API Security in Action

API Security in Action

by Neil Madden
Released January 2021
Publisher(s): Manning Publications
ISBN: 9781617296024

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.

About the Technology
APIs control data sharing in every service, server, data store, and web client. Modern data-centric designs—including microservices and cloud-native applications—demand a comprehensive, multi-layered approach to security for both private and public-facing APIs.

About the Book
API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you’re done, you’ll be able to create APIs that stand up to complex threat models and hostile environments.

What's Inside
  • Authentication
  • Authorization
  • Audit logging
  • Rate limiting
  • Encryption


About the Reader
For developers with experience building RESTful APIs. Examples are in Java.

About the Author
Neil Madden has in-depth knowledge of applied cryptography, application security, and current API security technologies. He holds a Ph.D. in Computer Science.

Quotes
A comprehensive guide to designing and implementing secure services. A must-read book for all API practitioners who manage security.
- Gilberto Taccari, Penta

Anyone who wants an in-depth understanding of API security should read this.
- Bobby Lin, DBS Bank

I highly recommend this book to those developing APIs.
- Jorge Bo, Naranja X

The best comprehensive guide about API security I have read.
- Marc Roulleau, GIRO

Table of contents

  1. API Security in Action
  2. Copyright
  3. contents
  4. front matter
    1. preface
    2. acknowledgments
    3. about this book
      1. Who should read this book
      2. How this book is organized: A roadmap
      3. About the code
      4. liveBook discussion forum
      5. Other online resources
    4. about the author
    5. about the cover illustration
  5. Part 1. Foundations
  6. 1 What is API security?
    1. 1.1 An analogy: Taking your driving test
    2. 1.2 What is an API?
      1. 1.2.1 API styles
    3. 1.3 API security in context
      1. 1.3.1 A typical API deployment
    4. 1.4 Elements of API security
      1. 1.4.1 Assets
      2. 1.4.2 Security goals
      3. 1.4.3 Environments and threat models
    5. 1.5 Security mechanisms
      1. 1.5.1 Encryption
      2. 1.5.2 Identification and authentication
      3. 1.5.3 Access control and authorization
      4. 1.5.4 Audit logging
      5. 1.5.5 Rate-limiting
    6. Answers to pop quiz questions
    7. Summary
  7. 2 Secure API development
    1. 2.1 The Natter API
      1. 2.1.1 Overview of the Natter API
      2. 2.1.2 Implementation overview
      3. 2.1.3 Setting up the project
      4. 2.1.4 Initializing the database
    2. 2.2 Developing the REST API
      1. 2.2.1 Creating a new space
    3. 2.3 Wiring up the REST endpoints
      1. 2.3.1 Trying it out
    4. 2.4 Injection attacks
      1. 2.4.1 Preventing injection attacks
      2. 2.4.2 Mitigating SQL injection with permissions
    5. 2.5 Input validation
    6. 2.6 Producing safe output
      1. 2.6.1 Exploiting XSS Attacks
      2. 2.6.2 Preventing XSS
      3. 2.6.3 Implementing the protections
    7. Answers to pop quiz questions
    8. Summary
  8. 3 Securing the Natter API
    1. 3.1 Addressing threats with security controls
    2. 3.2 Rate-limiting for availability
      1. 3.2.1 Rate-limiting with Guava
    3. 3.3 Authentication to prevent spoofing
      1. 3.3.1 HTTP Basic authentication
      2. 3.3.2 Secure password storage with Scrypt
      3. 3.3.3 Creating the password database
      4. 3.3.4 Registering users in the Natter API
      5. 3.3.5 Authenticating users
    4. 3.4 Using encryption to keep data private
      1. 3.4.1 Enabling HTTPS
      2. 3.4.2 Strict transport security
    5. 3.5 Audit logging for accountability
    6. 3.6 Access control
      1. 3.6.1 Enforcing authentication
      2. 3.6.2 Access control lists
      3. 3.6.3 Enforcing access control in Natter
      4. 3.6.4 Adding new members to a Natter space
      5. 3.6.5 Avoiding privilege escalation attacks
    7. Answers to pop quiz questions
    8. Summary
  9. Part 2. Token-based authentication
  10. 4 Session cookie authentication
    1. 4.1 Authentication in web browsers
      1. 4.1.1 Calling the Natter API from JavaScript
      2. 4.1.2 Intercepting form submission
      3. 4.1.3 Serving the HTML from the same origin
      4. 4.1.4 Drawbacks of HTTP authentication
    2. 4.2 Token-based authentication
      1. 4.2.1 A token store abstraction
      2. 4.2.2 Implementing token-based login
    3. 4.3 Session cookies
      1. 4.3.1 Avoiding session fixation attacks
      2. 4.3.2 Cookie security attributes
      3. 4.3.3 Validating session cookies
    4. 4.4 Preventing Cross-Site Request Forgery attacks
      1. 4.4.1 SameSite cookies
      2. 4.4.2 Hash-based double-submit cookies
      3. 4.4.3 Double-submit cookies for the Natter API
    5. 4.5 Building the Natter login UI
      1. 4.5.1 Calling the login API from JavaScript
    6. 4.6 Implementing logout
    7. Answers to pop quiz questions
    8. Summary
  11. 5 Modern token-based authentication
    1. 5.1 Allowing cross-domain requests with CORS
      1. 5.1.1 Preflight requests
      2. 5.1.2 CORS headers
      3. 5.1.3 Adding CORS headers to the Natter API
    2. 5.2 Tokens without cookies
      1. 5.2.1 Storing token state in a database
      2. 5.2.2 The Bearer authentication scheme
      3. 5.2.3 Deleting expired tokens
      4. 5.2.4 Storing tokens in Web Storage
      5. 5.2.5 Updating the CORS filter
      6. 5.2.6 XSS attacks on Web Storage
    3. 5.3 Hardening database token storage
      1. 5.3.1 Hashing database tokens
      2. 5.3.2 Authenticating tokens with HMAC
      3. 5.3.3 Protecting sensitive attributes
    4. Answers to pop quiz questions
    5. Summary
  12. 6 Self-contained tokens and JWTs
    1. 6.1 Storing token state on the client
      1. 6.1.1 Protecting JSON tokens with HMAC
    2. 6.2 JSON Web Tokens
      1. 6.2.1 The standard JWT claims
      2. 6.2.2 The JOSE header
      3. 6.2.3 Generating standard JWTs
      4. 6.2.4 Validating a signed JWT
    3. 6.3 Encrypting sensitive attributes
      1. 6.3.1 Authenticated encryption
      2. 6.3.2 Authenticated encryption with NaCl
      3. 6.3.3 Encrypted JWTs
      4. 6.3.4 Using a JWT library
    4. 6.4 Using types for secure API design
    5. 6.5 Handling token revocation
      1. 6.5.1 Implementing hybrid tokens
    6. Answers to pop quiz questions
    7. Summary
  13. Part 3. Authorization
  14. 7 OAuth2 and OpenID Connect
    1. 7.1 Scoped tokens
      1. 7.1.1 Adding scoped tokens to Natter
      2. 7.1.2 The difference between scopes and permissions
    2. 7.2 Introducing OAuth2
      1. 7.2.1 Types of clients
      2. 7.2.2 Authorization grants
      3. 7.2.3 Discovering OAuth2 endpoints
    3. 7.3 The Authorization Code grant
      1. 7.3.1 Redirect URIs for different types of clients
      2. 7.3.2 Hardening code exchange with PKCE
      3. 7.3.3 Refresh tokens
    4. 7.4 Validating an access token
      1. 7.4.1 Token introspection
      2. 7.4.2 Securing the HTTPS client configuration
      3. 7.4.3 Token revocation
      4. 7.4.4 JWT access tokens
      5. 7.4.5 Encrypted JWT access tokens
      6. 7.4.6 Letting the AS decrypt the tokens
    5. 7.5 Single sign-on
    6. 7.6 OpenID Connect
      1. 7.6.1 ID tokens
      2. 7.6.2 Hardening OIDC
      3. 7.6.3 Passing an ID token to an API
    7. Answers to pop quiz questions
    8. Summary
  15. 8 Identity-based access control
    1. 8.1 Users and groups
      1. 8.1.1 LDAP groups
    2. 8.2 Role-based access control
      1. 8.2.1 Mapping roles to permissions
      2. 8.2.2 Static roles
      3. 8.2.3 Determining user roles
      4. 8.2.4 Dynamic roles
    3. 8.3 Attribute-based access control
      1. 8.3.1 Combining decisions
      2. 8.3.2 Implementing ABAC decisions
      3. 8.3.3 Policy agents and API gateways
      4. 8.3.4 Distributed policy enforcement and XACML
      5. 8.3.5 Best practices for ABAC
    4. Answers to pop quiz questions
    5. Summary
  16. 9 Capability-based security and macaroons
    1. 9.1 Capability-based security
    2. 9.2 Capabilities and REST
      1. 9.2.1 Capabilities as URIs
      2. 9.2.2 Using capability URIs in the Natter API
      3. 9.2.3 HATEOAS
      4. 9.2.4 Capability URIs for browser-based clients
      5. 9.2.5 Combining capabilities with identity
      6. 9.2.6 Hardening capability URIs
    3. 9.3 Macaroons: Tokens with caveats
      1. 9.3.1 Contextual caveats
      2. 9.3.2 A macaroon token store
      3. 9.3.3 First-party caveats
      4. 9.3.4 Third-party caveats
    4. Answers to pop quiz questions
    5. Summary
  17. Part 4. Microservice APIs in Kubernetes
  18. 10 Microservice APIs in Kubernetes
    1. 10.1 Microservice APIs on Kubernetes
    2. 10.2 Deploying Natter on Kubernetes
      1. 10.2.1 Building H2 database as a Docker container
      2. 10.2.2 Deploying the database to Kubernetes
      3. 10.2.3 Building the Natter API as a Docker container
      4. 10.2.4 The link-preview microservice
      5. 10.2.5 Deploying the new microservice
      6. 10.2.6 Calling the link-preview microservice
      7. 10.2.7 Preventing SSRF attacks
      8. 10.2.8 DNS rebinding attacks
    3. 10.3 Securing microservice communications
      1. 10.3.1 Securing communications with TLS
      2. 10.3.2 Using a service mesh for TLS
      3. 10.3.3 Locking down network connections
    4. 10.4 Securing incoming requests
    5. Answers to pop quiz questions
    6. Summary
  19. 11 Securing service-to-service APIs
    1. 11.1 API keys and JWT bearer authentication
    2. 11.2 The OAuth2 client credentials grant
      1. 11.2.1 Service accounts
    3. 11.3 The JWT bearer grant for OAuth2
      1. 11.3.1 Client authentication
      2. 11.3.2 Generating the JWT
      3. 11.3.3 Service account authentication
    4. 11.4 Mutual TLS authentication
      1. 11.4.1 How TLS certificate authentication works
      2. 11.4.2 Client certificate authentication
      3. 11.4.3 Verifying client identity
      4. 11.4.4 Using a service mesh
      5. 11.4.5 Mutual TLS with OAuth2
      6. 11.4.6 Certificate-bound access tokens
    5. 11.5 Managing service credentials
      1. 11.5.1 Kubernetes secrets
      2. 11.5.2 Key and secret management services
      3. 11.5.3 Avoiding long-lived secrets on disk
      4. 11.5.4 Key derivation
    6. 11.6 Service API calls in response to user requests
      1. 11.6.1 The phantom token pattern
      2. 11.6.2 OAuth2 token exchange
    7. Answers to pop quiz questions
    8. Summary
  20. Part 5. APIs for the Internet of Things
  21. 12 Securing IoT communications
    1. 12.1 Transport layer security
      1. 12.1.1 Datagram TLS
      2. 12.1.2 Cipher suites for constrained devices
    2. 12.2 Pre-shared keys
      1. 12.2.1 Implementing a PSK server
      2. 12.2.2 The PSK client
      3. 12.2.3 Supporting raw PSK cipher suites
      4. 12.2.4 PSK with forward secrecy
    3. 12.3 End-to-end security
      1. 12.3.1 COSE
      2. 12.3.2 Alternatives to COSE
      3. 12.3.3 Misuse-resistant authenticated encryption
    4. 12.4 Key distribution and management
      1. 12.4.1 One-off key provisioning
      2. 12.4.2 Key distribution servers
      3. 12.4.3 Ratcheting for forward secrecy
      4. 12.4.4 Post-compromise security
    5. Answers to pop quiz questions
    6. Summary
  22. 13 Securing IoT APIs
    1. 13.1 Authenticating devices
      1. 13.1.1 Identifying devices
      2. 13.1.2 Device certificates
      3. 13.1.3 Authenticating at the transport layer
    2. 13.2 End-to-end authentication
      1. 13.2.1 OSCORE
      2. 13.2.2 Avoiding replay in REST APIs
    3. 13.3 OAuth2 for constrained environments
      1. 13.3.1 The device authorization grant
      2. 13.3.2 ACE-OAuth
    4. 13.4 Offline access control
      1. 13.4.1 Offline user authentication
      2. 13.4.2 Offline authorization
    5. Answers to pop quiz questions
    6. Summary
  23. appendix A. Setting up Java and Maven
    1. A.1 Java and Maven
      1. A.1.1 macOS
      2. A.1.2 Windows
      3. A.1.3 Linux
    2. A.2 Installing Docker
    3. A.3 Installing an Authorization Server
      1. A.3.1 Installing ForgeRock Access Management
    4. A.4 Installing an LDAP directory server
      1. A.4.1 ForgeRock Directory Services
  24. appendix B. Setting up Kubernetes
    1. B.1 MacOS
      1. B.1.1 VirtualBox
      2. B.1.2 Minikube
    2. B.2 Linux
      1. B.2.1 VirtualBox
      2. B.2.2 Minikube
    3. B.3 Windows
      1. B.3.1 VirtualBox
      2. B.3.2 Minikube
  25. index

Product information

  • Title: API Security in Action
  • Author(s): Neil Madden
  • Release date: January 2021
  • Publisher(s): Manning Publications
  • ISBN: 9781617296024