Building a security layer around your RESTful APIs

Description

Modern architectures are distributed and built on a layer of services. They expose data that’s very valuable to its owner and to potential bad actors. The services can expose sensitive transactional data. However, we often “secure” these services using an API key or security through obscurity. Scary as that may sound, there are solutions that can secure these services.

When designing a security solution, you must ask four key questions:

• Are the requests coming from an authorized client?
• Are the requests valid and unmodified?
• Are you protecting against replay attacks?
• Does the solution work for authenticated and nonauthenticated users?

A success solution will answer yes to all four.

Many clients request services through JavaScript code in a browser. JavaScript by definition is exposed to the browser and thus anyone can read, copy, and execute the code. The security discussed here cannot expose its algorithm or secrets in the code. Many organizations use API keys to secure their services. This isn’t security; it’s no more secure than a padlock with a key that can be copied and distributed. There are several other solutions to the problem including time-based one-time passwords (TOTPs) and JSON web tokens (JWTs) with signature service.

James Wallace digs into the what and how of securing RESTful API requests. You’ll learn the four things that must be secure and explore several solutions to this security problem.