Checklist of the most important security countermeasures when designing,testing, and releasing your API.
- Don't use
Basic AuthUse standard authentication (e.g. JWT , OAuth). - Don't reinvent the wheel in
Authentication,token generating,password storinguse the standards.
- Use random complicated key (
JWT Secret) to make brute forcing token very hard. - Don't extract the algorithm from the payload. Force algorithm in the backend (
HS256orRS256). - Make token expiration (
TTL,RTTL) short as possible. - Don't store sensetive data in the JWT payload, it can be decoded easily.
- Always validate
redirect_urion server side to allow only whitelisted urls. - Always try to exchange for code not tokens (don't allow
response_type=token). - Use
stateparameter with random hash to prevent CSRF on OAuth authentication process. - Define default scope , and validate scope parameter for each application.
- Limit requests (Throttling) to avoid DDoS / Bruteforce attacks.
- Use HTTPS on server side to avoid MITM.
- Use
HSTSheader with SSL to avoid SSL Strip attack.
- Use proper HTTP method according to operation ,
GET (read),POST (create),PUT (replace/update)andDELETE (to delete a record). - Validate
content-typeon request Accept header ( Content Negotiation ) to allow only your supported format (e.g.application/xml,application/json... etc) and respond with406 Not Acceptableresponse if not matched. - Validate
content-typeof posted data as you accept (e.g.application/x-www-form-urlencoded,multipart/form-data ,application/json... etc ). - Validate User input to avoid common vulnerabilities (e.g.
XSS,SQL-Injection,Remote Code Execution... etc). - Don't use any sensetive data (
credentials,Passwords,security tokens, orAPI keys) in the URL, but use standard Authorization header.
- Check if all endpoint protected behind the authentication to avoid broken authentication.
- User own resource id should be avoided. Use
/me/ordersinstead of/user/654321/orders - Don't use auto increment id's use
UUIDinstead. - If you are parsing XML files , make sure entity parsing is not enable to avoid
XXE. - Use CDN for file uploads.
- If you are dealing with huge amount of data , use Workers and Queues to return response fast to avoid HTTP Blocking.
- Do not forget and leave the DEBUG mode on.
- Send
X-Content-Type-Options: nosniffheader. - Send
X-Frame-Options: denyheader. - Force
content-typefor your response , if you returnapplication/jsonthen your responsecontent-typeisapplication/json. - Don't return sensetive data like
credentials,Passwords,security tokens. - Return proper status code according to operation you done. (e.g.
200 OK,400 Bad Request,401 Unauthorized,405 Method Not Allowed... etc).
Feel free to contribute , fork -> edit -> submit pull request. For any questions drop us an email at team@shieldfy.io.