Proper security measures are one of the most important aspects of building an application programming interface, or API. It’s great for an API to connect systems and give developers access to the data and functions they need to create new apps and digital experiences, but only if those connections and that access are protected.
For the API provider, this requires a balance. One of the main purposes of an API is to help developers get things done—and no one wants to work with a locked-down tool whose security mechanisms get in the way of productivity. An API is worthless if developers aren’t consuming it, so ease-of-use is important.
This means API providers should generally avoid the kind of complex systems dependencies and heavy-handed governance models that typified previous generations of IT strategy—but they also need to understand today’s threats and provide strong protections that don’t get in the user’s way. Here, based on our observations working with Fortune 500 companies, are four security cautions that may help API teams strike this balance.
APIs without authentication
APIs are the keys to an organization’s databases, so it’s essential to control who has access to them. Industry-standard authentication and authorization mechanisms such as OAuth/OpenID Connect, in conjunction with Transport Layer Security (TLS), are crucial.
Injection has emerged as one of bad actors’ favorite attack vectors. The threat comes in many forms, but the most common are SQL, RegEx, and XML injection. APIs should be designed with these threats in mind and built to avoid them—and active monitoring should be employed after APIs are deployed to confirm that no such vulnerabilities have made it into production code.
As concerns around security escalate, encryption of data needs to be a top priority for enterprises. Ideally, sensitive information is encrypted from the point where data is captured through transit, all the way to where data is consumed. As the layer that passes valuable data between backend systems of record and frontend systems of engagement, APIs play an important role in this process. To go beyond the basic encryption and protections provided by TLS and authentication mechanisms, API providers should employ trace tools for debugging issues, implement data masking for trace/logging, and leverage tokenization for PCI & PII data.
When APIs are open to the public, they face the challenge of determining if incoming requests should be trusted. Is the request a customer? Or is it an attacker?
In some cases, even if the API detects and successfully denies an untrusted request, the API may nevertheless allow the potentially malicious user to try again—and again and again and again. This kind of security oversight may allow attackers to replay a captured legitimate request, or to keep guessing, until they succeed. Countermeasures against these brute-force and replay attacks include rate-limiting policies that throttle requests, HMAC authentication, two-factor authentication, and short-lived access tokens issued through OAuth.
Data in URI
Implementing API keys for authentication and authorization is often sufficient. However, keys may be compromised if they are transmitted as part of the Uniform Resource Identifier (URI). Sensitive data, including API keys and passwords, may become accessible to attackers when URI details appear in browser history, proxy logs, or server logs. A best practice is to send API keys in the HTTP Authorization header, since headers are not normally recorded by network elements that log URIs. Use the HTTP POST method, with sensitive information carried in the request body rather than in the URI.
Accelerate business without compromising security
Potential threats can often be avoided by thinking critically about API design and establishing policies that can be applied across the business. Even though an agile, API-first approach often involves decentralizing IT management and giving individual teams greater autonomy to leverage valuable resources, security can never move to the background. Though some of the issues in this article may seem straightforward, we’ve encountered them more often than you might anticipate. Following these best practices can help you avoid breaches and help your business maximize the leverage provided by its APIs.
Contributing author: Vidheer Gadikota, Technical Solutions Consultant at Google.