Web API Security

01. API Keys

• Identify and authenticate Clients

02. Input Validation

• Never rely on Ul for validation, validate each field on the API

03. https over TLS V1.2

• Valid and strong certificates must be used

04. OAuth 2.0

• Secure authentication with authorization flows

• Control delegated access with claim-based Authorization

05. Content Security Policy

• Though mainly used in web apps, you can return API response header with strict CSP policy

06. Web Application Firewall

• Complete suite solution to protect site from XSS, CSRF, DoS, DDoS and other threats

07. Basic Authentication

• base64-encoded basic client authentication (must be over https)

08. SOP and CORS

• Only relax same-origin policies with correct and specific CORS policies

09. IP White-Listing

• Only allow clients with specific IPs to access your API

10. Hash Keys, Secrets

• Store API keys or secrets hashed using strong hashing functions

11. Sanitization

• Avoid cross-site scripting (XSS) by escaping dangerous scripts in the input

12. Rate Limiting

• Based on IP, domain

• Reduces brute force and DoS and DDoS Attacks

---

Api Security Practices

• Authentication

• Authorization

• Rate Limiting

• Input Validation & Data Sanitization

• Encryption

• Error Handling

• Logging and Monitoring

• Security Headers

• Token Expiry

• IP Whitelisting

• Web Application Firewall

• API Versioning

• Secure Dependencies

• Intrution Detection Systems

• Use of Security Standards and Frameworks

• Data Redaction