Sitting at your desk, coding away with another cup of your favorite caffeine-infused beverage, you might be thinking to yourself, “it’s true what they say about no rest for the weary.” If you’re developing an app or architecting a cloud-native system, you can actually get the REST you need with the right Application Programming Interface (API). REST APIs provide a scalable, flexible, easy-to-use interface that makes developing and connecting web apps easier.

 

To protect your application and systems, you should know how to secure a REST API and have a way to monitor that security.

What is a REST API?

The Representational State Transfer Application Programming Interface (REST API) enables different systems to communicate and exchange data over the internet. REST APIs use a JavaScript Object Notation (JSON) data format with standard HTTP communication methods like:

  • GET: retrieve a resource
  • POST: modify a resource, including objects, files, or blocks
  • PUT: create a resource
  • DELETE: remove a resource

 

By using these common verbs and status codes, REST APIs provide a uniform interface across diverse applications, supporting all content types.

A RESTful API provides a set of protocols, or rules, for how web applications interact, regardless of their underlying programming language. For example, a REST API enables an e-commerce application written in JavaScript to share data with a database that uses Python.

Since the REST API architecture enables stateless communication between the client, like a user, and the server, it doesn’t store information about current sessions or connections. The application handles:

  • Access
  • Resource manipulation
  • Session management

 

Since REST APIs control how data travels between applications, attackers target them to gain unauthorized access to sensitive data.

Two levels of REST API security

As attackers target APIs, you need to understand the two different attack vectors they create. APIs act as a bridge that enables data to travel between two applications, meaning that attackers can attempt to either:

  • Gain unauthorized access to the API
  • Use the API to identify and target the application

Ensuring secure API access

APIs that connect web applications are exposed to the public internet, meaning that attackers can identify them, look for vulnerabilities, and gain unauthorized access to them. When securing access to APIs, you should consider:

  • Securing the network connection to mitigate risks arising from man-in-the-middle (MitM) and sniffing attacks
  • Implementing appropriate authentication and authorization to protect access to the APIs
  • Clearly specifying and limiting the API request capabilities

 

Protecting applications that expose APIs

RESTful API calls and responses can expose information about the services that they connect to. When securing these APIs, you should consider:

  • Confidential data contained in the URLs, like credentials, API keys, and session tokens, helping mitigate data leakage risks
  • Rejecting all content types by default then adding back specifically permitted ones, helping mitigate injection attack risks
  • Restricting the type and scope of HTTP security headers, helping mitigate cross-site scripting (XSS) and clickjacking risks
  • Rejecting all requests that fail to conform to API specifications

 

Best Practices for REST API Security

To achieve these security outcomes, you can implement some best practices that mitigate risks arising from REST APIs.

Use HTTPS

As a fundamental secure communication protocol, HTTPS employs either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt data transmitted between the application and server. Further, these protocols also help:

  • Verify servers to prevent MitM attacks
  • Ensure data integrity to mitigate tampering during transit

 

Manage HTTP

Since REST APIs use HTTP, you should prevent these protocols from giving away so much information that attackers can use it against you.

Restrict HTTP methods

Your API configurations should limit the types of HTTP verbs allowed. Typically, you want to:

  • Create a specific allow list of methods, like GET, POST, PUT
  • Deny-by-default all other request types, using an HTTP response code “405 Method not allowed”
  • Ensure caller authorization for the resource, action, and record

 

Sensitive information in HTTP requests

REST APIs that contain credential data in the URL can accidentally leak sensitive data, like passwords, security tokens, and API keys. When configuring the API, you should ensure that the API transfers sensitive data in:

  • The request body or headers of POST/PUT requests
  • The HTTP header for GET requests

 

HTTP Return Code

The HTTP return code tells you the results of a client’s request, typically divided into 5 categories:

  • Informational
  • Success
  • Redirection
  • Client error
  • Server error

 

For REST APIs, you can use return codes that tell you about the API’s security. Some examples of these include:

  • 401 Unauthorized: wrong or no authentication provided
  • 403 Forbidden: authentication succeeded but user lacks access permission
  • 429 Too Many Requests: potential Denial of Service (DoS) attack detected

 

Access Control

To protect your REST API, you must verify all clients that request access to the API by implementing:

  • Authentication: verifying that the client is who it say it is
  • Authorization: ensuring it can take the action that it wants to take

 

With APIs, you have the additional challenge that the clients are often technologies not people, so they won’t be able to answer the challenge questions that a multi-factor authentication (MFA) tool asks.

JSON Web Tokens (JWT)

JWTs are digitally signed JSON objects that can be verified and trusted, enabling:

  • Authentication: using public/private key pairs so that the signatures certified the party holding the private key is who it says it is
  • Authorization: passing an access token in every request after the client successfully logs in

 

0Auth 2.0

0Auth2 is a standard that enables you to use a central identify provider and grant time-bound permissions through an access token, enabling:

  • Authentication: client requests an access token using its ID and secret
  • Authorization: access tokens used on subsequent calls to define access

 

API Keys

With API keys, you can associate tokens with users and store them in your database. Problematically, API keys focus primarily on authentication not authorization by generating a key that uniquely identifies users when they sign up for access to the API.

Data Validation

Since attackers can manipulate the HTTP parameters, validating inputs and outputs is critical to securing your REST APIs.

Input validation

Fundamentally, you should never trust any input parameters or objects because attackers can try to manipulate these. Essentially, you should have input specifications that enable you to mitigate risks. Some best practices include:

  • Requirements for strong types like numbers, dates, or fixed data ranges
  • Using regular expressions (regex) to define input patterns
  • Rejecting non-conforming or unexpected inputs
  • Using a validation/sanitation library or framework to define requirements and reduce human error risk
  • Logging input validation failures to document potential attacks
  • Using a secure parser for incoming messages

 

Response validation

While validating inputs protects against attackers trying to get in, validating responses mitigates risks arising from data leaking out. You should ensure that your API responses:

  • Reject and identify requests that fail to conform to defined inputs
  • Include programming language in responses to defend against header injection attacks

Management endpoints

API endpoints are the resources that an API can access, enabling the application to interact with data. To protect these locations, you should:

  • Limit public internet access to endpoints
  • Use MFA if you must make the endpoint accessible
  • Place management endpoints on subnetworks
  • Implement appropriate firewall rules and access control lists

 

Audit logs

To document all REST API activities, you should write audit logs before and after security incidents by consistently formatting and structuring log messages that capture:

  • Request and response details
  • Time and performance metrics
  • Exceptions and errors during processing
  • Authentication and authorization data
  • Business logic and validation rules

 

Graylog API Security: Monitoring REST APIs and providing high-fidelity alerts

 

With Graylog API Security, you can monitor your REST APIs and incorporate their security as part of your overarching program. Our platform organizations APIs by domain, enabling you to align monitoring with the open API specification. Graylog API Security automatically discovers the most common types of attacks and failures, giving you the at-a-glance visibility necessary to prioritize remediation activities without requiring you to have deep technical knowledge about APIs.

 

To see how Graylog API Security can help you monitor your REST API security, contact us today.

Categories

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.