8 Designing a secure API

This chapter covers

  • The intersection between API security and API design
  • Defining user-friendly scopes for access control
  • Adapting API design to meet access control needs
  • Adapting API design to handle sensitive material

Designing APIs that make sense to their users and are pleasant to use is important, but this must not be done without considering security. API security is not an afterthought that can be left for later (whenever that is) to the security people (whoever they are). Design and security are inextricably linked when creating an API, or anything else.

There is regularly news of a company having been “hacked” through its APIs, especially private ones used by mobile applications. I put quotation marks around hacked because such hacking is sometimes at a kindergarten level: in some cases, the attackers simply inspected the API responses and found sensitive data that should never have left the depths of the provider’s systems. There is also the classic “What happens if I change the user ID in this request?” … “I get other users’ data!”

An API being private, or reserved for partners and used only by trusted consumers, does not mean it can expose anything without any thought given to security. Public API security is usually treated more seriously, as long as the people involved actually know what API security means. Security matters for all types of APIs, and, as an API designer, you have a part to play in it.

8.1 An overview of API security

8.1.1 Registering a consumer

8.1.2 Getting credentials to consume the API

8.1.3 Making an API call

8.1.4 Envisioning API design from the perspective of security

8.2 Partitioning an API to facilitate access control

8.2.1 Defining flexible but complex fine-grained scopes

8.2.2 Defining simple but less flexible coarse-grained scopes

8.2.3 Choosing scope strategies

8.2.4 Defining scopes with the API description format

8.3 Designing with access control in mind

8.3.1 Knowing what data is needed to control access

8.3.2 Adapting the design when necessary

8.4 Handling sensitive material

8.4.1 Handling sensitive data

8.4.2 Handling sensitive goals

8.4.3 Designing secure error feedback

8.4.4 Identifying architecture and protocol issues

Summary
