI accordingly. The user can then perform any action reachable from those menus. This principle states that each operation behind a menu must also be checked for permission on the server, on every request. Otherwise the user could share a menu link with someone, and that person could perform actions that were never intended for them.

This principle thus requires proof of identity and an authorization check on each request. Since a REST API is stateless, this makes even more sense: there is no server-side session to carry a previous decision forward, so every request must be authenticated and authorized on its own.

4. Open Design

Your security methods should be open and use industry-tested, proven mechanisms. Following this principle, a REST API should use TLS for secure data transfer instead of a home-grown, obscure encryption scheme. For authentication, use standard mechanisms such as OAuth 2.0. The same applies to every other layer of security: the protection should rest on the secrecy of keys, never on the secrecy of the mechanism.

5. Separation of Privilege

Think of a bank safe-deposit box: you hold your key, but you cannot open the box with that key alone; the banker also has to use theirs. Even if you lose your key and someone else finds it, they still cannot open the box without the banker's key. In information technology it is the same concept: do not entrust a privilege to only one mechanism or one party.

In a computer system, the separated-keys idea applies to any situation in which two or more conditions must be met before access is permitted.

Multi-factor authentication is the common form of this and clearly improves security. In REST API security it could mean applying more than one independent condition before granting access to the API: is the request coming from an approved set of IP addresses AND does it carry a valid key?

6. Least Privilege

Do not give a role more access than it requires. Define RBAC appropriately and give each role the least privilege that is just enough to perform and maintain its operations.

7. Least common mechanism

Minimize the mechanisms shared between clients, and involve as few components and systems as possible in an operation. A shared component is a channel through which one client's problem or compromise can reach another, so fewer shared parts mean less damage to other systems if there is a breach.

8. Psychological Acceptance

Do not make use cases complex or unfriendly because of security. Once the security check is done, the system should work as smoothly as it did before the security was added; if a control is too cumbersome, users and developers will find ways around it.

REST Security Best Practices

In a REST API, the security principles have to be applied at multiple levels.

Align with Industry Standards

Design your API in alignment with industry standards and use proven tools. This gives you the support of a community of developers and security experts. Following this point, you would write your specification in OpenAPI (OAS 3.0) instead of coming up with your own definition format.

Using an API gateway from a trusted vendor will generally give you better security than hosting everything yourself: TLS termination, authentication, rate limiting and logging are maintained by specialists. You remain responsible for configuring it correctly.

Keep it Simple

This is again a basic security principle. Your API layers should be clearly defined and the communication between them simple and manageable.

Use TLS for Connection Security

Connections must be secured with TLS (SSL is its obsolete predecessor and should no longer be enabled), which is what an https URL denotes. Data passing between server and client is then encrypted and integrity-protected, so someone sniffing packets on the network cannot read or alter it. TLS also authenticates the server, but only if the client verifies the certificate chain and hostname; clients that disable verification to silence certificate errors are open to man-in-the-middle attacks.

Authenticate using Proven Methods

A REST API can be authenticated with the common REST API authentication methods. Do not leave an API open, public and free to access without limit. You may use anything from Basic Auth (only ever over TLS, since it sends the credentials in the clear) to OAuth 2.0 for this purpose.

Enforce RBAC Roles

If a client belongs to a certain role, open only the functionality that role needs. This not only protects against intentional attacks but also against accidental calls to sensitive operations caused by a bug or misconfiguration on the client side. Any request beyond the access level of the client should be answered with 403 Forbidden (401 Unauthorized if the caller is not authenticated at all); 405 Method Not Allowed is reserved for HTTP methods the resource does not support and should not be used to signal an authorization failure.
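The following Python is an added example, not code from the article, tying this section back to principles 2, 3 and 6 above: a deny-by-default permission table (nothing is granted by exclusion), evaluated by the server on every request regardless of what the UI showed, with each role holding only the operations it needs. The roles, routes and the numeric-id convention are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example: deny-by-default RBAC checked on every request.

# Fail-safe default: a role is a set of explicitly granted (method, route) pairs.
# There is no "everything except DELETE"; what is not listed is denied.
ROLE_PERMISSIONS = {
    "viewer":  frozenset({("GET", "/accounts"), ("GET", "/accounts/{id}")}),
    "teller":  frozenset({("GET", "/accounts"), ("GET", "/accounts/{id}"),
                          ("POST", "/accounts/{id}/transfers")}),
    "auditor": frozenset({("GET", "/accounts"), ("GET", "/accounts/{id}"),
                          ("GET", "/accounts/{id}/transactions")}),
}

@dataclass
class Principal:
    subject: str
    roles: frozenset = field(default_factory=frozenset)

def route_pattern(path: str) -> str:
    """Normalise /accounts/42/transfers -> /accounts/{id}/transfers so concrete
    ids map onto the permission table. Assumption: ids are purely numeric."""
    return "/".join("{id}" if part.isdigit() else part for part in path.split("/"))

def authorize(principal: Optional[Principal], method: str, path: str) -> int:
    """Return the HTTP status the API should answer with.

    200: allowed.  401: nobody authenticated (credentials missing or invalid).
    403: authenticated, but no role grants this (method, route).
    Complete mediation: this runs for EVERY request; a menu item hidden in the
    UI is not a security control.
    """
    if principal is None:
        return 401
    needed = (method.upper(), route_pattern(path))
    for role in principal.roles:
        # Unknown roles grant nothing rather than raising (fail safe).
        if needed in ROLE_PERMISSIONS.get(role, frozenset()):
            return 200
    return 403

if __name__ == "__main__":
    teller = Principal("alice", frozenset({"teller"}))
    print(authorize(teller, "POST", "/accounts/42/transfers"))  # 200
    print(authorize(teller, "DELETE", "/accounts/42"))          # 403
    print(authorize(None, "GET", "/accounts"))                  # 401
```

In a real service `authorize` sits in middleware in front of every handler, and the principal comes from the authentication step (a validated token or key), never from a field the client supplies.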

Reduce Network Traffic of Sensitive Data

Make sure you are not transporting more sensitive data than necessary in an API call. Do not send any data that is not needed, and be especially careful when you do send sensitive data such as a social security number.

Use Header instead of URL for sensitive data

If sensitive data must be sent, send it in a header (the Authorization header, for credentials) rather than as a URL query parameter. URLs are logged at various stages of the system, including web server and proxy logs and browser history, and could be exposed in many places.

Use Timestamp for dynamic encryption

If you are sending encrypted data, consider including a timestamp in it. Be clear about what the timestamp does and does not do: what makes the ciphertext different on every call under the same key is a fresh random nonce or IV supplied by a proper authenticated encryption mode (such as AES-GCM); a changing timestamp alone does not provide that and should not be relied on for it. The timestamp's real value is freshness. The receiving end strips it out, uses the information, and can reject requests whose timestamp falls outside an acceptable window; combined with a record of recently seen nonces, this defeats replay of a captured request.
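As an added example (not from the article), the freshness and replay checks described above, implemented in Python with the standard library. The article discusses encrypted payloads; this version signs the request with HMAC-SHA256 instead, so it runs without an encryption library, but the timestamp window and single-use nonce work the same way when they are carried inside an authenticated ciphertext. The shared key, window and nonce store are constructed for illustration; across several server instances the nonce store would have to be shared.

```python
import hashlib
import hmac
import secrets

# Added example: timestamp window + single-use nonce over an HMAC-signed request.

SHARED_KEY = b"constructed-demo-key-do-not-use-in-production"
MAX_SKEW_SECONDS = 300  # accept requests at most 5 minutes old (or early)

def _canonical(ts: int, nonce: str, method: str, path: str, body: bytes) -> bytes:
    fields = [str(ts).encode(), nonce.encode(), method.upper().encode(), path.encode(), body]
    # Length-prefix every field so no two (path, body) combinations collide.
    return b"".join(b"%d:%s" % (len(f), f) for f in fields)

def sign_request(key: bytes, method: str, path: str, body: bytes, now: int) -> dict:
    """Client side: produce the headers that accompany the request."""
    nonce = secrets.token_hex(16)
    sig = hmac.new(key, _canonical(now, nonce, method, path, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(now), "X-Nonce": nonce, "X-Signature": sig}

class Verifier:
    """Server side: check freshness, then signature, then nonce uniqueness."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self._seen = {}  # nonce -> time after which it can never be fresh again

    def verify(self, headers: dict, method: str, path: str, body: bytes, now: int) -> str:
        """Return 'ok' or a reason; callers answer anything but 'ok' with 401."""
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return "missing or malformed auth headers"
        # 1. Freshness: outside the window is rejected before any state is touched.
        if abs(now - ts) > self.max_skew:
            return "stale timestamp"
        # 2. Authenticity: constant-time compare against the recomputed MAC.
        expected = hmac.new(self.key, _canonical(ts, nonce, method, path, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        # 3. Replay: a valid nonce may be used once within the window.
        self._evict(now)
        if nonce in self._seen:
            return "replayed nonce"
        self._seen[nonce] = ts + self.max_skew
        return "ok"

    def _evict(self, now: int) -> None:
        # A nonce whose timestamp has aged out fails step 1 anyway; drop it.
        for n in [n for n, expiry in self._seen.items() if expiry < now]:
            del self._seen[n]
```

Checking the window before the MAC keeps the expensive work and the nonce store out of reach of junk traffic; checking the MAC before consulting the nonce store means an attacker cannot pollute the store with guessed nonces.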

Store Data Encrypted

If you are storing sensitive information, encrypt it so that even if the data is exposed it is not readable in its stored form. Use a proven mechanism from a vetted library, never a home-grown cipher. Distinguish two cases: data you must read back, such as an account number, is encrypted (authenticated encryption such as AES-GCM, with keys kept in a key management service rather than next to the data); data you only ever need to verify, such as passwords and client secrets, is stored as a salted hash from a purpose-built slow function (bcrypt, scrypt or Argon2), because hashing is one-way and cannot be reversed even by you.
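The verify-only case, as an added Python example that is not from the article: a password or client secret stored as a salted scrypt hash, with the parameters recorded alongside the hash so they can be raised later. The record format and cost parameters are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Added example: salted, self-describing scrypt records for verify-only secrets.

# N is the CPU/memory cost (power of two), r the block size, p parallelism.
# 2**14 with r=8 needs about 16 MiB and tens of milliseconds per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hash_secret(secret: str) -> str:
    """Return a record like scrypt$N$r$p$<salt>$<digest>; never store the secret."""
    salt = secrets.token_bytes(16)  # fresh per record, so equal secrets differ
    digest = hashlib.scrypt(secret.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_secret(secret: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        digest = base64.b64decode(digest_b64)
        n, r, p = int(n), int(r), int(p)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    candidate = hashlib.scrypt(secret.encode(), salt=salt, n=n, r=r, p=p, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    rec = hash_secret("correct horse battery staple")
    print(rec)
    print(verify_secret("correct horse battery staple", rec))  # True
    print(verify_secret("wrong", rec))                         # False
```

Because the parameters travel with each record, a future deployment can raise N for new records while still verifying old ones, and re-hash on the next successful login.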

Use Security Headers in Response

Just like web applications, REST APIs are exposed to cross-site attacks, content-type sniffing, clickjacking and protocol-downgrade attacks. HTTP security headers in the response are a cheap protection: Strict-Transport-Security pins clients to HTTPS, X-Content-Type-Options: nosniff stops a browser from interpreting a JSON response as HTML or script, Content-Security-Policy and X-Frame-Options keep API responses from being framed or executed, and Cache-Control: no-store keeps per-user responses out of shared caches.

Validate Input

Input can contain malicious data, or simply data so large that it breaks the system. Have checks in place for it: enforce size limits, accept only data that conforms to the expected schema and types (an allowlist of fields and formats, not a blocklist of bad patterns), and protect your application and database from malicious input such as executable file uploads and SQL injection by validating input and using parameterized queries.
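An added Python example, not from the article, of both halves of that advice: a request body validated against an explicit field allowlist, types and size limit, and then a database lookup written the vulnerable way (value pasted into SQL) next to the parameterized query that replaces it. The table, rows, schema and requests are constructed; the database is an in-memory SQLite so the block runs offline.

```python
import json
import sqlite3

# Added example: allowlist validation of a JSON body, and SQL injection
# before/after parameterisation.

MAX_BODY_BYTES = 4096
# Allowlist schema: field -> (required type, value check). Unknown fields are rejected.
SCHEMA = {
    "account_id": (int, lambda v: 0 < v < 10 ** 9),
    "memo":       (str, lambda v: len(v) <= 140 and v.isprintable()),
}

def validate_body(raw: bytes) -> dict:
    """Parse and validate; raise ValueError with a client-safe reason."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        raise ValueError("body is not valid JSON")
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    unknown = set(data) - set(SCHEMA)
    if unknown:
        raise ValueError("unknown fields: %s" % sorted(unknown))
    for name, (typ, check) in SCHEMA.items():
        if name not in data:
            raise ValueError("missing field: %s" % name)
        value = data[name]
        # bool is a subclass of int in Python; reject it explicitly for int fields.
        if isinstance(value, bool) and typ is int:
            raise ValueError("invalid value for %s" % name)
        if not isinstance(value, typ) or not check(value):
            raise ValueError("invalid value for %s" % name)
    return data

def demo_db() -> sqlite3.Connection:
    """Constructed sample table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
        INSERT INTO accounts VALUES (42, 'alice', 100), (43, 'bob', 5000);
    """)
    return db

def lookup_vulnerable(db: sqlite3.Connection, account_id_param: str) -> list:
    """The 'before': the parameter is pasted into SQL, so '42 OR 1=1' returns every row."""
    return db.execute(
        "SELECT id, owner FROM accounts WHERE id = %s" % account_id_param).fetchall()

def lookup_safe(db: sqlite3.Connection, account_id: int) -> list:
    """The 'after': the value is bound as a parameter and never parsed as SQL.
    Combined with validate_body, only an int can reach this point at all."""
    return db.execute(
        "SELECT id, owner FROM accounts WHERE id = ?", (account_id,)).fetchall()

if __name__ == "__main__":
    db = demo_db()
    print(lookup_vulnerable(db, "42 OR 1=1"))   # both rows leak
    print(lookup_safe(db, 42))                  # only alice
    print(validate_body(b'{"account_id": 42, "memo": "rent"}'))
```

The two layers are independent on purpose: parameterization protects the database even if a validation rule is later loosened, and validation keeps oversized or malformed input from reaching any handler in the first place.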

Protect Public API using Keys

Just because you are exposing a public API does not mean access should be unlimited. Mitigate API abuse and application-level denial of service with API keys: the client obtains a key with which it identifies itself, and the server uses that key to track and throttle clients as needed. A key identifies a caller; it does not replace authentication of end users, and a key check alone cannot absorb a volumetric DDoS, which needs network-level protection in front of the API.
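An added Python example (not from the article) that serves this section and the separation-of-privilege principle above: a key is issued once and stored only as a SHA-256 fingerprint, a request must carry a known key AND arrive from that key's registered network, and each key has its own token-bucket quota so one abusive client cannot starve the others. Keys, networks and limits are constructed; the bucket state is kept in-process here and would live in a shared store behind a load balancer.

```python
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass, field

# Added example: API key lookup by fingerprint + per-key IP allowlist + token bucket.

@dataclass
class KeyRecord:
    client: str
    allowed_nets: list           # ipaddress networks this key may call from
    rate_per_sec: float          # sustained requests per second
    burst: int                   # bucket capacity
    tokens: float = field(init=False)
    last_refill: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

def fingerprint(api_key: str) -> str:
    # Keys are long random strings, so a plain digest suffices to hide the plaintext
    # (unlike passwords, which need a slow salted hash).
    return hashlib.sha256(api_key.encode()).hexdigest()

def issue_key(registry: dict, client: str, nets: list, rate_per_sec: float, burst: int) -> str:
    """Create a key, store only its fingerprint, return the plaintext once to the client."""
    key = secrets.token_urlsafe(32)
    registry[fingerprint(key)] = KeyRecord(
        client, [ipaddress.ip_network(n) for n in nets], rate_per_sec, burst)
    return key

def check_request(registry: dict, api_key: str, source_ip: str, now: float) -> int:
    """HTTP status: 200 allowed, 401 unknown key, 403 wrong network, 429 throttled.

    source_ip must be the actual peer address (or the one set by YOUR trusted
    proxy), never a client-supplied X-Forwarded-For taken at face value.
    """
    rec = registry.get(fingerprint(api_key))
    if rec is None:
        return 401
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in rec.allowed_nets):
        return 403  # separation of privilege: a valid key alone is not enough
    # Token bucket: refill for the time elapsed, cap at burst, then spend one.
    elapsed = max(0.0, now - rec.last_refill)
    rec.tokens = min(float(rec.burst), rec.tokens + elapsed * rec.rate_per_sec)
    rec.last_refill = now
    if rec.tokens < 1.0:
        return 429
    rec.tokens -= 1.0
    return 200

if __name__ == "__main__":
    registry = {}
    key = issue_key(registry, "mobile-app", ["10.0.0.0/8"], rate_per_sec=1.0, burst=3)
    t = 1_700_000_000.0
    print([check_request(registry, key, "10.1.2.3", t) for _ in range(4)])  # 200,200,200,429
    print(check_request(registry, key, "192.168.1.1", t))                  # 403
```

Answering 429 with a Retry-After header tells well-behaved clients when to come back; the 401/403 split is the same as for user authorization, so gateway dashboards can separate "unknown caller" from "known caller, wrong place".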

Conclusion

REST API security is important because many organizations are building platforms on the REST model, and API usage and network traffic keep increasing. The basic principles of information security are still valid for REST API security. Standard security mechanisms are available in the industry to protect REST APIs; security should be built with these proven tools and frameworks, in alignment with industry standards.

