Rest APIs are widely used in today’s web technologies. As a result, Rest API security means protecting the integrity of both the APIs you own and the APIs you consume.
The Internet is a network where information is exchanged very quickly and access to information is very easy. According to the Digital 2021: Global Overview Report, published by Datareportal in partnership with We Are Social and Hootsuite, the estimated number of internet users in January 2021 grew by 7.3% to reach 4.66 billion. According to this report, 59.5% of the world’s population currently uses the internet. With technologies such as IoT entering our lives, the number of devices connected to the Internet is expected to reach 50 billion in 2022.
The widespread use of the Internet, and the fact that data has become so valuable, also make it more important for institutions and governments to protect the data that travels over it. It is predicted that the world will store 200 zettabytes of data by 2025. In this environment, network attacks on computer systems can cause significant losses of money, data and time, as well as damage to reputation.
Rest APIs are one of the most common ways microservices and containers communicate, just like systems and applications. As integration and interconnection become more important, Rest APIs will be used more in our operations.
Exposed or compromised Rest APIs are a major cause of large data breaches.
This article discusses the security steps to consider while developing a Rest API.
HTTPS
HTTPS, or in full “Hypertext Transfer Protocol Secure”, is HTTP carried over an encrypted connection. In other words, the protocol you are using has been combined with an SSL/TLS certificate; this is how a website demonstrates that the connection to it is secure.
HTTPS provides a secure, encrypted connection between the server and the browser, protecting data in both directions. This helps keep potentially confidential information from being stolen in transit.
Based on this, Rest APIs developed in applications should always be published over the HTTPS protocol.
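The following is an added example, not code from the article: a small WSGI middleware that enforces the rule above. Requests arriving over plain HTTP are redirected to the same URL on HTTPS, and every HTTPS response gets a Strict-Transport-Security (HSTS) header so browsers keep using HTTPS afterwards. The inner application, the host name and the HSTS lifetime are assumptions made for the example; only the Python standard library is used.

```python
"""Added example: refuse to serve a Rest API over plain HTTP (WSGI middleware)."""
from urllib.parse import quote

# One year, including subdomains; an assumption for this example.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def _request_scheme(environ):
    """Determine the scheme the client actually used.

    Behind a TLS-terminating proxy the original scheme usually arrives in
    X-Forwarded-Proto. Trust that header only when your own proxy sets it
    (assumed here).
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded:
        return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


def _https_location(environ):
    """Rebuild the requested URL with the https:// scheme."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def require_https(app):
    """Wrap a WSGI app so it is only reachable over HTTPS."""

    def middleware(environ, start_response):
        if _request_scheme(environ) != "https":
            # Plain HTTP: do not serve the API, send the client to HTTPS.
            start_response("301 Moved Permanently",
                           [("Location", _https_location(environ)),
                            ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Add (or replace) the HSTS header on every HTTPS response.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)

    return middleware


def _hello_app(environ, start_response):
    """Constructed stand-in for the real Rest API."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']


def call(app, environ):
    """Minimal in-process WSGI client: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secure_app = require_https(_hello_app)

if __name__ == "__main__":
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "api.example.test",
             "PATH_INFO": "/products/7", "QUERY_STRING": "lang=en"}
    print(call(secure_app, plain))   # 301 to https://api.example.test/products/7?lang=en
    tls = {"wsgi.url_scheme": "https", "HTTP_HOST": "api.example.test",
           "PATH_INFO": "/products/7"}
    print(call(secure_app, tls))     # 200 with a Strict-Transport-Security header
```

The redirect only helps human browsers that follow it; API clients should be pointed at the https:// URL in the first place, and the middleware still protects against a misconfigured client quietly sending credentials in clear text.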
Authentication / Authorization
HTTP is a protocol that runs at the application layer and forms the basis of the web. The pages and applications we navigate with this protocol may use authentication methods to protect themselves, and you can choose one of these methods to protect your own pages. Users then need to be authorized visitors to access the protected pages. This is where the concepts of Authentication and Authorization come into play.
Authentication is when an entity proves its identity. In other words, Authentication proves that you are who you say you are. It is comparable to an identity card issued by a trusted authority: it tells someone who asks, such as a police officer, who you really are, and it can be used as proof.
Authorization is when an entity proves its access rights rather than its identity. In other words, Authorization proves that you have the right to make the request. For example, at your workplace you can enter areas reserved for personnel and no one will question you, because you are already an employee. A customer, however, cannot enter these areas because they are not authorized.
Authentication and Authorization can be configured for Rest APIs to prevent or restrict access by people who should not have access to the system.
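As an added example (not the article's code), the script below shows the two steps kept separate in a Rest API gateway: authenticate first (is the bearer token genuine, and who presented it?), then authorize (may this caller perform this action on this endpoint?). Tokens are HMAC-SHA256-signed JSON claims; the secret, the role names and the route policy are assumptions constructed for the example, and a real deployment would use an established token format such as JWT and load the secret from a vault.

```python
"""Added example: bearer-token authentication followed by role-based authorization."""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example only; never hard-code one in real code.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


class AuthError(Exception):
    """Authentication failed: the caller is unknown (HTTP 401)."""


class ForbiddenError(Exception):
    """Authenticated, but not allowed to do this (HTTP 403)."""


def _sign(payload_b64: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload_b64, hashlib.sha256).hexdigest()


def issue_token(subject: str, roles: list, ttl_seconds: int = 3600, now=None) -> str:
    """Mint "<base64 claims>.<hex signature>" for `subject`, valid for `ttl_seconds`."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": roles, "exp": int(now) + ttl_seconds}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def authenticate(authorization_header, now=None) -> dict:
    """Authentication: verify the bearer token and return its claims."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise AuthError("missing bearer token")
    token = authorization_header[len("Bearer "):]
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        raise AuthError("malformed token")
    # compare_digest avoids leaking the signature through timing differences.
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        raise AuthError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("exp", 0) <= now:
        raise AuthError("token expired")
    return claims


# Authorization policy: which roles may call which endpoint (assumption).
ROUTE_POLICY = {
    ("GET", "/products"): {"customer", "staff"},
    ("DELETE", "/products"): {"staff"},
}


def authorize(claims: dict, method: str, path: str) -> None:
    """Authorization: the caller is already known; check that they may do this."""
    allowed = ROUTE_POLICY.get((method, path))
    if allowed is None:
        raise ForbiddenError("no policy for endpoint")  # deny by default
    if not allowed.intersection(claims.get("roles", [])):
        raise ForbiddenError(f"{claims['sub']} lacks a role in {sorted(allowed)}")


def handle(method: str, path: str, headers: dict, now=None):
    """Return (status, body) the way an API gateway would."""
    try:
        claims = authenticate(headers.get("Authorization"), now=now)
        authorize(claims, method, path)
    except AuthError as e:
        return 401, {"error": "unauthenticated", "detail": str(e)}
    except ForbiddenError as e:
        return 403, {"error": "forbidden", "detail": str(e)}
    return 200, {"ok": True, "as": claims["sub"]}


if __name__ == "__main__":
    t = issue_token("alice", ["customer"])
    print(handle("GET", "/products", {"Authorization": f"Bearer {t}"}))       # 200
    print(handle("DELETE", "/products", {"Authorization": f"Bearer {t}"}))    # 403
    print(handle("GET", "/products", {"Authorization": f"Bearer {t}x"}))      # 401
```

Note the two different failure codes: a tampered or expired token is a 401 (we do not know who is calling), while a genuine customer token on the DELETE endpoint is a 403 (we know exactly who is calling and they are not allowed). Unknown endpoints are denied rather than allowed by default.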
Error Handling
Errors can occur at any moment in an application. When one does, an appropriate message should be given to the user, and the content of that error message matters a great deal.
For example, assume there is a product-detail Rest API that retrieves the details of the product you selected on a product listing screen. If an error occurs when this Rest API is called, the response sent to the user must not contain the stack trace of the error or, if the error occurred in the database, the database URL.
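The following added example (not from the article) shows the product-detail endpoint implemented both ways: a leaky handler that returns the exception text and stack trace, and a hardened handler that logs the full detail server-side under a correlation id and returns the client only a generic message plus that id. The database layer, its failure and the connection string are constructed stand-ins.

```python
"""Added example: keep stack traces and database details out of API error responses."""
import logging
import traceback
import uuid

log = logging.getLogger("product-api")

# Constructed connection string; exactly the kind of value that must never reach a client.
DB_URL = "postgresql://app:s3cret@db.internal:5432/shop"


class DatabaseError(Exception):
    pass


def fetch_product_from_db(product_id: int) -> dict:
    """Constructed data layer that fails for one product id."""
    if product_id == 13:
        raise DatabaseError(f"connection to {DB_URL} refused")
    return {"id": product_id, "name": f"product-{product_id}"}


def product_detail_leaky(product_id: int):
    """The anti-pattern the article warns about: internals go to the client."""
    try:
        return 200, fetch_product_from_db(product_id)
    except Exception as e:
        return 500, {"error": str(e), "stackTrace": traceback.format_exc()}


def product_detail_safe(product_id: int):
    """Hardened version: details stay in the server log, keyed by a correlation id."""
    try:
        return 200, fetch_product_from_db(product_id)
    except Exception:
        correlation_id = uuid.uuid4().hex
        # log.exception records the message and traceback where operators can read them.
        log.exception("product detail failed, correlation_id=%s", correlation_id)
        return 500, {
            "error": "An internal error occurred. Please try again later.",
            "correlationId": correlation_id,  # lets support find the log entry
        }


def response_leaks_internals(body: dict) -> bool:
    """Does a response body expose a traceback, a stackTrace field or the DB URL?"""
    text = str(body)
    return "Traceback" in text or "stackTrace" in text or DB_URL in text


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(product_detail_leaky(13))   # exposes the DB URL and a Python traceback
    print(product_detail_safe(13))    # generic message plus correlation id only
```

The correlation id is what makes the generic message workable in practice: the user can quote it to support, and support can find the full traceback in the logs without any of it having crossed the network.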
Rate Limiting
We usually want to block a high number of requests from one IP in a short time to prevent malicious attacks on websites or Rest API applications. Rate limiting means specifying a limit on how often the endpoints of an API application may be called; in other words, when the endpoints have such a limit, it is called a rate limit.
Suppose there is a Rest API open to the outside world, so anyone can send requests to it. What if we set a rule on this Rest API that it will serve only a certain number of requests per hour? For example, with a limit of 100 requests per hour, the 101st request within the hour receives an appropriate response saying that the allowed number of requests has been exceeded. Do we actually need this?
Consider a cinema information Rest API: when a client makes a request, it returns information about cinemas. The application has 10 endpoints; 8 are closed to the outside world and 2 are open. The 8 closed endpoints expect a token with every request, so not everyone can call them, while anyone can call the other 2. Malicious users can take your API out of service by sending continuous requests to these 2 endpoints. This attack is called Denial of Service (DoS); its larger-scale form, Distributed Denial of Service (DDoS), comes from many sources at once. Under such an attack our Rest API, our application and the server may become unresponsive, recovering only when the attack stops.
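As an added example (not the article's code) for the rate-limit rule and the cinema API above, the script below puts a per-client limiter of 100 requests per rolling hour in front of the two open endpoints. The 101st request from the same client within the window gets HTTP 429 with a Retry-After header instead of reaching the handler, which caps how much load a single unauthenticated client can place on the service. The endpoint paths, the IP-based client key and the cinema data are assumptions constructed for the example; the clock is injectable so the behaviour can be checked without waiting an hour.

```python
"""Added example: per-client rolling-window rate limiter for the public endpoints."""
import time
from collections import deque

LIMIT = 100            # requests allowed ...
WINDOW_SECONDS = 3600  # ... per rolling hour


class RateLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = {}  # client key -> deque of request timestamps

    def check(self, key: str):
        """Return (allowed, retry_after_seconds) for one request by `key`."""
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        # Forget requests that have fallen outside the rolling window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # Earliest request in the window decides when capacity frees up.
            retry_after = int(hits[0] + self.window - now) + 1
            return False, retry_after
        hits.append(now)
        return True, 0


# Assumption: these are the 2 endpoints that need no token.
PUBLIC_ENDPOINTS = {"/cinemas", "/cinemas/nearby"}


def list_cinemas():
    """Constructed cinema data."""
    return [{"name": "Constructed Cinema 1"}, {"name": "Constructed Cinema 2"}]


def handle_request(limiter: RateLimiter, client_ip: str, path: str):
    """Gateway logic: returns (status, body, extra_headers).

    Token-protected endpoints are outside this example and simply answer 401;
    the open endpoints are rate-limited per client IP before being served.
    """
    if path not in PUBLIC_ENDPOINTS:
        return 401, {"error": "token required"}, {}
    allowed, retry_after = limiter.check(client_ip)
    if not allowed:
        return 429, {"error": "rate limit exceeded"}, {"Retry-After": str(retry_after)}
    return 200, {"cinemas": list_cinemas()}, {}


if __name__ == "__main__":
    limiter = RateLimiter()
    for i in range(1, LIMIT + 2):
        status, body, headers = handle_request(limiter, "203.0.113.5", "/cinemas")
        if status != 200:
            print(f"request {i}: {status} {body} {headers}")  # request 101: 429 ...
```

A rolling window is used rather than a fixed calendar hour so that a burst at the end of one hour followed by a burst at the start of the next cannot double the allowance. Keying on the client IP is the simplest choice; behind a proxy the real client address must be taken from a trusted forwarded header, and a limiter shared across several API instances would keep its counters in a shared store instead of process memory.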
The security of the services we expose on the internet is very important. Remember that many malicious people try to exploit Rest APIs, and as soon as they find a vulnerability they may take your application out of service and demand money. In addition to the methods in this article, the OWASP site (https://owasp.org/) can be consulted to further improve your Rest API security.