11 Designing a secure API
This chapter covers
- Exposing only the necessary data and operations
- Ensuring operations behave according to context
- Preventing protocol or infrastructure-based data leaks
- Limiting access with security scopes
- Erroring securely
An API that does the job and is user-friendly is nice but worth nothing if it is not secure. As APIs have grown in popularity, the number of API attacks has increased exponentially over the years, making APIs the primary hacking attack vector in 2022. In 2023, 95% of organizations faced API security problems, such as distributed denial-of-service (DDoS) attacks, lack of authentication, API key leaks, shadow or zombie APIs no one knows of, sensitive data overexposure, or business logic abuse. API security issues can cause reputational damage, financial losses, disruption of business operations, and data privacy threats.
API designers can’t solve all API security issues, but they have a crucial role to play. API security must not be overlooked during the API design process on the assumption that security experts will handle it later. How we design and document an API can significantly influence its security. For example, if we’re not careful, a user buying products on our Shopping website via our Shopping API could discover the secret buying price of products by inspecting network traffic through developer tools, access other users' orders, or change the price of a product.