Sitting at your desk, coding away with another cup of your favorite caffeine-infused beverage, you might be thinking to yourself, “it’s true what they say about no rest for the weary.” If you’re developing an app or architecting a cloud-native system, you can actually get the REST you need with the right Application Programming Interface (API). REST APIs provide a scalable, flexible, easy-to-use interface that makes developing and connecting web apps easier.
To protect your application and systems, you should know how to secure a REST API and have a way to monitor that security.
What is a REST API?
- GET: retrieve a resource
- POST: modify a resource, including objects, files, or blocks
- PUT: create a resource
- DELETE: remove a resource
By using these common verbs and status codes, REST APIs provide a uniform interface across diverse applications, supporting all content types.
Since the REST API architecture enables stateless communication between the client, like a user, and the server, it doesn’t store information about current sessions or connections. The application handles:
- Resource manipulation
- Session management
Since REST APIs control how data travels between applications, attackers target them to gain unauthorized access to sensitive data.
Two levels of REST API security
As attackers target APIs, you need to understand the two different attack vectors they create. APIs act as a bridge that enables data to travel between two applications, meaning that attackers can attempt to either:
- Gain unauthorized access to the API
- Use the API to identify and target the application
Ensuring secure API access
APIs that connect web applications are exposed to the public internet, meaning that attackers can identify them, look for vulnerabilities, and gain unauthorized access to them. When securing access to APIs, you should consider:
- Securing the network connection to mitigate risks arising from man-in-the-middle (MitM) and sniffing attacks
- Implementing appropriate authentication and authorization to protect access to the APIs
- Clearly specifying and limiting the API request capabilities
Protecting applications that expose APIs
RESTful API calls and responses can expose information about the services that they connect to. When securing these APIs, you should consider:
- Confidential data contained in the URLs, like credentials, API keys, and session tokens, helping mitigate data leakage risks
- Rejecting all content types by default then adding back specifically permitted ones, helping mitigate injection attack risks
- Restricting the type and scope of HTTP security headers, helping mitigate cross-site scripting (XSS) and clickjacking risks
- Rejecting all requests that fail to conform to API specifications
Best Practices for REST API Security
To achieve these security outcomes, you can implement some best practices that mitigate risks arising from REST APIs.
As a fundamental secure communication protocol, HTTPS employs either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt data transmitted between the application and server. Further, these protocols also help:
- Verify servers to prevent MitM attacks
- Ensure data integrity to mitigate tampering during transit
Since REST APIs use HTTP, you should prevent these protocols from giving away so much information that attackers can use it against you.
Restrict HTTP methods
Your API configurations should limit the types of HTTP verbs allowed. Typically, you want to:
- Create a specific allow list of methods, like GET, POST, PUT
- Deny-by-default all other request types, using an HTTP response code “405 Method not allowed”
- Ensure caller authorization for the resource, action, and record
Sensitive information in HTTP requests
REST APIs that contain credential data in the URL can accidentally leak sensitive data, like passwords, security tokens, and API keys. When configuring the API, you should ensure that the API transfers sensitive data in:
- The request body or headers of POST/PUT requests
- The HTTP header for GET requests
HTTP Return Code
The HTTP return code tells you the results of a client’s request, typically divided into 5 categories:
- Client error
- Server error
For REST APIs, you can use return codes that tell you about the API’s security. Some examples of these include:
- 401 Unauthorized: wrong or no authentication provided
- 403 Forbidden: authentication succeeded but user lacks access permission
- 429 Too Many Requests: potential Denial of Service (DoS) attack detected
To protect your REST API, you must verify all clients that request access to the API by implementing:
- Authentication: verifying that the client is who it say it is
- Authorization: ensuring it can take the action that it wants to take
With APIs, you have the additional challenge that the clients are often technologies not people, so they won’t be able to answer the challenge questions that a multi-factor authentication (MFA) tool asks.
JSON Web Tokens (JWT)
JWTs are digitally signed JSON objects that can be verified and trusted, enabling:
- Authentication: using public/private key pairs so that the signatures certified the party holding the private key is who it says it is
- Authorization: passing an access token in every request after the client successfully logs in
0Auth2 is a standard that enables you to use a central identify provider and grant time-bound permissions through an access token, enabling:
- Authentication: client requests an access token using its ID and secret
- Authorization: access tokens used on subsequent calls to define access
With API keys, you can associate tokens with users and store them in your database. Problematically, API keys focus primarily on authentication not authorization by generating a key that uniquely identifies users when they sign up for access to the API.
Since attackers can manipulate the HTTP parameters, validating inputs and outputs is critical to securing your REST APIs.
Fundamentally, you should never trust any input parameters or objects because attackers can try to manipulate these. Essentially, you should have input specifications that enable you to mitigate risks. Some best practices include:
- Requirements for strong types like numbers, dates, or fixed data ranges
- Using regular expressions (regex) to define input patterns
- Rejecting non-conforming or unexpected inputs
- Using a validation/sanitation library or framework to define requirements and reduce human error risk
- Logging input validation failures to document potential attacks
- Using a secure parser for incoming messages
While validating inputs protects against attackers trying to get in, validating responses mitigates risks arising from data leaking out. You should ensure that your API responses:
- Reject and identify requests that fail to conform to defined inputs
- Include programming language in responses to defend against header injection attacks
API endpoints are the resources that an API can access, enabling the application to interact with data. To protect these locations, you should:
- Limit public internet access to endpoints
- Use MFA if you must make the endpoint accessible
- Place management endpoints on subnetworks
- Implement appropriate firewall rules and access control lists
To document all REST API activities, you should write audit logs before and after security incidents by consistently formatting and structuring log messages that capture:
- Request and response details
- Time and performance metrics
- Exceptions and errors during processing
- Authentication and authorization data
- Business logic and validation rules
Graylog API Security: Monitoring REST APIs and providing high-fidelity alerts
With Graylog API Security, you can monitor your REST APIs and incorporate their security as part of your overarching program. Our platform organizations APIs by domain, enabling you to align monitoring with the open API specification. Graylog API Security automatically discovers the most common types of attacks and failures, giving you the at-a-glance visibility necessary to prioritize remediation activities without requiring you to have deep technical knowledge about APIs.
To see how Graylog API Security can help you monitor your REST API security, contact us today.