API security
October 14, 2022 | Anoop K Singh
Common API vulnerabilities
Distributed Denial of Service (DDoS)
API DDoS attacks flood an API service with requests until it can no longer serve legitimate clients. Because each participating source sends what looks like a normal traffic volume, these attacks are difficult to detect.
SQL Injections and Data Attacks
With the right credentials, insiders and external attackers can reach any system or data those credentials allow. Examples include data extraction or theft, data deletion or manipulation, data injection, malicious code injection, and abnormally heavy application activity.
API security best practices
Authenticate
One of the most crucial components of API security is authentication. Always use secure authentication techniques like JWT or OAuth to confirm user identity.
HTTP Basic authentication should never be used on its own: it sends the credentials with every request merely Base64-encoded, which is not encryption.
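As an added example (not code from the original post), the following stdlib-only Python shows what a Bearer-token check on an API should do before trusting a request: pin the JWT algorithm to HS256 so a caller-supplied "alg": "none" is rejected, compare the HMAC signature in constant time, require an unexpired "exp" claim, and refuse Basic credentials outright. The secret, the claims and the header values are constructed for the demonstration; a real service would use a vetted JWT library and load its key from a secret store.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real service loads it from a secret store, never source code.
SECRET = b"demo-secret-do-not-use-in-production"


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_jwt_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token; used here only to produce input for the verifier below."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_jwt_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token verifies, otherwise None.

    Checks: three segments, header algorithm pinned to HS256 (a caller-supplied
    "alg": "none" is rejected), constant-time signature comparison, and an
    "exp" claim that is present and still in the future.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        presented = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return payload


def authenticate_request(headers: dict, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Accept only 'Authorization: Bearer <jwt>'; Basic credentials are refused outright."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not value:
        return None
    return verify_jwt_hs256(value, secret, now)
```

The `now` parameter exists so expiry handling can be tested deterministically; in production it defaults to the current time. Note that pinning the algorithm on the verifier side, rather than trusting the token header, is what makes the "alg" confusion class of bugs impossible here.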
Use API gateways
Always place an API behind a gateway. Gateways consolidate security controls together with useful business operations in one place, which brings several advantages: rate limiting and blocking of malicious clients are standard gateway features.
Validate inputs
Specify the acceptable inputs in your API documentation, and validate every input against that specification before any server-side data modification or database write.
Prevent improper input attempts
Unvalidated input opens the door to:
Remote Code Execution (RCE)
SQL Injection
Cross-Site Scripting (XSS)
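The validation step above and the SQL injection item in the list are tied together in this added example (not code from the original post): a hypothetical POST /users handler checks the body against a constructed allowlist schema, rejects unknown fields and wrong types, and then writes with a parameterised statement. A deliberately vulnerable lookup built with string formatting is kept beside the safe one so the difference can be observed on an in-memory SQLite table; the schema, table and sample values are all constructed for the demonstration.

```python
import re
import sqlite3
from typing import Any, List, Tuple

# Constructed schema for a hypothetical POST /users endpoint. Each field declares
# its type and constraints; fields not listed here are rejected rather than ignored.
USER_SCHEMA = {
    "username": {"type": str, "pattern": re.compile(r"^[a-z0-9_]{3,32}$")},
    "email": {"type": str, "max_len": 254, "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")},
    "age": {"type": int, "min": 0, "max": 150},
}


def validate(body: Any, schema: dict) -> Tuple[bool, List[str]]:
    """Return (ok, errors); unknown keys, wrong types and out-of-range values all fail."""
    errors = []
    if not isinstance(body, dict):
        return False, ["body must be a JSON object"]
    errors.extend(f"unexpected field: {key}" for key in body if key not in schema)
    for key, rule in schema.items():
        if key not in body:
            errors.append(f"missing field: {key}")
            continue
        value = body[key]
        # bool is a subclass of int, so exclude it explicitly for integer fields.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{key}: expected {rule['type'].__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{key}: longer than {rule['max_len']} characters")
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append(f"{key}: malformed")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{key}: below {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{key}: above {rule['max']}")
    return not errors, errors


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT UNIQUE, email TEXT, age INTEGER)")
    return conn


def create_user(conn: sqlite3.Connection, body: Any) -> Tuple[int, dict]:
    """Validate first, then write with a parameterised statement."""
    ok, errors = validate(body, USER_SCHEMA)
    if not ok:
        return 400, {"errors": errors}
    # The driver binds the values; the input is never interpreted as SQL.
    conn.execute(
        "INSERT INTO users (username, email, age) VALUES (?, ?, ?)",
        (body["username"], body["email"], body["age"]),
    )
    return 201, {"username": body["username"]}


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    # Vulnerable pattern, kept only for contrast: string formatting lets the input
    # become part of the SQL text, so a quote in the value changes the query's logic.
    rows = conn.execute("SELECT username FROM users WHERE username = '%s'" % username)
    return [row[0] for row in rows]
```

Two design choices matter here: validation fails closed on any field the schema does not name, so a client cannot smuggle in a "role" or similar attribute, and the query never sees the raw string as SQL text, so validation is a second layer rather than the only defence.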
Sending API keys or other sensitive data in the URL is not advised, because URLs are routinely recorded in browser history, proxy logs and server logs. Always send such data in the Authorization header instead.
Limit requests (Throttling)
You can limit DoS and brute-force attacks by capping the number of requests a client may send in a given period. Unfortunately, this technique does little against DDoS, where the load is spread across many clients that each stay under the limit.
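The following added example (not code from the original post) is a per-client sliding-window rate limiter with a small replay harness. It assumes requests are keyed by client address, which is constructed here, and it reproduces both halves of the point above: a burst from one source is cut off at the limit, while the same burst spread over many addresses passes untouched, which is why per-client throttling alone does not stop a distributed attack.

```python
import time
from collections import deque
from typing import List, Optional, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = {}  # client key -> deque of request timestamps inside the window

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        # Discard timestamps that have aged out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # caller should answer 429 Too Many Requests
        q.append(now)
        return True


def simulate(limiter: SlidingWindowLimiter, requests: List[Tuple[float, str]]) -> Tuple[int, int]:
    """Replay (timestamp, client_key) pairs and return (allowed, rejected) counts."""
    allowed = rejected = 0
    for ts, key in requests:
        if limiter.allow(key, now=ts):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


def single_source_burst(n: int) -> List[Tuple[float, str]]:
    """Constructed traffic: n requests spaced 1 ms apart, all from one client address."""
    return [(i / 1000, "10.0.0.1") for i in range(n)]


def distributed_burst(n: int) -> List[Tuple[float, str]]:
    """Constructed traffic: n requests spaced 1 ms apart, each from a different address."""
    return [(i / 1000, f"10.0.{i // 256}.{i % 256}") for i in range(n)]


if __name__ == "__main__":
    print("single source:", simulate(SlidingWindowLimiter(20, 1.0), single_source_burst(100)))
    print("distributed:  ", simulate(SlidingWindowLimiter(20, 1.0), distributed_burst(100)))
```

The per-key deque is the whole state, so this fits in one process; behind a load balancer the same logic is normally backed by a shared store so that every gateway instance sees the same counts. The distributed case is what the gateway-level and upstream DDoS protections mentioned earlier are for.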
Output data
Return only the information the client actually needs, and take care never to return sensitive data such as API keys or passwords.
Remove the x-powered-by and server headers from your HTTP responses: they tell potential attackers which software and versions you run.
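Both points above, field filtering and header stripping, are combined in this added example (not code from the original post). Output is built from a constructed allowlist of public fields rather than by deleting known-bad ones, a last-line check scans the outgoing body for secret-looking key names and fails closed if the allowlist and the check disagree, and the x-powered-by and server headers are dropped. The record and headers are constructed samples.

```python
import json
from typing import Dict, List, Tuple

# Allowlist of fields each resource may expose. Serialising from an allowlist means a
# sensitive column added to the record later stays private by default.
PUBLIC_FIELDS = {
    "user": ("id", "username", "email", "created_at"),
}

# Response headers that reveal the server stack and are stripped before sending.
FINGERPRINT_HEADERS = {"server", "x-powered-by"}

# Key names that should never appear in a response body; used as a last-line check.
SENSITIVE_KEY_WORDS = ("password", "secret", "api_key", "token", "private")


def serialize(resource_type: str, record: dict) -> dict:
    allowed = PUBLIC_FIELDS[resource_type]
    return {field: record[field] for field in allowed if field in record}


def strip_fingerprint_headers(headers: Dict[str, str]) -> Dict[str, str]:
    return {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}


def find_sensitive_keys(obj, path: str = "") -> List[str]:
    """Walk a JSON-like structure and list key paths whose names look secret-bearing."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else k
            if any(word in k.lower() for word in SENSITIVE_KEY_WORDS):
                found.append(here)
            found.extend(find_sensitive_keys(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(find_sensitive_keys(v, f"{path}[{i}]"))
    return found


def build_response(resource_type: str, record: dict, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body) with secrets and fingerprint headers removed."""
    body = serialize(resource_type, record)
    if find_sensitive_keys(body):  # allowlist and check disagree: fail closed, do not leak
        return 500, {"Content-Type": "application/json"}, json.dumps({"error": "response blocked"})
    out_headers = strip_fingerprint_headers(headers)
    out_headers["Content-Type"] = "application/json"
    return 200, out_headers, json.dumps(body)


# Constructed record as it might come back from the database, including columns
# that must never reach the client.
SAMPLE_RECORD = {
    "id": 7,
    "username": "alice",
    "email": "alice@example.com",
    "created_at": "2022-10-14T00:00:00Z",
    "password_hash": "$2b$12$constructed-placeholder-hash",
    "api_key": "sk_constructed_placeholder",
}

# Constructed headers as a framework might set them before the filter runs.
SAMPLE_HEADERS = {"Server": "nginx/1.22.1", "X-Powered-By": "Express", "Cache-Control": "no-store"}

if __name__ == "__main__":
    print(build_response("user", SAMPLE_RECORD, SAMPLE_HEADERS))
```

The check in `find_sensitive_keys` is deliberately crude and name-based; it is a safety net behind the allowlist, not a replacement for it, and it is cheap enough to run on every response.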
Photo credit: Arthur Mazi on Unsplash
This blog first appeared on Medium, with the title "Most Commonly Known API Vulnerabilities And API Security Best Practices".