API 101: Securing the REST APIs

Prathik Shetty
Published in System Weakness
5 min read, Jan 23, 2023


In this blog, we will take a look at REST APIs and the need to secure them. We will also see how the plain HTTP protocol compares with HTTPS, which adds a TLS security layer on top of it. The need to secure APIs is the key focus here. Let’s jump right in.

What is an API?

An API is a set of definitions and protocols for building and integrating application software. It acts as a bridge between the caller (client) and the server that fulfils the program’s request.

In other words, if you want to interact with a computer or system to retrieve information or perform a function, an API helps you communicate what you want to that system so it can understand and fulfill the request.

You can think of an API as a mediator between the users or clients and the resources or web services they want to reach. It is also a way for an organization to share resources and information while maintaining security, control, and authentication, determining who gets access to what.

What is REST API?

Representational state transfer (REST) is an architectural style that defines how data flows between client and server. It is not a communication protocol itself; it relies on a protocol such as HTTP to transfer data between the application and the server.

Why is there a need to secure REST APIs?

In the early era of the Internet, many devices were built on different technologies and languages, and the need to establish communication between those devices grew with them.

In the years that followed, web services provided a better communication channel between servers and devices.

Server vs client rendering

Server-side rendering

Initially, servers used to construct HTML directly and send it to the client. The client would then use it for rendering.

Client-side rendering

With the introduction of web services, servers only sent raw data and the client would build the HTML and then render it.

Among all the protocols developed over the years, SOAP and REST emerged as the most widely used, and with them came the question of whether to use SOAP or REST. Let’s not start that debate.

SOAP typically uses Extensible Markup Language (XML), which is a little bulkier than the JavaScript Object Notation (JSON) representation of data. The leaner nature of JSON helps optimize network bandwidth usage and gave REST a boost. That said, REST supports a wide variety of data formats apart from JSON.

With the increased usage of REST comes increased security attacks on REST APIs. So, we need to secure them.

Architectural constraints of REST

Any REST API has to conform to specific architectural constraints. When we design a REST API, it has to meet the following:

  • A uniform interface.
  • Statelessness.
  • Cacheability.
  • A client-server model.
  • A layered system.

Security is a concern across all the constraints that the REST API has to consider during the design and implementation phases.

It is often assumed that if there is a layer of authentication in front of the REST API, the REST API is secure. While authentication and authorization play a very important role in securing REST APIs, several other security measures need to be put in place. We will take a look at them.

What are the main types of HTTP vulnerability?

Below are some security attacks that can be carried out over HTTP:

  • SQL injection
  • DDoS attacks
  • Cross-site scripting
  • Cross-site request forgery

The only difference between HTTP and HTTPS is that HTTPS uses TLS (formerly SSL) to encrypt normal HTTP requests and responses and to digitally sign those requests and responses. As a result, HTTPS is far more secure than HTTP.

What does an HTTPS protocol do?

The “S” in HTTPS stands for secure, meaning that it’s a more secure version of HTTP.

HTTPS guarantees the following:

  • Confidentiality: HTTPS ensures that users’ connection to the server is encrypted.
  • Authenticity: The user is communicating with genuine websites and not phishing (spoofed) websites.
  • Integrity: There is no tampering of the data or payload sent by the user.

A plain HTTP connection can be easily monitored, modified, and impersonated.

How HTTPS can be attacked

HTTPS can be attacked in the following ways:

  • An attacker could take advantage of protocol or cipher weaknesses.
  • A user’s device could be compromised using phishing or other techniques.
  • A fake HTTPS certificate could pose as a genuine one.

All these are possible but require specialized skills and are expensive. In comparison to HTTPS, HTTP communication is easily intercepted and more prone to attack.

HTTP vs HTTPS

Let’s take a look at the security of both communication protocols.

Any server that is ready to serve the internet will need to expose services or REST APIs. The server must have a certificate, preferably issued by a certificate authority. On the internet these are SSL (secure sockets layer) or TLS (transport layer security) certificates.

You can view the certificates by clicking on the padlock and viewing the available certificates to verify the authenticity of that website.

Use HTTPS to protect data relating to financial transactions, personally identifiable information, or any other sensitive data, as well as to avoid having browsers flag your site as insecure. HTTPS enables website encryption by running HTTP over the Transport Layer Security protocol. Even though the SSL protocol was replaced by TLS 20 years ago, these certificates are still often referred to as SSL certificates.

Why migrate to an HTTPS API?

All APIs should require HTTPS to ensure confidentiality, integrity, and authenticity.

HTTPS provides a stronger guarantee that a client is communicating with the real API and receiving back authentic content. It also enhances privacy for applications and users of the API. For APIs that support cross-origin resource sharing (CORS) or JSONP requests, it also ensures the requests are not blocked by the browser.

All new APIs should use and require HTTPS. Rather than issuing a redirect when visited over plain HTTP, the API should return an error, e.g. HTTP status code 403.

To migrate an existing API that runs over plain HTTP, start by adding HTTPS support. This makes the additional protections that build on an HTTPS connection available to safeguard your API endpoints.
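As an added example (not code from the original post), a small WSGI middleware in Python that does what the two paragraphs above describe: it refuses plain-HTTP requests with a 403 JSON error instead of redirecting, and it sets an HSTS header on HTTPS responses. The proxy address, the X-Forwarded-Proto handling and the placeholder endpoint are assumptions; the `call` helper and the environ values are constructed for testing.

```python
import json

# Assumed address of the TLS-terminating reverse proxy (constructed value).
TRUSTED_PROXIES = {"10.0.0.5"}

def request_is_https(environ):
    """True if the request reached us over TLS. Direct TLS sets
    wsgi.url_scheme to "https"; behind a proxy honour X-Forwarded-Proto,
    but only from a trusted proxy, since any client can send that header."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False

def require_https(app):
    """WSGI middleware: reject plain HTTP with 403 (no redirect), add HSTS."""
    def middleware(environ, start_response):
        if not request_is_https(environ):
            body = json.dumps({"error": "HTTPS required"}).encode()
            start_response("403 Forbidden", [
                ("Content-Type", "application/json"),
                ("Content-Length", str(len(body)))])
            return [body]

        def secure_start_response(status, headers, exc_info=None):
            # Tell browsers to use HTTPS only for this host for one year.
            hsts = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
            return start_response(status, list(headers) + [hsts], exc_info)

        return app(environ, secure_start_response)
    return middleware

def api(environ, start_response):
    """Minimal placeholder REST endpoint (hypothetical)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"status": "ok"}']

secured_api = require_https(api)

def call(app, environ):
    """Invoke a WSGI app on a constructed environ; return (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```

Any WSGI server (for example `wsgiref.simple_server`) can host `secured_api` directly; the trusted-proxy check is what stops a client on the open internet from bypassing the 403 by forging the forwarded-protocol header.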

Thanks for reading my Blog 📖, hope you liked it. Stay tuned for more such amazing blogs🚀🙌


Hello folks. I am a machine learning developer. Community Lead @ GenosisX. Maintainer @Mindsdb. Open source contributor.