9 Secure API infrastructure


This chapter covers

  • Improving API management with API gateways
  • Configuring secure network topologies
  • Protecting APIs from attacks against OSI model layers 3-6
  • Preventing application-level attacks with web application firewalls

Once we are ready to deploy our APIs, we have to think about how we protect the infrastructure they are going to operate in. In previous chapters, you’ve learned how to make APIs secure by design, how to implement robust authentication and authorization systems, and so on. These techniques help us prevent application-level attacks. As you’ll learn in this chapter, there are other forms of attack that target lower levels of the networking stack, such as port scanning and denial-of-service attacks, which can compromise our security posture. You’ll learn about the types of vulnerabilities threat actors exploit to perform such attacks, and how you can harden your servers and use off-the-shelf solutions to protect your infrastructure.

You’ll learn about the impact of your network topology on your security posture. API infrastructure includes multiple elements, such as web servers, databases, and queues, and not all of them should be directly exposed to external users or allowed to receive external traffic. You’ll learn how to restrict access to your API infrastructure with bastion servers, establish a demilitarized zone (DMZ) for your inbound traffic, and prevent lateral movement between your servers.
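The topology described above (inbound traffic terminating in a DMZ, administrative access only through a bastion host, and no direct host-to-host traffic inside a tier) can be checked before anything is deployed. The following is an added example, not code from the book: it models a small constructed topology as a default-deny allow-list and then audits that list against the three design invariants. All host names, zones, ports and rules are assumptions made up for the illustration.

```python
from dataclasses import dataclass
from itertools import product

# Constructed example topology: host -> zone. Names are illustrative only.
HOSTS = {
    "internet": "internet",
    "gateway": "dmz",    # API gateway / reverse proxy, the only public entry point
    "bastion": "dmz",    # hardened jump host used for administration
    "api-1": "app",
    "api-2": "app",
    "db": "data",
    "queue": "data",
}

# Ports that appear in the constructed rules: SSH, HTTPS, PostgreSQL, AMQP, API backend.
PORTS = (22, 443, 5432, 5672, 8080)


@dataclass(frozen=True)
class Rule:
    """An allow rule. `src` and `dst` name either a single host or a whole zone."""
    src: str
    dst: str
    port: int


def _matches(selector: str, host: str, hosts) -> bool:
    return selector == host or selector == hosts[host]


def is_allowed(src: str, dst: str, port: int, rules, hosts=HOSTS) -> bool:
    """Default deny: a flow passes only if some rule explicitly allows it."""
    if src == dst:
        return True  # loopback traffic is not policed by this model
    return any(
        _matches(r.src, src, hosts) and _matches(r.dst, dst, hosts) and r.port == port
        for r in rules
    )


# Constructed baseline allow-list for the topology above.
BASELINE = [
    Rule("internet", "gateway", 443),  # inbound API traffic terminates in the DMZ
    Rule("internet", "bastion", 22),   # admin SSH to the bastion (in practice also
                                       # restricted to admin source addresses; not modeled)
    Rule("gateway", "app", 8080),      # gateway forwards requests to the API tier
    Rule("bastion", "app", 22),        # SSH into the app tier only from the bastion
    Rule("bastion", "data", 22),       # SSH into the data tier only from the bastion
    Rule("app", "data", 5432),         # API servers reach the database
    Rule("app", "data", 5672),         # API servers reach the message queue
]


def check_policy(rules, hosts=HOSTS, ports=PORTS):
    """Return every allowed flow that violates one of the topology's design invariants.

    Invariants checked:
      1. Traffic from the internet may only reach the DMZ.
      2. SSH may only originate from the bastion (except SSH *to* the bastion).
      3. No host may talk to another host in its own zone (no lateral movement).
    """
    violations = []
    for src, dst, port in product(hosts, hosts, ports):
        if src == dst or not is_allowed(src, dst, port, rules, hosts):
            continue
        src_zone, dst_zone = hosts[src], hosts[dst]
        if src_zone == "internet" and dst_zone != "dmz":
            violations.append(("internet bypasses DMZ", src, dst, port))
        elif port == 22 and src != "bastion" and dst != "bastion":
            violations.append(("SSH not via bastion", src, dst, port))
        elif src_zone == dst_zone:
            violations.append(("lateral movement", src, dst, port))
    return violations


if __name__ == "__main__":
    print("baseline violations:", check_policy(BASELINE))
    # A single overly broad rule exposes the data tier directly to the internet.
    broad = BASELINE + [Rule("internet", "data", 5432)]
    for v in check_policy(broad):
        print("violation:", v)
```

Running the script reports no violations for the baseline and two for the broadened ruleset (one per data-tier host). The same audit catches a rule such as `Rule("app", "app", 8080)`, which would let a compromised API server move laterally to its neighbour, and a rule letting the gateway rather than the bastion open SSH sessions into the application tier.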

9.1 API gateways

9.2 Secure network topologies

9.3 Protecting against layers 3-6 attacks

9.4 Fending off malicious traffic with web application firewalls

9.5 Summary