API security is a crucial component of the development process, due to the sensitive nature of the information transferred between applications.
Personal information such as contact details, home address, date of birth, passwords, and bank details are all at risk without sufficient API security protocols in place.
In one of our previous articles, we focused on the fundamentals of API security which will provide you with the necessary context for some of the key terms we will discuss throughout this article.
Here we go through some of the essential protocols required for robust API security.
However, all of the protocols we discuss today are completely useless without providing the employees of your organisation with sufficient cyber security training.
We recommend free online courses such as this one to get started, but there are many alternative options out there that may be more suited to your organisation’s needs.
API security protocols are structured frameworks designed to protect the data and communication processes of APIs.
They cover areas such as authentication, authorization, encryption, and integrity of data transferred through APIs.
Before we further discuss API security protocols, we’re happy to announce the launch of our new API integration platform.
At APIDNA we have been working tirelessly to produce a truly industry changing piece of software, utilising autonomous agents to simplify API integrations.
So click here if you’re interested in trying out our platform today!
OAuth 2.0 For API Security
OAuth (which stands for Open Authorization) is the industry standard for online authorization.
It is commonly used as a way to grant websites or applications limited access to user information without exposing passwords.
OAuth 2.0 works by issuing access and refresh tokens to authorise and authenticate API requests:
Access Tokens: These are short-lived tokens that grant access to resources. They are typically valid for a limited time, ensuring security.
Refresh Tokens: These tokens are long-lived and used to obtain new access tokens once the old ones expire, providing continued access without re-authentication.
Authorization grant types and flows are mechanisms defined by OAuth 2.0 to handle the process of obtaining access tokens.
The grant types and flows are designed to cater to different scenarios, providing flexibility and security in various use cases:
Authorization Code Flow: Used for server-side applications. It involves redirecting the user to the authorization server to obtain an authorization code, which is then exchanged for an access token.
Implicit Flow: Simplified for client-side applications where the access token is issued directly.
Resource Owner Password Credentials Flow: Used when the user trusts the client and can share their credentials directly.
Client Credentials Flow: Suitable for machine-to-machine communication where no user is involved.
JSON Web Tokens (JWT)
JSON Web Tokens (JWT) are a compact and self-contained way of transmitting information between parties as a JSON object.
They are commonly used for secure information exchange and authentication mechanisms in web applications.
A JWT consists of three parts:
Header: The header typically consists of two parts: the type of token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.
Payload: The payload contains the claims, which are statements about an entity (typically, the user) and additional metadata. There are three types of claims: registered, public, and private.
Signature: To create the signature part, you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
JWTs are signed to ensure the token hasn’t been altered, maintaining integrity.
If the data changes, the signature will no longer match, and the token will be invalid.
JWTs can be used to authenticate users by verifying their identity.
Once a user is logged in, every subsequent request will include the JWT.
Since JWTs can contain user roles and permissions, they are useful for controlling access to resources based on user privileges.
JWTs are self-contained, meaning all the information required to verify the token is included within it.
This eliminates the need to store session information on the server.
Due to their JSON format, JWTs are compact and can be easily transmitted via URLs, POST parameters, or inside HTTP headers.
JWTs are language-agnostic, making them interoperable and suitable for various programming environments and frameworks.
Transport Layer Security (TLS)
Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication over a computer network.
TLS evolved from Secure Sockets Layer (SSL) and is the more secure and efficient version used today.
It encrypts the data transmitted between clients and servers, ensuring that any intercepted data remains unreadable to unauthorised parties.
TLS also ensures data integrity by making sure that the data sent and received is not tampered with during transmission, protecting against data corruption and man-in-the-middle attacks.
It provides a mechanism to authenticate the server (and optionally the client) using certificates, ensuring that the parties involved in the communication are who they claim to be.
Let’s break down how TLS works, step-by-step:
Negotiation: The client and server agree on the version of TLS to use and select mutually supported cipher suites.
Authentication: The server presents its digital certificate to the client, proving its identity. The client may also provide a certificate to authenticate itself to the server.
Key Exchange: The client and server use asymmetric encryption to securely exchange keys, which are then used to establish a symmetric session key.
Session Establishment: Once the keys are exchanged, a secure session is established, and further communication is encrypted using symmetric encryption methods.
API Key Management
API keys are unique identifiers used to authenticate requests to an API and ensure that the requests are coming from authorised clients.
Management of these API keys is essential for securing APIs by controlling access and preventing unauthorised use.
Proper management ensures that only authorised clients can access the API, thereby protecting sensitive data and services.
API keys allow for detailed monitoring and tracking of API usage.
This enables organisations to analyse usage patterns, detect anomalies, and identify potential security threats in real time.
Here’s how API key management works:
Key Generation: API keys are generated using a secure algorithm. Each key is unique and should be unpredictable to prevent unauthorised generation.
Key Distribution: Once generated, API keys are securely distributed to authorised clients. This can be done through a secure channel to ensure that the keys are not intercepted during transmission.
Usage: API keys are included in the requests sent to the API. The server validates the key before processing the request, ensuring that it is coming from an authorised source.
Revocation: If an API key is compromised or no longer needed, it can be revoked. This means the key is invalidated, and any request using that key will be denied access to the API.
Rotation: Regularly rotating API keys is a best practice to enhance security. This involves generating new keys and updating clients to use the new keys while invalidating the old ones.
Rate Limiting and Throttling
Rate limiting restricts the number of API requests a user or client can make within a specified timeframe.
This helps prevent malicious activities like DDoS attacks and brute force attempts.
Throttling ensures that resources are distributed fairly among users, preventing a single user from monopolising the API’s capacity.
By controlling the flow of incoming requests, rate limiting and throttling help maintain the stability and performance of backend systems, preventing crashes and slowdowns.
Here’s how rate limiting works:
Fixed Window: In a fixed window rate limiting approach, the number of requests allowed is capped within a fixed time interval, such as 1000 requests per hour. Once the limit is reached, any additional requests within that interval are rejected until the next interval begins.
Sliding Window: The sliding window method is more dynamic, allowing a set number of requests within a rolling time window. This approach provides a more balanced distribution of requests over time.
Token Bucket: The token bucket algorithm allows for bursts of requests up to a certain limit while maintaining an average rate. Tokens are added to the bucket at a steady rate, and each request consumes a token. If the bucket is empty, the request is denied or queued.
Then here’s how throttling works:
Request Queuing: When the number of requests exceeds the allowed rate, additional requests are placed in a queue. They are processed once the rate falls below the threshold, ensuring the backend system isn’t overwhelmed.
Response Delay: Throttling can also involve delaying responses to requests that exceed the rate limit, gradually serving them to maintain system stability.
Conclusion
Securing APIs is crucial for robust and reliable applications.
Key protocols such as OAuth 2.0, JSON Web Tokens (JWT), Transport Layer Security (TLS), API Key Management, and Rate Limiting and Throttling play essential roles in optimising API security.
These protocols ensure secure authentication, data encryption, access control, and fair usage, protecting APIs from various threats.
To enhance your understanding and implementation of these protocols, explore the further reading resources provided below and improve your API security strategies.
Further Reading
Best practices for REST API security: Authentication and authorization – StackOverflow
Introduction to JSON Web Tokens – Okta
What is TLS (Transport Layer Security)? – CloudFlare
Creating and managing API keys – Google
API Rate Limiting vs. API Throttling: How Are They Different? – NordicAPIs