How to Maximize Your API's Security

Security is an essential element of any application, especially with regard to APIs, where hundreds or thousands of applications may be making calls on a daily basis. Every day, new threats and vulnerabilities appear, and every day, companies find themselves racing against the clock to patch them. It is therefore very important to protect your APIs from attacks. Thankfully, while an API manager doesn't eliminate all threats, it can help protect you against some of the most common ones, and when used as a proxy, it can stop malicious requests before they reach your architecture.

Early on, API security consisted of basic authorization: asking the user for their username and password, which the software consuming the API then forwarded to the API on every request. This, however, created a huge security risk, because every client held a copy of the user's credentials.

Today, Open Authorization (OAuth), a token-based authorization system, is the most common API security measure. Unlike basic authorization, OAuth does not let the API client see the user's credentials. Instead, it redirects the user to a page on the destination server where they enter their credentials, and then returns to the API client an access token for that user.

The benefit of token-based access is that a token can be revoked at any time for any reason: a security breach, misuse, or simply because the user decides they no longer want that service to have access to their account. Access tokens can also carry restricted permissions, letting the user decide what the application should be able to do with their information or account.
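To make the two properties above concrete, here is an added example (not code from the original article or from any particular OAuth library) of a minimal resource-server check: tokens are issued with a set of permissions, stored only as a hash, and a request is rejected if its bearer token is unknown, revoked, or lacks the required permission. The `TokenStore` class, the `profile:read` scope names and the user names are constructed for illustration.

```python
import hashlib
import secrets


class TokenStore:
    """In-memory record of issued access tokens (constructed example).

    Only a SHA-256 digest of each token is kept, so a leaked copy of the
    store does not hand out usable credentials.
    """

    def __init__(self):
        self._tokens = {}  # sha256(token) -> {"user", "scopes", "revoked"}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, scopes):
        # A fresh, unguessable token per grant; the user's password is never stored here.
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = {
            "user": user, "scopes": frozenset(scopes), "revoked": False}
        return token

    def revoke(self, token):
        # Revocation is a flag flip: the token stays on record so reuse is detectable.
        rec = self._tokens.get(self._key(token))
        if rec is not None:
            rec["revoked"] = True

    def check(self, token, required_scope):
        """Return (True, user) on success or (False, reason) on rejection."""
        rec = self._tokens.get(self._key(token))
        if rec is None:
            return (False, "unknown_token")
        if rec["revoked"]:
            return (False, "revoked")
        if required_scope not in rec["scopes"]:
            return (False, "insufficient_scope")
        return (True, rec["user"])


def authorize_request(store, headers, required_scope):
    """Check the Authorization header of an incoming API request."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (False, "missing_bearer")
    return store.check(auth[len("Bearer "):], required_scope)
```

A real deployment would persist the store and add token expiry, but the decision logic (unknown, revoked, or under-scoped tokens are all refused) is the part that delivers the benefits described above.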

API security best practices are well defined, no matter how complex or simple the API. Developers need to make sure that their APIs keep users' data (usernames and passwords) secure, which means creating a layer of separation between that information and the client. Developers should never request login credentials through public APIs, as doing so exposes the user's information to every client that handles it.

Download a copy of Undisturbed REST: A Guide to Designing the Perfect API to learn about OAuth systems and guidelines for implementing these and other API security measures into an API project.