Top 5 OWASP security tips for designing secure REST APIs (2023)

APIs are communication channels that applications can "talk" over. To establish a connection between applications, REST APIs use HTTPS. HTTP requests traverse the API communication channel and carry messages between applications.

Threat actors target REST APIs because they look for data stored in HTTP requests. Threat actors also use APIs to launch attacks such as:

• the man in the middle(MitM): Handles the communication contained in an API message.
• API injections (XSS and SQLi): Inject malicious code (malware or ransomware) into the API code base or into an API message.
• Distributed Denial of Service (DDoS): Repeated calls requesting API connections in rapid succession in an attempt to overload the server and cause an outage. In this article, we provide an overview of API concepts and provide a table of the top OWASP recommendations forREST API security.

What is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to improving software security. They achieve this goal by providing unbiased educational resources for free on their website.

The OWASP website offers a wealth of information including community forums, documentation, videos, and free tools. Among these features you will find theTop 10 OWASP vulnerabilitiesList that has become the business standard.

First published in 2004 (and updated in 2017), the OWASP Top 10 arose from the need to identify the most critical vulnerabilities and prioritize remediation accordingly. While the top 10 list is an essential tool for software security, it is not enough to ensure network security.

An unfortunate misconception is that inclusion in the OWASP Top 10 list is all the security software requires. In reality, today's software is designed for connectivity and as such can easily be breached, which is why OWASP created a REST security cheat sheet.

What is an application programming interface (API)?

Connectivity between applications is achieved through an application programming interface (API), which is software that opens and closes communication channels. The API consists of protocols, tools and routines that enable the extraction and distribution of data.

Internet of Things (IoT) devices use APIs to communicate with each other, the network, the applications they control, and the applications they control. For example, a smart water heater switch cannot remotely control the water heater without using an API. Web apps use web APIs to communicate with each other, the network, and IoT devices.

Connecting a social network account, for example with a gaming application, requires the use of an API. Another example is Chrome extensions, which in order to work with the browser need to connect to the browser's API.

What is a REST API?

Representational State Transfer (REST) ​​is an API implementation approach that uses Hypertext Transfer Protocol (HTTP) to establish connections. The REST API uses HTTP to collect data, transmit data, and coordinate task execution between remote systems.

REST APIs mainly use JSON (JavaScript Object Notation) files to compress and transfer data from one web application to another. JSON files are small, making them easier to transfer, and they're also a standard web file, which means recipients' browsers can read the file without API help.

What is REST security?

For secure communication, REST APIs use Hypertext Transfer Protocol Secure (HTTPS). A Transport Layer Security (TLS) protocol ensures that the connection is private (by encrypting the data), authenticated (using public-key cryptography), and trusted (using a message authentication code).

REST APIs are stateless. To establish a connection, a REST API does not need the client or the server. The HTTP request takes care of this by collecting and storing all the requested information. That means if attackers get access to the HTTP request, they get access to the data.

REST security practices and solutions are responsible for ensuring that every connection made through REST APIs is secured. REST security practices provide guidance for developing and securing APIs (as discussed below), and security solutions support these efforts.

What is the OWASP REST Security Cheat Sheet?

The OWASP REST Security Cheat Sheet is a document that provides best practices for securing the REST API. Each section covers a component of the REST architecture and explains how to do this securely.

The table below summarizes the best practices from the OWASP REST Security Cheat Sheet. For more information, seeofficial documentation.

Implementing the OWASP REST Security Cheat Sheet

Securing your REST API doesn't have to be difficult or time-consuming. Sometimes it's just a matter of assessing your situation and applying appropriate solutions. In the previous section, we reviewed REST security best practices. Now we're providing you with some pro tips to help you secure your APIs.

1. Apply HTTPS-only pattern

HTTPS is enabled through the use of SSL (Secure Sockets Layer) certificates. The first step is to purchase a certificate from your hosting provider. You then need to install the certificate. This is done through the hosting panel and is as simple as following the steps provided by the host.

If you're moving your website to HTTPS only, you'll need to go through your directories (such as client libraries, code samples, and sample apps) and replace HTTP calls with HTTPS. You can do this manually, which will take some time, or you can use onesearch and replaceTool.

2. Using an identity provider (IdP) for tokens

An IdP is a system that controls the process of creating and managing identity information and provides authentication services such as token generation. A token is a meaningless string that represents sensitive and financial information.

The IdP receives a request from the website to tokenize the information. The system stores the information in a safe place and replaces it with a token. The IdP mediates between the user and the website and keeps the information safe in a third-party repository. You can find a list of IdPsHere.

3. Cryptographic signatures for JWT

Digital signatures provide integrity, authentication, and non-repudiation, making them ideal for token issuance. You can delegate the token generation task to an IdP (as explained above) or do it manually with a verified OAuth 2.0 server.

He canbuildFor your own OAuth server, use theOAuthServer sponsored by OKTA and you can use an open source solution. Before committing to any path, take an honest look at your situation and make sure you have the skills and resources to go it alone.

4. Add HTTP return code 429 for many requests

The purpose of the 429 return code is to prevent repeated API requests. It's up to you to determine how many requests are too many at any given time, but this return code is mandatory. It provides a mechanism to carry out DDoS attacks that can cause system failure.

Here is an example code 429 fromRFCDocumentation:

Remember: never use a cache to store 429 (!)

5. Use Cross-Origin Resource Sharing (CORS) to restrict HTTP methods

CORS is a technique that provides controls for resource sharing. This means that CORS lets you configure when to grant or deny access to HTTP methods, when to restrict it, and what credentials and origins are allowed.

Make sure you research the topic and configure your CORS properly. You can find a tutorialHere, OfHere. If you don't want to create from scratch you can useThat's itOpen source CORS proxy. make surecourt hearingcode before you run it to ensure it's as bug-free as possible.

It's a wrap!

In today's hyper-connected world, almost no system works without an API. Networks, web applications, and IoT devices rely on your APIs to communicate. Without an API, an IoT device loses its meaning. A web application cannot access data without an API, and endpoints cannot connect to networks without APIs.

REST APIs are responsible for communication between web applications. Since most systems run web applications, insecure REST APIs can lead to security breaches. A threat actor can cause a lot of damage simply by hacking a REST API. To avoid REST API breach, implement OWASP REST security best practices and keep your APIs as secure as possible.

Author's biography

Gilad David Maayan is a technology writer who has worked with over 150 technology companies, including SAP, Samsung NEXT, NetApp and Imperva, creating technical and trend-setting content that spotlights technical solutions for developers and IT leaders.

Linkedin:https://www.linkedin.com/in/giladdavidmaayan/