3 Securing the Natter API


This chapter covers

  • Authenticating users with HTTP Basic authentication
  • Authorizing requests with access control lists
  • Ensuring accountability through audit logging
  • Mitigating denial of service attacks with rate-limiting

In the last chapter you learned how to develop the functionality of your API while avoiding common security flaws. In this chapter you’ll go beyond basic functionality and see how proactive security mechanisms can be added to your API to ensure all requests are from genuine users and properly authorized. You’ll protect the Natter API that you developed in chapter 2, applying effective password authentication using Scrypt, locking down communications with HTTPS, and preventing denial of service attacks using the Guava rate-limiting library.

3.1       Addressing threats with security controls

You’ll protect the Natter API against common threats by applying some basic security mechanisms (also known as security controls). Figure 3.1 shows the new mechanisms that you’ll develop, and you can relate each of them to a STRIDE threat (chapter 1) that they prevent:

3.2       Rate-limiting for availability

3.2.1   Rate-limiting with Guava

3.3       Authentication to prevent spoofing

3.3.1   HTTP Basic authentication

3.3.2   Secure password storage with Scrypt

3.3.3   Registering users in the Natter API

3.3.4   Authenticating users in Natter

3.4       Using encryption to keep data private

3.4.1   Enabling HTTPS

3.4.2   Strict transport security

3.5       Audit logging for accountability

3.6       Access control

3.6.1   Enforcing authentication

3.6.2   Access control lists

3.6.3   Enforcing access control in Natter

3.6.4   Adding new members to a Natter space

3.6.5   Avoiding privilege escalation attacks

3.7       Summary
