8 Designing a secure API
This chapter covers
- The intersection between API security and API design
- Defining user-friendly scopes for access control
- Adapting API design to meet access control needs
- Adapting API design to handle sensitive material
Designing APIs that make sense for their users and are usable is definitely important, but this must not be done without considering security. API security is not an afterthought that you can assume will be handled later (whenever that is) by the security people (whoever they are). Indeed, design and security are inextricably linked when creating an API or anything else.
There is regularly news about a company having been “hacked” through its APIs, especially private ones used by mobile applications. I put quotation marks around hacked because sometimes such hacking is at a kindergarten level. In some cases, the attackers simply inspect the API responses and discover sensitive data that should never have left the depths of the provider’s systems. There is also the classic “What happens if I change the user ID in a request?” … “I get other users’ data!”
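The two failure modes just described, a response that carries fields which should never leave the provider's systems and a lookup that trusts whatever ID the caller puts in the request, both come down to design decisions in the handler. The following is an added example (not code from the book or any real API) that places the naive handler next to a hardened one: the hardened version checks that the authenticated caller owns the requested record before it touches the store, and builds the response from an explicit allow-list of fields rather than returning the raw record. The user records, field names and identifiers are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample store: each record mixes data the API may return with
# data that must stay inside the provider's systems (password hash, national ID).
USERS = {
    "u-100": {"id": "u-100", "name": "Ada", "email": "ada@example.test",
              "password_hash": "constructed-hash-1", "national_id": "000-00-0001"},
    "u-200": {"id": "u-200", "name": "Grace", "email": "grace@example.test",
              "password_hash": "constructed-hash-2", "national_id": "000-00-0002"},
}

# Allow-list of what a user representation is permitted to expose.
# A deny-list ("strip password_hash") silently leaks any field added later.
PUBLIC_FIELDS = ("id", "name", "email")


class Forbidden(Exception):
    """Caller is authenticated but not allowed to read this resource."""


class NotFound(Exception):
    """No such resource."""


@dataclass(frozen=True)
class Principal:
    """The identity established by authentication (e.g. from a validated token),
    never taken from the request body or URL."""
    user_id: str


def get_user_insecure(requested_id: str) -> dict:
    """'Before': trusts the ID in the request and returns the raw record.
    Any authenticated caller can read any user, sensitive fields included."""
    record = USERS.get(requested_id)
    if record is None:
        raise NotFound(requested_id)
    return dict(record)


def get_user_secure(principal: Principal, requested_id: str) -> dict:
    """Hardened handler: authorize first, then fetch, then project.

    The ownership check runs before the store lookup so that a caller probing
    other IDs learns nothing about which IDs exist (same error either way).
    """
    if principal.user_id != requested_id:
        raise Forbidden(f"{principal.user_id} may not read {requested_id}")
    record = USERS.get(requested_id)
    if record is None:
        raise NotFound(requested_id)
    # Project onto the allow-list: only designed-in fields leave the system.
    return {field: record[field] for field in PUBLIC_FIELDS}


def leaked_fields(response: dict) -> set:
    """Return the fields in a response that are outside the public allow-list."""
    return set(response) - set(PUBLIC_FIELDS)


if __name__ == "__main__":
    caller = Principal(user_id="u-100")
    print("insecure leaks:", sorted(leaked_fields(get_user_insecure("u-200"))))
    print("secure own record:", get_user_secure(caller, "u-100"))
    try:
        get_user_secure(caller, "u-200")
    except Forbidden as exc:
        print("secure other record:", exc)
```

The order of operations in `get_user_secure` is deliberate: checking authorization against the authenticated principal before consulting the store means the "change the user ID" experiment yields the same error whether or not the target exists, and the allow-list projection means a new sensitive column added to the store later stays out of the response unless someone explicitly designs it in.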
An API being private, or intended for partners and used only by trusted consumers, does not mean it can expose anything without thought given to security. Public API security is usually treated more seriously, as long as the people involved actually know what API security means. Security matters for all types of APIs, and as an API designer you have a part to play in API security.