REST (Representational State Transfer) is an architectural style for web services defined by Roy Fielding in his 2000 doctoral dissertation; an API built on that style is called a REST API or RESTful API. The CCNP ENCOR exam covers both REST APIs and REST API security. In this lesson our focus is REST API security, and we describe the practices that make a REST API safe to expose.
With REST APIs, clients perform CRUD operations (Create, Read, Update and Delete) on server-side resources, typically mapped to the HTTP methods POST, GET, PUT/PATCH and DELETE. REST APIs are by far the most common kind of API; common estimates put them at around 80% of the APIs in use today. Because they are so widespread and are usually reachable directly from the Internet, securing them against the known classes of vulnerability is essential.
REST APIs use HTTP (Hypertext Transfer Protocol) for the communication between clients and servers. Plain HTTP is not a secure protocol: every request and response, including credentials and tokens, travels in cleartext, so anyone on the network path can read or modify it. Transport security is only part of the picture, though. An API accepts untrusted input from every client, so it is also exposed to application-layer attacks such as SQL injection and cross-site scripting (XSS); encrypting the transport does nothing to stop those, and they must be handled in the application itself.
To address these weaknesses, a set of REST API security practices is widely recommended. The main ones are given below:
Authentication and authorization are the first and most important practices in REST API security. Authentication verifies who the caller is before any request is served; the mechanism can be HTTP Basic authentication (acceptable only over HTTPS), OAuth 2.0 access tokens, JSON Web Tokens (JWT), API keys and so on. Authentication alone is not enough: the API must also decide what an authenticated caller is allowed to do, which is authorization. This is commonly implemented with role-based access control (RBAC), where permissions are attached to roles such as admin or viewer, or attribute-based access control (ABAC), where the decision also considers attributes of the user, the resource and the request. A frequent API mistake is to check authentication but skip the authorization check on the individual object, which lets any logged-in user read or modify other users' records.
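The following is an added example, not code from the original lesson: a server-side authentication and authorization check for a bearer token. It mints and verifies an HS256-signed JWT with only the Python standard library, pins the algorithm so the token cannot choose it, compares the signature in constant time, enforces the expiry claim, and then applies a hypothetical RBAC table to the requested CRUD operation. The signing key, the roles and the handle_request helper are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo signing key. A real deployment loads this from a secrets
# store; it must never live in source code.
SECRET_KEY = b"demo-signing-key-for-illustration-only"

# Hypothetical RBAC policy: which roles may perform which CRUD operation.
PERMISSIONS = {
    "admin": {"create", "read", "update", "delete"},
    "editor": {"read", "update"},
    "viewer": {"read"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, role: str, lifetime: int = 300,
                now: Optional[float] = None) -> str:
    """Mint an HS256 JWT after the user has already proven who they are."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "role": role, "iat": int(now), "exp": int(now) + lifetime}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def authenticate(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Verify a bearer token. Returns its claims, or None if it must be rejected."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token choose it
        # (blocks "alg": "none" and HMAC/RSA key-confusion attacks).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET_KEY, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison so response timing does not leak the signature.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(claims_b64))
        if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
            return None
        if claims["exp"] <= now:
            return None  # expired
        return claims
    except (ValueError, TypeError):
        return None


def authorize(claims: dict, operation: str) -> bool:
    """RBAC decision: may this role perform the requested CRUD operation?"""
    return operation in PERMISSIONS.get(claims.get("role"), set())


def handle_request(token: str, operation: str, now: Optional[float] = None) -> int:
    """Status an endpoint would return: 401 not authenticated, 403 not authorized, 200 ok."""
    claims = authenticate(token, now)
    if claims is None:
        return 401
    if not authorize(claims, operation):
        return 403
    return 200
```

The two failure codes are deliberately distinct: 401 means the caller has not proven an identity the server accepts (bad signature, expired, malformed), 403 means the identity is fine but the role does not permit the operation. A forged token that swaps the role to admin fails the signature check and never reaches the RBAC table.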
As mentioned above, REST APIs run over HTTP, and plain HTTP provides neither confidentiality nor integrity. The fix is HTTPS, which is HTTP carried inside a TLS (Transport Layer Security) session. TLS encrypts the traffic, so an attacker on the path cannot eavesdrop on or tamper with requests and responses, and it authenticates the server to the client through the server certificate. TLS is the successor to SSL; every SSL version and TLS 1.0/1.1 are deprecated, so servers should accept only TLS 1.2 and 1.3, and API clients must actually verify the server certificate rather than switching verification off. Seeing https:// in a URL means TLS protects the transport; it says nothing about whether the application behind it validates input or authorizes requests correctly.
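As an added example that is not part of the original lesson, here is both sides of the HTTPS requirement in Python. On the server side a small WSGI middleware refuses any request that did not arrive over TLS and adds a Strict-Transport-Security header to every HTTPS response; on the client side a function builds an ssl context that verifies the certificate and hostname and refuses anything older than TLS 1.2. The api_app stand-in, the host name api.example.test and the trust_forwarded_proto switch are assumptions made for the example.

```python
import ssl
from typing import Dict, Iterable, List, Optional, Tuple

HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def require_https(app, trust_forwarded_proto: bool = False):
    """WSGI middleware: refuse cleartext HTTP requests and add HSTS to HTTPS responses.

    An API rejects plain HTTP with 403 rather than redirecting: by the time a
    redirect is sent, any credential in the request has already crossed the
    network in cleartext, so the client must be fixed, not silently upgraded.
    """
    def middleware(environ: Dict, start_response) -> Iterable[bytes]:
        scheme = environ.get("wsgi.url_scheme", "http")
        # Behind a TLS-terminating proxy the original scheme arrives in
        # X-Forwarded-Proto. Trust it only when a trusted proxy is known to
        # overwrite any client-supplied copy of that header.
        if trust_forwarded_proto and "HTTP_X_FORWARDED_PROTO" in environ:
            scheme = environ["HTTP_X_FORWARDED_PROTO"]
        if scheme.lower() != "https":
            body = b'{"error":"HTTPS required"}'
            start_response("403 Forbidden", [("Content-Type", "application/json"),
                                             ("Content-Length", str(len(body)))])
            return [body]

        def start_with_hsts(status, headers, exc_info=None):
            return start_response(status, list(headers) + [HSTS], exc_info)

        return app(environ, start_with_hsts)

    return middleware


def api_app(environ, start_response):
    """Constructed stand-in for the real API."""
    body = b'{"users":[]}'
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def invoke(app, scheme: str, path: str = "/users",
           extra_environ: Optional[Dict[str, str]] = None
           ) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Call a WSGI app in-process (no server needed) and capture status, headers, body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": scheme,
               "HTTP_HOST": "api.example.test", "SERVER_NAME": "api.example.test"}
    environ.update(extra_environ or {})
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def client_tls_context() -> ssl.SSLContext:
    """Client side: verify the server certificate and hostname, refuse legacy protocols."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 3.0, TLS 1.0 and 1.1 are deprecated
    return ctx
```

Note the X-Forwarded-Proto handling: if the header is trusted unconditionally, any client can send "X-Forwarded-Proto: https" over plain HTTP and bypass the check, so the middleware ignores it unless the deployment explicitly says a proxy in front of it sets that header.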
Rate limiting caps the number of requests a client may make within a given time window. It prevents API abuse and overloading, because an API can receive a very high number of requests, legitimate or not. It also blunts brute-force attacks: an attacker who can try only a handful of passwords or tokens per minute needs far longer to succeed. The limit is usually keyed on the client IP address, the API key or the target account (or a combination of these) so that guessing spread across many source addresses is caught as well. Rejected requests should receive HTTP 429 Too Many Requests with a Retry-After header telling the client when it may try again.
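The following added example (not from the original lesson) shows rate limiting applied to a login endpoint. A sliding-window limiter is keyed twice, once per source address and once per target account, so that both a single attacker hammering one account and many addresses spread across the same account are stopped; a clock is passed in explicitly so the behaviour can be checked without waiting. The limits (5 per minute per address, 10 per ten minutes per account), the user store and the password are constructed for the example.

```python
import hashlib
import hmac
import math
from collections import deque
from typing import Deque, Dict, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events: Dict[str, Deque[float]] = {}

    def check(self, key: str, now: float) -> Tuple[bool, float]:
        """Record an attempt for `key` if allowed. Returns (allowed, retry_after_seconds)."""
        q = self._events.setdefault(key, deque())
        while q and q[0] <= now - self.window:
            q.popleft()                      # drop events that fell out of the window
        if len(q) >= self.limit:
            return False, q[0] + self.window - now
        q.append(now)
        return True, 0.0


# Two limiters keyed differently: per source address (one attacker, many guesses)
# and per target account (many addresses, one victim). The numbers are hypothetical.
PER_IP = SlidingWindowLimiter(limit=5, window=60)
PER_ACCOUNT = SlidingWindowLimiter(limit=10, window=600)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: a salt and a PBKDF2 hash, never the password itself.
_SALT = b"constructed-salt"
USERS = {"alice": _hash_password("correct horse battery staple", _SALT)}
_DUMMY = _hash_password("dummy", _SALT)  # checked for unknown users so timing stays uniform


def login(ip: str, username: str, password: str, now: float) -> Tuple[int, Dict[str, str]]:
    """POST /login: 429 if rate limited, 401 on bad credentials, 200 on success."""
    for limiter, key in ((PER_IP, ip), (PER_ACCOUNT, username)):
        allowed, retry_after = limiter.check(key, now)
        if not allowed:
            return 429, {"Retry-After": str(math.ceil(retry_after))}
    stored = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, _SALT)
    if username in USERS and hmac.compare_digest(stored, candidate):
        return 200, {}
    return 401, {}
```

Once a key is over its limit even the correct password is refused until the window slides past the oldest attempt, which is exactly what stops an online guessing attack; the Retry-After value tells a well-behaved client how long that is.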
Input validation protects a REST API against malicious or malformed data. Every part of a request (path parameters, query string, headers and the JSON body) should be checked against an allow-list of expected fields, types, lengths, ranges and formats before it is used, and anything that fails the check should be rejected rather than cleaned up. Validation is also the first line of defence against injection: untrusted values must never be concatenated into SQL, shell commands or HTML, and database queries should use parameterized statements so that data cannot be interpreted as code.
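As an added example that is not part of the original lesson, the code below validates the body of a hypothetical POST /users request against an allow-list and then shows the injection the lesson warns about: the same user-supplied value run through a query built by string formatting, which leaks the whole table, and through a parameterized query, which treats it as plain data. The field rules, the in-memory SQLite table and the sample rows are constructed for the example.

```python
import json
import re
import sqlite3
from typing import List

# Allow-list rules for the hypothetical POST /users body. Anything that does
# not match is rejected outright; no attempt is made to sanitize bad input.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}")
ALLOWED_FIELDS = {"username", "email", "age"}
MAX_BODY_BYTES = 4096


def validate_user_payload(raw_body: bytes) -> List[str]:
    """Return the list of validation errors; an empty list means the body is acceptable."""
    if len(raw_body) > MAX_BODY_BYTES:
        return ["body too large"]
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    errors = []
    # Unknown fields are rejected, which also blocks mass assignment of
    # attributes the client should not control (for example a "role" field).
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        errors.append("unknown fields: " + ", ".join(sorted(unknown)))
    username = payload.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        errors.append("username must be 3-32 characters: lowercase letters, digits, underscore")
    email = payload.get("email")
    if not isinstance(email, str) or not EMAIL_RE.fullmatch(email):
        errors.append("email is malformed")
    age = payload.get("age")
    if isinstance(age, bool) or not isinstance(age, int) or not 0 <= age <= 150:
        errors.append("age must be an integer between 0 and 150")
    return errors


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the API's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "alice@example.test", 34), ("bob", "bob@example.test", 41)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[tuple]:
    """Anti-pattern: untrusted input is spliced into the SQL text and becomes part of the query."""
    return conn.execute(
        f"SELECT username, email FROM users WHERE username = '{username}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[tuple]:
    """Parameterized query: the value is bound separately and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()
```

The two defences are layered on purpose. The username rule already rejects the quote and spaces in the injected value, but validation rules change over time and not every field can be as strict, so the query itself must be parameterized as well; either control alone is a single point of failure.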
Attacks evolve every day, and the frameworks, libraries and servers that an API is built on receive security patches in response. Keeping the API software, its dependencies and the underlying platform up to date closes known vulnerabilities before attackers can exploit them; an API built on an unpatched library is vulnerable no matter how carefully the application code itself was written.