Top 5 OWASP security tips for designing secure REST APIs (2023)

APIs are communication channels that applications can "talk" over. To establish a connection between applications, REST APIs use HTTPS. HTTP requests traverse the API communication channel and carry messages between applications.

Threat actors target REST APIs because they look for data stored in HTTP requests. Threat actors also use APIs to launch attacks such as:

  • the man in the middle(MitM): Handles the communication contained in an API message.
  • API injections (XSS and SQLi): Inject malicious code (malware or ransomware) into the API code base or into an API message.
  • Distributed Denial of Service (DDoS): Repeated calls requesting API connections in rapid succession in an attempt to overload the server and cause an outage. In this article, we provide an overview of API concepts and provide a table of the top OWASP recommendations forREST API security.

What is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to improving software security. They achieve this goal by providing unbiased educational resources for free on their website.

The OWASP website offers a wealth of information including community forums, documentation, videos, and free tools. Among these features you will find theTop 10 OWASP vulnerabilitiesList that has become the business standard.

First published in 2004 (and updated in 2017), the OWASP Top 10 arose from the need to identify the most critical vulnerabilities and prioritize remediation accordingly. While the top 10 list is an essential tool for software security, it is not enough to ensure network security.

An unfortunate misconception is that inclusion in the OWASP Top 10 list is all the security software requires. In reality, today's software is designed for connectivity and as such can easily be breached, which is why OWASP created a REST security cheat sheet.

What is an application programming interface (API)?

Connectivity between applications is achieved through an application programming interface (API), which is software that opens and closes communication channels. The API consists of protocols, tools and routines that enable the extraction and distribution of data.

Internet of Things (IoT) devices use APIs to communicate with each other, the network, the applications they control, and the applications they control. For example, a smart water heater switch cannot remotely control the water heater without using an API. Web apps use web APIs to communicate with each other, the network, and IoT devices.

Connecting a social network account, for example with a gaming application, requires the use of an API. Another example is Chrome extensions, which in order to work with the browser need to connect to the browser's API.

What is a REST API?

Representational State Transfer (REST) ​​is an API implementation approach that uses Hypertext Transfer Protocol (HTTP) to establish connections. The REST API uses HTTP to collect data, transmit data, and coordinate task execution between remote systems.

REST APIs mainly use JSON (JavaScript Object Notation) files to compress and transfer data from one web application to another. JSON files are small, making them easier to transfer, and they're also a standard web file, which means recipients' browsers can read the file without API help.

What is REST security?

For secure communication, REST APIs use Hypertext Transfer Protocol Secure (HTTPS). A Transport Layer Security (TLS) protocol ensures that the connection is private (by encrypting the data), authenticated (using public-key cryptography), and trusted (using a message authentication code).

REST APIs are stateless. To establish a connection, a REST API does not need the client or the server. The HTTP request takes care of this by collecting and storing all the requested information. That means if attackers get access to the HTTP request, they get access to the data.

REST security practices and solutions are responsible for ensuring that every connection made through REST APIs is secured. REST security practices provide guidance for developing and securing APIs (as discussed below), and security solutions support these efforts.

What is the OWASP REST Security Cheat Sheet?

The OWASP REST Security Cheat Sheet is a document that provides best practices for securing the REST API. Each section covers a component of the REST architecture and explains how to do this securely.

The table below summarizes the best practices from the OWASP REST Security Cheat Sheet. For more information, seeofficial documentation.

Component from the REST API Definition recommended course of action
HTTPS A security protocol for communication between web applications. Protect authentication data in transit by only providing HTTPS endpoints and add additional security with mutually authenticated client-side certificates
access control A security method of regulating which users or systems access a device, software, or resource Use an identity provider (IdP) to generate authentication tokens and localize access control decisions for REST endpoints
Token-Web-JSON (JWT) A standard format for security tokens that contain authentication claims Always protect the integrity of the JWT with cryptographic or MAC signatures. Prefer signatures whenever possible and always use standardized assertions
API key A unique sequence of Request an API key for each request, use characters that authenticate API requests, and then make or deny the call Require an API key for every request, use HTTP return code 429 for many requests, and remove API keys from clients violating the user agreement
HTTP-Methode A set of request methods (also known as verbs) that implement the action that fulfills an HTTP request. Restrict HTTP methods using method whitelists, enforce 405 return code for rejected methods, and authenticate caller method privileges.

Implementing the OWASP REST Security Cheat Sheet

Securing your REST API doesn't have to be difficult or time-consuming. Sometimes it's just a matter of assessing your situation and applying appropriate solutions. In the previous section, we reviewed REST security best practices. Now we're providing you with some pro tips to help you secure your APIs.

1. Apply HTTPS-only pattern

HTTPS is enabled through the use of SSL (Secure Sockets Layer) certificates. The first step is to purchase a certificate from your hosting provider. You then need to install the certificate. This is done through the hosting panel and is as simple as following the steps provided by the host.

If you're moving your website to HTTPS only, you'll need to go through your directories (such as client libraries, code samples, and sample apps) and replace HTTP calls with HTTPS. You can do this manually, which will take some time, or you can use onesearch and replaceTool.

2. Using an identity provider (IdP) for tokens

An IdP is a system that controls the process of creating and managing identity information and provides authentication services such as token generation. A token is a meaningless string that represents sensitive and financial information.

The IdP receives a request from the website to tokenize the information. The system stores the information in a safe place and replaces it with a token. The IdP mediates between the user and the website and keeps the information safe in a third-party repository. You can find a list of IdPsHere.

3. Cryptographic signatures for JWT

Digital signatures provide integrity, authentication, and non-repudiation, making them ideal for token issuance. You can delegate the token generation task to an IdP (as explained above) or do it manually with a verified OAuth 2.0 server.

He canbuildFor your own OAuth server, use theOAuthServer sponsored by OKTA and you can use an open source solution. Before committing to any path, take an honest look at your situation and make sure you have the skills and resources to go it alone.

4. Add HTTP return code 429 for many requests

The purpose of the 429 return code is to prevent repeated API requests. It's up to you to determine how many requests are too many at any given time, but this return code is mandatory. It provides a mechanism to carry out DDoS attacks that can cause system failure.

Here is an example code 429 fromRFCDocumentation:

Top 5 OWASP security tips for designing secure REST APIs (1)

Remember: never use a cache to store 429 (!)

5. Use Cross-Origin Resource Sharing (CORS) to restrict HTTP methods

CORS is a technique that provides controls for resource sharing. This means that CORS lets you configure when to grant or deny access to HTTP methods, when to restrict it, and what credentials and origins are allowed.

Make sure you research the topic and configure your CORS properly. You can find a tutorialHere, OfHere. If you don't want to create from scratch you can useThat's itOpen source CORS proxy. make surecourt hearingcode before you run it to ensure it's as bug-free as possible.

It's a wrap!

In today's hyper-connected world, almost no system works without an API. Networks, web applications, and IoT devices rely on your APIs to communicate. Without an API, an IoT device loses its meaning. A web application cannot access data without an API, and endpoints cannot connect to networks without APIs.

REST APIs are responsible for communication between web applications. Since most systems run web applications, insecure REST APIs can lead to security breaches. A threat actor can cause a lot of damage simply by hacking a REST API. To avoid REST API breach, implement OWASP REST security best practices and keep your APIs as secure as possible.

Author's biography

Gilad David Maayan is a technology writer who has worked with over 150 technology companies, including SAP, Samsung NEXT, NetApp and Imperva, creating technical and trend-setting content that spotlights technical solutions for developers and IT leaders.



Top 5 OWASP security tips for designing secure REST APIs? ›

Every web API should use TLS (Transport Layer Security). TLS protects the information your API sends (and the information that users send to your API) by encrypting your messages while they're in transit. You might know TLS by its predecessor's name, SSL.

How to design secure REST API? ›

Here are some good practices to ensure a robust and secure REST API implementation.
  1. Implement Authentication. You should always be aware of who is calling your APIs. ...
  2. Use TLS (HTTPS) ...
  3. Validate API Parameters. ...
  4. Rate Limiting. ...
  5. Implement Content Types. ...
  6. Restrict Access to Resources. ...
  7. Use Pagination.
May 13, 2022

How do you keep REST APIs secure? ›

2. Best Practices to Secure REST APIs
  1. 2.1. Keep it Simple. Secure an API/System – just how secure it needs to be. ...
  2. 2.2. Always Use HTTPS. ...
  3. 2.3. Use Password Hash. ...
  4. 2.4. Never expose information on URLs. ...
  5. 2.5. Consider OAuth. ...
  6. 2.6. Consider Adding Timestamp in Request. ...
  7. 2.7. Input Parameter Validation.
Dec 30, 2022

What security protocols do you use while designing a REST API? ›

Every web API should use TLS (Transport Layer Security). TLS protects the information your API sends (and the information that users send to your API) by encrypting your messages while they're in transit. You might know TLS by its predecessor's name, SSL.

How do I secure my REST API using proven best practices? ›

API security best practices
  1. Authenticate and authorize. ...
  2. Implement access control. ...
  3. Encrypt requests and responses. ...
  4. Validate the data. ...
  5. Assess your API risks. ...
  6. Share only necessary information. ...
  7. Choose your web services API. ...
  8. Record APIs in an API registry.
Oct 18, 2022

Which authentication is most secure for REST API? ›

4 Secure API Authentication Methods
  1. API Keys. API Keys are secret tokens used to authenticate API requests. ...
  2. OAuth 2.0. OAuth 2.0 is an authorization protocol that gives API users access to a service without sharing their passwords. ...
  3. HTTP Authentication Schemes (Basic & Bearer) ...
  4. JWT Authentication (JSON Web Token)
Feb 1, 2023

How to secure a REST API using JWT? ›

  1. Make sure that the JWT authentication is enabled for REST APIs by setting the value of servlet. jwt. auth. ...
  2. The incoming HTTP request for REST API call must contain the request header “Authorization” with scheme “Bearer” followed by JWT. The signature of the token and expiration date is verified by the system.

How to secure REST API without authentication? ›

Encryption — Having encryption enabled on the API and using https using TLS secures the channel as well as the information sent. Rate limiting and throttling — Limiting the number of requests coming into an API helps prevent abuse.

How to secure REST API in microservices? ›

8 Ways to Secure Your Microservices Architecture
  1. Make your microservices architecture secure by design. ...
  2. Scan for dependencies. ...
  3. Use HTTPS everywhere. ...
  4. Use access and identity tokens. ...
  5. Encrypt and protect secrets. ...
  6. Slow down attackers. ...
  7. Know your cloud and cluster security. ...
  8. Cover your security bases.

How to secure REST API with HTTPS? ›

  1. Configure the integration server or integration node to use SSL. ...
  2. In the Application Development view, which is under the REST API project, open the REST API Description for the REST API for which you want to enable HTTPS.
  3. Under Security Options, select Enable HTTPS in the REST API Description.

How to secure REST API with Basic authentication? ›

  1. Concatenate the user name with a colon, and the password. ...
  2. Encode this user name and password string in base64 encoding.
  3. Include this encoded user name and password in an HTTP Authorization: Basic header.

How to encrypt REST API data? ›

Use HTTPS. One of the simplest and most effective ways to secure and encrypt your API data and traffic is to use HTTPS, or Hypertext Transfer Protocol Secure. HTTPS is a protocol that adds a layer of encryption and authentication to the standard HTTP protocol.

What encryption does REST API use? ›

For instance, REST APIs use HTTP and support Transport Layer Security (TLS) encryption, a standard encryption that keeps your internet connection secure, and checks that the data shared between the two systems and APIs are encrypted and unmodified.

What are 10 best practices that can be applied when designing a REST API provide sufficient detail for each of the best practices? ›

REST API Design Best Practices
  • Use JSON as the Format for Sending and Receiving Data. ...
  • Use Nouns Instead of Verbs in Endpoints. ...
  • Name Collections with Plural Nouns. ...
  • Use Status Codes in Error Handling. ...
  • Use Nesting on Endpoints to Show Relationships. ...
  • Use Filtering, Sorting, and Pagination to Retrieve the Data Requested.
Sep 16, 2021

What are API security controls? ›

Application programming interface (API) security refers to the practice of preventing or mitigating attacks on APIs. APIs work as the backend framework for mobile and web applications. Therefore, it is critical to protect the sensitive data they transfer.

Which is the most secure way to use an API key? ›

Before sharing your API key, regenerate it and label it as the newest shared key. Don't share API keys through email. Always use HTTPS/SSL for your API requests — some APIs won't field your request if you're not using it. Assign a unique API key to each project and label them accordingly.

Which three authentication mechanisms are used in REST API? ›

Common REST API Authentication Methods Explained
  • Username & Password Authentication. One of the most common authentication methods used by REST APIs is username and password authentication. ...
  • JWT Authentication. ...
  • OAuth2 Authentication.
Apr 21, 2021

How do I pass credentials in REST API? ›

The client must create a POST call and pass the user name, password, and authString in the Request headers using the /x-www-form-urlencoded content type. The AR System server then performs the normal authentication mechanisms to validate the credentials.

Which API is more secure SOAP API or REST API? ›

While REST is faster than SOAP and makes things easier, we have to admit that SOAP is more secure. Both SOAP and REST can use SSL or Secured Socket Layer for protecting the data during the API call request. However, SOAP goes an extra mile and supports Web Services Security as well.

Is JWT good for API authentication? ›

Summary​ Both JWT authentication and API Key authentication are good options when building a secure API. Each has benefits and drawbacks. JWT authentication is standardized and there are libraries you can use to implement API key authentication quickly.

Is JWT secure over HTTP? ›

Information exchange: JWTs are a good way of securely transmitting information between parties because they can be signed, which means you can be certain that the senders are who they say they are. Additionally, the structure of a JWT allows you to verify that the content hasn't been tampered with.

Should JWT be stored securely? ›

A JWT needs to be stored in a safe place inside the user's browser. If you store it inside localStorage, it's accessible by any script inside your page. This is as bad as it sounds; an XSS attack could give an external attacker access to the token.

How to secure API without API Manager? ›

The basic idea follows the following steps:
  1. Add client_id and clident_secret traits in your RAML.
  2. Create an auth flow that will validate client id and secret.
  3. Add a flow reference just after the listener component of the API interface.
  4. Add expected client id and client secret in a properties file in an encrypted format.
May 11, 2021

What is the difference between authentication and authorization in REST API? ›

Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights.

How do I ensure no one can access site data via REST API? ›

To block access to users' data and to stop user enumeration via REST API you need to enable the Block access to users' data via REST API setting on the Hardening tab. This security feature is designed to detect and prevent hackers from scanning your site for user logins and sensitive users' data.

How to call REST API protected with SSL? ›

Follow the steps given below to configure REST API for HTTPS connection.
  1. Import the existing signed primary certificate into an existing Java keystore: ...
  2. Obfuscate the SSL connector keystore password for greater security. ...
  3. Update the jetty-http. ...
  4. Restart the AR System server.
Jul 18, 2022

How many ways to secure REST API in Spring Boot? ›

Yours will look slightly different depending on the IDE you use.
  1. Configure Spring Security. ...
  2. Configure Authorization Server. ...
  3. Configure the Resource Server. ...
  4. Configure a Data Source. ...
  5. Database Scripts and Test Data. ...
  6. Entities. ...
  7. Exposing Resources via a REST Controller. ...
  8. Running and Testing the Application.

Which of these is a technique to secure Microservices rest? ›

A key aspect of microservice security is protection against unauthorized access. It is necessary to use standards-based identity and access management (IAM) for user authentication, such as SAML, WS-Fed or the OpenID Connect/OAuth2 standards. Multi-factor authentication (MFA) should also be added as a security measure.

Does a REST API need SSL? ›

Any server which is ready to serve the internet will need to expose services or REST APIs. The server must have some certificate, preferably from a certificate authority. These will be SSL (secure sockets layer) or TSL (transport layer security) certificates on the internet.

What is the difference between REST API and HTTPS API? ›

REST APIs support more features than HTTP APIs, while HTTP APIs are designed with minimal features so that they can be offered at a lower price. Choose REST APIs if you need features such as API keys, per-client throttling, request validation, AWS WAF integration, or private API endpoints.

How do I protect public API endpoints? ›

API Security Best Practices
  1. Implement authentication.
  2. Implement authorization.
  3. Validate all requests.
  4. Encrypt all requests and responses.
  5. Only include necessary information in responses.
  6. Throttle API requests and establish quotas.
  7. Log API activity.
  8. Conduct security tests.
Sep 24, 2021

How to secure REST API using Spring security? ›

>> Spring WebFlux users, move to this post.
  1. Get the JWT based token from the authentication endpoint, eg /auth/signin .
  2. Extract token from the authentication result.
  3. Set the HTTP header Authorization value as Bearer jwt_token .
  4. Then send a request to access the protected resources.

How authentication is done in REST API? ›

Authentication is typically done by requiring the client to provide some form of credentials – such as a user name and password, an OAuth token, or a JSON Web Token (JWT). As an API owner, you can implement authentication in Apigee using policies.

What is the best encryption standard for data at rest? ›

Best Encryption Algorithms
  • AES. The Advanced Encryption Standard (AES) is the trusted standard algorithm used by the United States government, as well as other organizations. ...
  • Triple DES. ...
  • RSA. ...
  • Blowfish. ...
  • Twofish. ...
  • Rivest-Shamir-Adleman (RSA).

How HTTPS works in REST API? ›

With HTTPS, every packet transferred between client and server is encrypted using Asymmetric Cryptography: data is encrypted using the Public Key distributed. Only the holder of the paired Private Key can decrypt the data. This asymmetric key encryption is much stronger and tougher to crack.

Should REST API use HTTPS? ›

Introduction. All APIs should use and require HTTPS to help guarantee confidentiality, authenticity, and integrity. HTTPS provides a stronger guarantee that a client is communicating with the real API and receiving back authentic contents. It also enhances privacy for applications and users using the API.

What are the types of API security? ›

Common API authentication methods
  • HTTP basic authentication. If a simple form of HTTP authentication is all an app or service requires, HTTP basic authentication might be a good fit. ...
  • API access tokens. ...
  • OAuth with OpenID. ...
  • SAML federated identity.


Top Articles
Latest Posts
Article information

Author: Van Hayes

Last Updated: 09/11/2023

Views: 6192

Rating: 4.6 / 5 (66 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Van Hayes

Birthday: 1994-06-07

Address: 2004 Kling Rapid, New Destiny, MT 64658-2367

Phone: +512425013758

Job: National Farming Director

Hobby: Reading, Polo, Genealogy, amateur radio, Scouting, Stand-up comedy, Cryptography

Introduction: My name is Van Hayes, I am a thankful, friendly, smiling, calm, powerful, fine, enthusiastic person who loves writing and wants to share my knowledge and understanding with you.