Video description
A comprehensive guide to designing and implementing secure services. A must-read book for all API practitioners who manage security.
Gilberto Taccari, Penta
A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.
about the technology
APIs control data sharing in every service, server, data store, and web client. Modern data-centric designs—including microservices and cloud-native applications—demand a comprehensive, multi-layered approach to security for both private and public-facing APIs.
about the book
API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you’re done, you’ll be able to create APIs that stand up to complex threat models and hostile environments.
what's inside
- Authentication
- Authorization
- Audit logging
- Rate limiting
- Encryption
about the audience
For developers with experience building RESTful APIs. Examples are in Java.
about the author
Neil Madden has in-depth knowledge of applied cryptography, application security, and current API security technologies. He holds a Ph.D. in Computer Science.
Anyone who wants an in-depth understanding of API security should read this.
Bobby Lin, DBS Bank
I highly recommend this book to those developing APIs.
Jorge Bo, Naranja X
The best comprehensive guide about API security I have read.
Marc Roulleau, GIRO
NARRATED BY MARIANNE SHEEHAN
Table of Contents
Part 1. Foundations
Chapter 1 What is API security?
Chapter 1 What is an API?
Chapter 1 API security in context
Chapter 1 Elements of API security
Chapter 1 Environments and threat models
Chapter 1 Security mechanisms
Chapter 1 Audit logging
Chapter 2 Secure API development
Chapter 2 Implementation overview
Chapter 2 Developing the REST API
Chapter 2 Injection attacks
Chapter 2 Preventing injection attacks
Chapter 2 Input validation
Chapter 2 Producing safe output
Chapter 2 Preventing XSS
Chapter 3 Securing the Natter API
Chapter 3 Rate-limiting with Guava
Chapter 3 Authentication to prevent spoofing
Chapter 3 Creating the password database
Chapter 3 Authenticating users
Chapter 3 Using encryption to keep data private
Chapter 3 Audit logging for accountability
Chapter 3 Access control
Chapter 3 Adding new members to a Natter space
Part 2. Token-based authentication
Chapter 4 Session cookie authentication
Chapter 4 Serving the HTML from the same origin
Chapter 4 Drawbacks of HTTP authentication
Chapter 4 Token-based authentication
Chapter 4 Session cookies
Chapter 4 Cookie security attributes
Chapter 4 Preventing Cross-Site Request Forgery attacks
Chapter 4 Hash-based double-submit cookies
Chapter 4 Double-submit cookies for the Natter API
Chapter 4 Building the Natter login UI
Chapter 4 Implementing logout
Chapter 5 Modern token-based authentication
Chapter 5 Adding CORS headers to the Natter API
Chapter 5 Tokens without cookies
Chapter 5 The Bearer authentication scheme
Chapter 5 Storing tokens in Web Storage
Chapter 5 Updating the CORS filter
Chapter 5 Hardening database token storage
Chapter 5 Protecting sensitive attributes
Chapter 6 Self-contained tokens and JWTs
Chapter 6 JSON Web Tokens
Chapter 6 The JOSE header
Chapter 6 Generating standard JWTs
Chapter 6 Encrypting sensitive attributes
Chapter 6 Authenticated encryption with NaCl
Chapter 6 Encrypted JWTs
Chapter 6 Using a JWT library
Chapter 6 Using types for secure API design
Chapter 6 Handling token revocation
Part 3. Authorization
Chapter 7 OAuth2 and OpenID Connect
Chapter 7 The difference between scopes and permissions
Chapter 7 Introducing OAuth2
Chapter 7 The Authorization Code grant
Chapter 7 Hardening code exchange with PKCE
Chapter 7 Validating an access token
Chapter 7 Securing the HTTPS client configuration
Chapter 7 JWT access tokens
Chapter 7 Encrypted JWT access tokens
Chapter 7 Single sign-on
Chapter 7 Hardening OIDC
Chapter 8 Identity-based access control
Chapter 8 LDAP groups
Chapter 8 Role-based access control
Chapter 8 Static roles
Chapter 8 Attribute-based access control
Chapter 8 Implementing ABAC decisions
Chapter 8 Distributed policy enforcement and XACML
Chapter 9 Capability-based security and macaroons
Chapter 9 Capabilities and REST
Chapter 9 Capabilities as URIs
Chapter 9 Using capability URIs in the Natter API
Chapter 9 HATEOAS
Chapter 9 Capability URIs for browser-based clients
Chapter 9 Hardening capability URIs
Chapter 9 Macaroons: Tokens with caveats
Chapter 9 A macaroon token store
Chapter 9 Third-party caveats
Part 4. Microservice APIs in Kubernetes
Chapter 10 Microservice APIs in Kubernetes
Chapter 10 Deploying Natter on Kubernetes
Chapter 10 Building H2 database as a Docker container
Chapter 10 Deploying the database to Kubernetes
Chapter 10 Building the Natter API as a Docker container
Chapter 10 The link-preview microservice
Chapter 10 Preventing SSRF attacks
Chapter 10 DNS rebinding attacks
Chapter 10 Securing communications with TLS
Chapter 10 Using a service mesh for TLS
Chapter 10 Locking down network connections
Chapter 10 Securing incoming requests
Chapter 11 Securing service-to-service APIs
Chapter 11 The OAuth2 client credentials grant
Chapter 11 The JWT bearer grant for OAuth2
Chapter 11 Generating the JWT
Chapter 11 Mutual TLS authentication
Chapter 11 Verifying client identity
Chapter 11 Using a service mesh
Chapter 11 Certificate-bound access tokens
Chapter 11 Managing service credentials
Chapter 11 Key and secret management services
Chapter 11 Avoiding long-lived secrets on disk
Chapter 11 Key derivation
Chapter 11 Service API calls in response to user requests
Chapter 11 OAuth2 token exchange
Part 5. APIs for the Internet of Things
Chapter 12 Securing IoT communications
Chapter 12 Datagram TLS
Chapter 12 Cipher suites for constrained devices
Chapter 12 Pre-shared keys
Chapter 12 The PSK client
Chapter 12 End-to-end security
Chapter 12 COSE
Chapter 12 Alternatives to COSE
Chapter 12 Misuse-resistant authenticated encryption
Chapter 12 Key distribution and management
Chapter 12 Ratcheting for forward secrecy
Chapter 12 Post-compromise security
Chapter 13 Securing IoT APIs
Chapter 13 Device certificates
Chapter 13 End-to-end authentication
Chapter 13 OSCORE
Chapter 13 Avoiding replay in REST APIs
Chapter 13 OAuth2 for constrained environments
Chapter 13 Offline access control
Chapter 13 Offline authorization