Appendix C. API security RFCs and learning resources
A great deal of API security is dealing with standards and protocols. Those standards and protocols are described in formal documents called Requests for Comments (RFCs), which are published by the Internet Engineering Task Force (IETF). Throughout this book, we have made references to many RFCs that describe how Open Authorization works, what JSON Web Tokens look like, what JSON Web Keys are, and so on. And by this point, you may be wondering, “damn, where is that RFC that describes what JSON Web Keys are?” Well, wonder no more. In this appendix, I’ve put together the most important RFCs that you, as an API security practitioner, should know about, and I highly encourage you to read through them.
It goes without saying that you cannot cover everything there is to know about API security in one book. This book gives you a very solid foundation, but you will want to go deeper into other topics such as threat modeling and API design. Also, this book approaches API security from the builder’s perspective, but what about the hacker’s perspective? Learning how threat actors think and how they abuse vulnerabilities will help you get better at protecting your own APIs. The second part of this appendix lists some resources you can use to take your API security learning journey to the next level.