What is the checklist for developing a secure API?

2025-01-18 update. From: SLTechnology News&Howtos, Servers section.

Shulou (Shulou.com), 05/31 report

This issue presents a checklist for developing secure APIs. It is organised by the phase of the API lifecycle each item belongs to and written from a practitioner's perspective, so that you can take something concrete away from it.

Below are the security measures to check when you design, test and release an API.

Authentication

Do not use Basic Auth. Use a standard authentication mechanism instead (e.g. JWT, OAuth).

Do not reinvent the wheel for authentication, token generation or password storage; use the standards and the vetted libraries that implement them.

Use max-retry and lockout (jail) features on login.

Use encryption on all sensitive data.
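What "use the standard" looks like for password storage, as an added example that is not part of the original checklist: a salted, memory-hard scrypt hash from the Python standard library, stored in a self-describing record so the work factor can be raised later, and verified with a constant-time comparison. The parameters are an assumption chosen for interactive logins.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors: an assumption for this example, tuned for interactive logins.
# 128 * N * r bytes of memory are needed per hash (16 MiB here); raise N as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
HASH_LEN = 32


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record "scrypt$N$r$p$salt$hash".

    Storing the parameters next to the hash lets you raise the work factor later and
    still verify old records. A fresh random salt per password defeats rainbow tables
    and makes identical passwords produce different records.
    """
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        if len(expected) < 16:
            return False
        actual = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except ValueError:  # wrong field count, bad integers, bad base64 or impossible parameters
        return False
    # compare_digest does not short-circuit on the first differing byte, so timing
    # reveals nothing about how much of the hash matched.
    return hmac.compare_digest(actual, expected)
```

A library such as argon2-cffi or bcrypt is equally acceptable; the point is to never write your own hashing construction, to always salt, and to never compare hashes with `==`.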

JWT (JSON Web Token)

Use a random, complex key (the JWT secret) so that brute-forcing the token signature is impractical.

Do not take the algorithm from the token header. Pin the algorithm on the backend (HS256 or RS256) and reject anything else, including "none".

Make token expiration (TTL, RTTL) as short as possible.

Do not store sensitive data in the JWT payload: it is only base64url-encoded, not encrypted, and anyone holding the token can decode it.
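The three JWT rules above (pinned algorithm, short expiry, nothing sensitive in the payload) in one verifier, as an added example that is not from the original checklist and deliberately uses only the standard library so every step is visible. `ALLOWED_ALG`, the 15-minute default TTL and the `now` parameter (for deterministic tests) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALG = "HS256"     # pinned on the server; the token header never decides this
DEFAULT_TTL = 15 * 60     # assumption for this example: 15-minute access tokens


class InvalidToken(ValueError):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, ttl=DEFAULT_TTL, now=None) -> str:
    """Mint an HS256 token carrying only a subject and short-lived timestamps (no secrets in the payload)."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Verify signature and expiry, then return the payload. Raises InvalidToken otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:  # wrong segment count, bad base64 or bad JSON
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise InvalidToken("malformed token")
    # Never let the token choose its own algorithm: "none" skips signing entirely, and an
    # RS256 token verified as HS256 with the public key as the HMAC key is the classic confusion bug.
    if header.get("alg") != ALLOWED_ALG:
        raise InvalidToken(f"algorithm {header.get('alg')!r} not allowed")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise InvalidToken("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise InvalidToken("token expired or has no exp")
    return payload


def token_is_valid(secret: bytes, token: str, now=None) -> bool:
    try:
        verify_token(secret, token, now)
        return True
    except InvalidToken:
        return False
```

In production use a maintained library (PyJWT, jose, etc.) and pass it an explicit `algorithms=[...]` list; the example exists to show what that argument protects you from. The secret should be at least 32 random bytes from `secrets.token_bytes`, never a passphrase.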

OAuth

Always validate redirect_uri server-side, allowing only whitelisted (exactly registered) URLs.

Always exchange an authorization code for tokens rather than issuing tokens directly; do not allow response_type=token (the implicit grant).

Use the state parameter with a random value to prevent CSRF on the OAuth authorization flow.

Define the default scope, and validate the scope parameter against the scopes allowed for each application.
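The four OAuth checks above as one authorization-endpoint validator, plus the client-side half of the state check. This is an added example, not code from the original checklist; the client registry, the client id `shop-web` and the scope names are constructed for the example.

```python
import hmac
import secrets

# Constructed sample client registry: an assumption for this example, normally loaded from
# the authorization server's database. Redirect URIs are stored exactly as registered.
REGISTERED_CLIENTS = {
    "shop-web": {
        "redirect_uris": {"https://shop.example.com/oauth/callback"},
        "default_scope": "profile",
        "allowed_scopes": {"profile", "orders:read"},
    },
}
ALLOWED_RESPONSE_TYPES = {"code"}   # the implicit grant (response_type=token) is refused outright


class AuthorizeError(ValueError):
    pass


def validate_authorize_request(params: dict) -> dict:
    """Server-side checks for GET /authorize. Returns the normalised request or raises AuthorizeError."""
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    if client is None:
        raise AuthorizeError("unknown client_id")
    if params.get("response_type") not in ALLOWED_RESPONSE_TYPES:
        raise AuthorizeError("only the authorization code flow is supported")
    redirect_uri = params.get("redirect_uri")
    # Exact string comparison with the registered value. Prefix or substring matching is
    # what turns redirect_uri into an open redirect that hands the code to an attacker.
    if redirect_uri not in client["redirect_uris"]:
        raise AuthorizeError("redirect_uri is not registered for this client")
    if not params.get("state"):
        raise AuthorizeError("state is required")
    requested = set(params.get("scope", client["default_scope"]).split())
    unknown = requested - client["allowed_scopes"]
    if unknown or not requested:
        raise AuthorizeError(f"scope not allowed: {sorted(unknown)}")
    return {
        "client_id": params["client_id"],
        "redirect_uri": redirect_uri,
        "scope": sorted(requested),
        "state": params["state"],
    }


# Client side of the same flow: mint an unguessable state, keep it in the user's session,
# and compare in constant time when the callback arrives.
def new_state() -> str:
    return secrets.token_urlsafe(32)


def callback_state_matches(session_state, returned_state) -> bool:
    if not session_state or not returned_state:
        return False
    return hmac.compare_digest(session_state.encode("utf-8"), returned_state.encode("utf-8"))


def is_rejected(params: dict) -> bool:
    try:
        validate_authorize_request(params)
        return False
    except AuthorizeError:
        return True
```

Note that `https://shop.example.com/oauth/callback.attacker.net` and `.../callback/../open` are both rejected even though they start with the registered string; that is the whole point of exact matching.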

Access

Limit requests (throttling) to mitigate DDoS and brute-force attacks.

Use HTTPS on the server side to avoid MITM attacks.

Send the HSTS header with TLS to avoid SSL-strip attacks.
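Request throttling (this section) and the login max-retry with lockout from the Authentication section are the same mechanism applied to different keys and events, so one added example serves both; it is not from the original checklist. The limiter is in-memory and per-process (an assumption; a real deployment keeps the counters in something shared such as Redis, or in the API gateway), and `FakeClock` exists only so the example runs deterministically.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    Used two ways below: counting every request from a client address (throttling),
    and counting only failed logins for an account (max retry with lockout). Once a
    key is at its limit it stays blocked until the oldest event leaves the window.
    """

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock            # injectable so tests can step time deterministically
        self._events = defaultdict(deque)

    def _recent(self, key):
        now = self.clock()
        events = self._events[key]
        while events and now - events[0] >= self.window:
            events.popleft()
        return events, now

    def is_blocked(self, key) -> bool:
        events, _ = self._recent(key)
        return len(events) >= self.limit

    def hit(self, key) -> bool:
        """Record one event for key; return False (and record nothing) if the key is over its limit."""
        events, now = self._recent(key)
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class FakeClock:
    """Deterministic stand-in for time.monotonic (example scaffolding only)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def attempt_login(jail: SlidingWindowLimiter, username: str, password_ok: bool) -> str:
    """Login gate: 'locked' while the account is in jail, 'ok' on success, 'denied' on a bad password.

    Only failures count toward the limit, so a legitimate user is never jailed by normal use,
    and a correct password is refused while the account is locked.
    """
    if jail.is_blocked(username):
        return "locked"
    if password_ok:
        return "ok"
    jail.hit(username)
    return "denied"
```

Per-IP throttling is `throttle = SlidingWindowLimiter(100, 60)` with `throttle.hit(client_ip)` checked before every request (respond 429 when it returns False); the login jail is `SlidingWindowLimiter(5, 900)` keyed by account. Key the jail by account, not by IP, or an attacker spraying from many addresses never trips it, and remember that a per-account jail is itself a denial-of-service lever, which is why the window is bounded.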

Input

Use the proper HTTP method for the operation: GET (read), POST (create), PUT/PATCH (replace/update) and DELETE (remove), and respond with 405 Method Not Allowed if the requested method is not appropriate for the requested resource.

Validate the request's Accept header (content negotiation) so that only your supported formats are served (e.g. application/xml, application/json, ...), and respond with 406 Not Acceptable if nothing matches.

Validate the Content-Type of posted data against what you accept (e.g. application/x-www-form-urlencoded, multipart/form-data, application/json, ...), and respond with 415 Unsupported Media Type otherwise.

Validate user input to avoid common vulnerabilities (e.g. XSS, SQL injection, remote code execution, ...).

Do not put sensitive data (credentials, passwords, security tokens or API keys) in the URL; use the standard Authorization header instead. URLs end up in browser history, proxy and server logs and Referer headers.

Use an API gateway service to enable caching, rate-limit policies (e.g. quota, spike arrest, concurrent rate limit) and dynamic deployment of API resources.
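The method, Accept and Content-Type checks from this section as one pre-handler gate, as an added example that is not part of the original checklist. The route table, the JSON-only policy and the ordering of the checks are assumptions of the example; q-values in Accept are ignored for brevity.

```python
# Constructed sample route table: an assumption for this example.
ROUTES = {
    "/orders": {"GET", "POST"},
    "/orders/{id}": {"GET", "PUT", "DELETE"},
}
SUPPORTED_TYPES = {"application/json"}   # the only representation this API produces or consumes
METHODS_WITH_BODY = {"POST", "PUT", "PATCH"}


def media_type(value: str) -> str:
    """'application/json; charset=utf-8' -> 'application/json' (parameters such as q= are dropped)."""
    return value.split(";", 1)[0].strip().lower()


def accept_is_satisfiable(accept: str) -> bool:
    """True if at least one entry in the Accept header can be served with a supported type."""
    for item in accept.split(","):
        mt = media_type(item)
        if mt in SUPPORTED_TYPES or mt in ("*/*", "application/*"):
            return True
    return False


def check_request(method: str, path: str, headers: dict) -> tuple:
    """Return (status, reason); (200, None) means the request may proceed to the handler.

    Order matters: does the route exist, is the method allowed on it, can we produce
    something the client accepts, and only then is what the client sent acceptable.
    """
    headers = {name.lower(): value for name, value in headers.items()}
    allowed = ROUTES.get(path)
    if allowed is None:
        return 404, "Not Found"
    if method.upper() not in allowed:
        return 405, "Method Not Allowed"   # the real response also carries Allow: GET, POST
    if not accept_is_satisfiable(headers.get("accept", "*/*")):
        return 406, "Not Acceptable"
    if method.upper() in METHODS_WITH_BODY:
        if media_type(headers.get("content-type", "")) not in SUPPORTED_TYPES:
            return 415, "Unsupported Media Type"
    return 200, None
```

Rejecting an unexpected Content-Type before parsing the body matters beyond tidiness: a body the framework helpfully parses as form data or XML when you expected JSON is exactly how CSRF against JSON endpoints and XXE reach code that believed it only handled JSON.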

Processing

Check that every endpoint is protected behind authentication, to avoid a broken authentication process.

Do not take the user's own resource ID from the client. Use /me/orders instead of /user/654321/orders, and resolve the user from the authenticated session.

Do not use auto-incrementing IDs; use UUIDs instead.
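The /me/orders rule and the UUID rule side by side, as an added example that is not from the original checklist: a handler that trusts the id in the URL leaks other users' data (an insecure direct object reference), while the /me form binds the lookup to the authenticated principal. The order data is constructed for the example.

```python
import uuid


def new_order_id() -> str:
    """UUIDv4 (122 random bits): unguessable, unlike an auto-increment that lets an attacker walk the ids."""
    return str(uuid.uuid4())


# Constructed sample data: an assumption for this example.
ORDERS = {
    "9b2c1e5a-4d7f-4c3b-8a21-0f6d3e9a7b11": {"owner": "alice", "total": 42},
    "c41f0d8e-2a6b-4e9c-b7d3-5e8a1f2c6d90": {"owner": "bob", "total": 99},
}


def list_orders_unsafe(user_id_from_url: str) -> list:
    """Handler for /user/{id}/orders: the id comes from the URL, so any caller can read anyone's orders."""
    return [order for order in ORDERS.values() if order["owner"] == user_id_from_url]


def list_my_orders(principal: str) -> list:
    """Handler for /me/orders: the owner comes from the authenticated session, never from the request."""
    return [order for order in ORDERS.values() if order["owner"] == principal]


def get_order(principal: str, order_id: str):
    """Handler for /me/orders/{order_id}.

    A foreign order and a missing order both yield None (a 404 to the client), so the
    response does not reveal which ids exist, and the ownership check is the only path
    to the record.
    """
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != principal:
        return None
    return order
```

Even with UUIDs, the ownership check in `get_order` stays: unguessable ids make enumeration hard, they do not make a leaked id safe.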

If you parse XML, make sure external entity resolution is disabled to avoid XXE.

If you parse XML, make sure entity expansion is disabled to avoid Billion Laughs / XML bomb attacks, which work by exponential entity expansion.
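Both XML rules enforced in one parser, as an added example that is not from the original checklist. It drives the standard-library expat parser directly and rejects any entity declaration (and, by default, any DOCTYPE at all), which is the same strategy the defusedxml package uses. The sample documents are constructed; the flat (tag, text) output is an assumption of the example, a real handler would build whatever structure it needs.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document uses features an API has no reason to accept."""


def parse_untrusted_xml(data: bytes, forbid_dtd: bool = True) -> list:
    """Parse client-supplied XML into a flat list of (tag, text) pairs.

    Every entity declaration is rejected, which blocks both XXE (external entities) and
    Billion Laughs (internal entities that expand exponentially). With forbid_dtd=True,
    the default and the right choice for an API, any DOCTYPE at all is rejected, so the
    parse never even reaches the entity stage.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch the external DTD subset or parameter entities from disk or the network.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    elements = []     # [tag, text] in document order
    open_stack = []   # indexes into elements for the currently open tags

    def forbid_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {doctype_name!r} rejected")

    def forbid_entity(entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        kind = "external" if system_id else "internal"
        raise UnsafeXML(f"{kind} entity {entity_name!r} rejected")

    def start_element(tag, attrs):
        elements.append([tag, ""])
        open_stack.append(len(elements) - 1)

    def end_element(tag):
        open_stack.pop()

    def character_data(text):
        if open_stack:
            elements[open_stack[-1]][1] += text

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return [(tag, text.strip()) for tag, text in elements]


def is_unsafe(data: bytes, forbid_dtd: bool = True) -> bool:
    try:
        parse_untrusted_xml(data, forbid_dtd)
        return False
    except UnsafeXML:
        return True
```

Two caveats a practitioner should know: `xml.etree` and `xml.dom.minidom` in the standard library do not fetch external entities on their own, but they do expand internal entities, and whether the bundled expat limits the amplification depends on its version; and libraries in other languages (libxml2 bindings, older Java parsers) frequently resolve external entities by default, so the rejection has to be explicit wherever the XML is actually parsed.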

Use a CDN for file uploads.

If you deal with large amounts of data, use workers and queues to do as much as possible in the background and return a response quickly, to avoid HTTP blocking.

Do not forget to turn DEBUG mode off.

Output

Send the X-Content-Type-Options: nosniff header.

Send the X-Frame-Options: deny header.

Send the Content-Security-Policy: default-src 'none' header.

Remove fingerprinting headers: X-Powered-By, Server, X-AspNet-Version, etc.

Force the content type of your response: if you return application/json, your response Content-Type is application/json.

Do not return sensitive data such as credentials, passwords or security tokens.

Return the proper status code for the operation completed (e.g. 200 OK, 400 Bad Request, 401 Unauthorized, 405 Method Not Allowed, etc.).
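The header rules above (plus HSTS from the Access section) applied uniformly by a WSGI middleware, so no individual handler can forget them. This is an added example, not code from the original checklist; `sample_app` is a constructed application that leaks stack details the way many frameworks do by default, and the JSON-only default content type is an assumption.

```python
# Headers every response from the API should carry (values from the checklist; HSTS is the
# Access-section item). They are added only when the application has not set them itself.
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "Content-Security-Policy": "default-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
# Headers that only help an attacker fingerprint the stack.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
# Assumption for this example: the API speaks JSON only, so that is the forced default.
DEFAULT_CONTENT_TYPE = "application/json; charset=utf-8"


def harden_headers(headers):
    """Return a new WSGI header list: fingerprints removed, security headers present, content type forced."""
    kept = [(name, value) for name, value in headers if name.lower() not in FINGERPRINT_HEADERS]
    present = {name.lower() for name, _ in kept}
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:
            kept.append((name, value))
    if "content-type" not in present:
        kept.append(("Content-Type", DEFAULT_CONTENT_TYPE))
    return kept


class SecurityHeadersMiddleware:
    """Wraps any WSGI application; nothing inside the application needs to change."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def hardened_start_response(status, headers, exc_info=None):
            return start_response(status, harden_headers(headers), exc_info)
        return self.app(environ, hardened_start_response)


def sample_app(environ, start_response):
    """Constructed sample application that leaks stack details, as frameworks often do by default."""
    start_response("200 OK", [("Server", "nginx/1.18.0"), ("X-Powered-By", "PHP/8.1")])
    return [b'{"ok": true}']


def demo_response_headers() -> dict:
    """Run sample_app through the middleware and return the headers a client would see."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen.update(headers)

    b"".join(SecurityHeadersMiddleware(sample_app)({}, start_response))
    return seen
```

The `Server` header is usually re-added by the reverse proxy in front of the application, so check the response as a client sees it, not only what the framework emits; the CSP of `default-src 'none'` is correct for a JSON API precisely because such responses should never be rendered as a page.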

Continuous integration and continuous deployment

Audit your design and implementation with unit and integration test coverage.

Use a code review process and do not allow self-approval.

Make sure all components of your service are statically scanned by antivirus software before being pushed to production, including vendor libraries and other dependencies.

Design a rollback solution for deployments.

That is the checklist for developing secure APIs. If you have a similar question, refer to the analysis above; for more on the topic, follow the industry information channel.
