2 Secure API development


This chapter covers

  • Setting up an example API project
  • Understanding secure development principles
  • Identifying common attacks against APIs
  • Validating input and producing safe output

I’ve so far talked about API security in the abstract, but in this chapter, you’ll dive in and look at the nuts and bolts of developing an example API. I’ve written many APIs in my career and now spend my days reviewing the security of APIs used for critical security operations in major corporations, banks, and multinational media organizations. Although the technologies and techniques vary from situation to situation and from year to year, the fundamentals remain the same. In this chapter you’ll learn how to apply basic secure development principles to API development, so that you can build more advanced security measures on top of a firm foundation.

2.1 The Natter API

You’ve had the perfect business idea. What the world needs is a new social network. You’ve got the name and the concept: Natter, the social network for coffee mornings, book groups, and other small gatherings. You’ve defined your minimum viable product, somehow received some funding, and now need to put together an API and a simple web client. You’ll soon be the new Mark Zuckerberg, rich beyond your dreams, and considering a run for president.

2.1.1 Overview of the Natter API

2.1.2 Implementation overview

2.1.3 Setting up the project

2.1.4 Initializing the database

2.2 Developing the REST API

2.2.1 Creating a new space

2.3 Wiring up the REST endpoints

2.3.1 Trying it out

2.4 Injection attacks

2.4.1 Preventing injection attacks

2.4.2 Mitigating SQL injection with permissions

2.5 Input validation

2.6 Producing safe output

2.6.1 Exploiting XSS Attacks

2.6.2 Preventing XSS

2.6.3 Implementing the protections

Answers to pop quiz questions

Summary