Best Practices for securing a REST API / web service [closed]

Answer 1

You may also want to take a look at OAuth, an emerging open protocol for token-based authorization specifically targeting http apis.

It is very similar to the approach taken by flickr and remember the milk "rest" apis (not necessarily good examples of restful apis, but good examples of the token-based approach).

Answer 2

I searched a lot about restful ws security and we also ended up with using token via cookie from client to server to authenticate the requests . I used spring security for authorization of requests in service because I had to authenticate and authorized each request based on specified security policies that has already been in DB.

Answer 3

There is a great checklist found on Github:

Authentication

• Don't reinvent the wheel in Authentication, token generation, password storage. Use the standards.

• Use Max Retry and jail features in Login.

• Use encryption on all sensitive data.

JWT (JSON Web Token)

• Use a random complicated key (JWT Secret) to make brute forcing the token very hard.

• Don't extract the algorithm from the payload. Force the algorithm in the backend (HS256 or RS256).

• Make token expiration (TTL, RTTL) as short as possible.

• Don't store sensitive data in the JWT payload, it can be decoded easily.

OAuth

• Always validate redirect_uri server-side to allow only whitelisted URLs.

• Always try to exchange for code and not tokens (don't allow response_type=token).

• Use state parameter with a random hash to prevent CSRF on the OAuth authentication process.

• Define the default scope, and validate scope parameters for each application.

Access

• Limit requests (Throttling) to avoid DDoS / brute-force attacks.

• Use HTTPS on server side to avoid MITM (Man In The Middle Attack)

• Use HSTS header with SSL to avoid SSL Strip attack.

Input

• Use the proper HTTP method according to the operation: GET (read), POST (create), PUT/PATCH (replace/update), and DELETE (to delete a record), and respond with 405 Method Not Allowed if the requested method isn't appropriate for the requested resource.

• Validate content-type on request Accept header (Content Negotiation) to allow only your supported format (e.g. application/xml, application/json, etc) and respond with 406 Not Acceptable response if not matched.

• Validate content-type of posted data as you accept (e.g. application/x-www-form-urlencoded, multipart/form-data, application/json, etc).

• Validate User input to avoid common vulnerabilities (e.g. XSS, SQL-Injection, Remote Code Execution, etc).

• Don't use any sensitive data (credentials, Passwords, security tokens, or API keys) in the URL, but use standard Authorization header.

• Use an API Gateway service to enable caching, Rate Limit policies (e.g. Quota, Spike Arrest, Concurrent Rate Limit) and deploy APIs resources dynamically.

Processing

• Check if all the endpoints are protected behind authentication to avoid broken authentication process.

• User own resource ID should be avoided. Use /me/orders instead of /user/654321/orders.

• Don't auto-increment IDs. Use UUID instead.

• If you are parsing XML files, make sure entity parsing is not enabled to avoid XXE (XML external entity attack).

• If you are parsing XML files, make sure entity expansion is not enabled to avoid Billion Laughs/XML bomb via exponential entity expansion attack.

• Use a CDN for file uploads.

• If you are dealing with huge amount of data, use Workers and Queues to process as much as possible in background and return response fast to avoid HTTP Blocking.

• Do not forget to turn the DEBUG mode OFF.

Output

• Send X-Content-Type-Options: nosniff header.

• Send X-Frame-Options: deny header.

• Send Content-Security-Policy: default-src 'none' header.

• Remove fingerprinting headers - X-Powered-By, Server, X-AspNet-Version etc.

• Force content-type for your response, if you return application/json then your response content-type is application/json.

• Don't return sensitive data like credentials, Passwords, security tokens.

• Return the proper status code according to the operation completed. (e.g. 200 OK, 400 Bad Request, 401 Unauthorized, 405 Method Not Allowed, etc).

Answer 4

There are no standards for REST other than HTTP. There are established REST services out there. I suggest you take a peek at them and get a feel for how they work.

For example, we borrowed a lot of ideas from Amazon's S3 REST service when developing our own. But we opted not to use the more advanced security model based on request signatures. The simpler approach is HTTP Basic auth over SSL. You have to decide what works best in your situation.

Also, I highly recommend the book RESTful Web Services from O'reilly. It explains the core concepts and does provide some best practices. You can generally take the model they provide and map it to your own application.

Answer 5

It's been a while but the question is still relevant, though the answer might have changed a bit.

An API Gateway would be a flexible and highly configurable solution. I tested and used KONG quite a bit and really liked what I saw. KONG provides an admin REST API of its own which you can use to manage users.

Express-gateway.io is more recent and is also an API Gateway.

Answer 6

As @Nathan ended up with which is a simple HTTP Header, and some had said OAuth2 and client side SSL certificates. The gist of it is this... your REST API shouldn't have to handle security as that should really be outside the scope of the API.

Instead a security layer should be put on top of it, whether it is an HTTP Header behind a web proxy (a common approach like SiteMinder, Zermatt or even Apache HTTPd), or as complicated as OAuth 2.

The key thing is the requests should work without any end-user interaction. All that is needed is to ensure that the connection to the REST API is authenticated. In Java EE we have the notion of a userPrincipal that can be obtained on an HttpServletRequest. It is also managed in the deployment descriptor that a URL pattern can be secure so the REST API code does not need to check anymore.

In the WCF world, I would use ServiceSecurityContext.Current to get the current security context. You need to configure you application to require authentication.

There is one exception to the statement I had above and that's the use of a nonce to prevent replays (which can be attacks or someone just submitting the same data twice). That part can only be handled in the application layer.