SlideShare uma empresa Scribd logo

Secure Your REST API (The Right Way)

Transferir como PPTX, PDF
Stormpath
Stormpath

We already showed you how to build a Beautiful REST+JSON API(http://www.slideshare.net/stormpath/rest-jsonapis), but how do you secure your API? At Stormpath we spent 18 months researching best practices, implementing them in the Stormpath API, and figuring out what works. Here’s our playbook on how to secure a REST API.

Software
1 de 40
Les Hazlewood @lhazlewood Apache Shiro PMC Chair CTO, Stormpath stormpath.com Secure your REST API (the right way)
.com • User Management and Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
HTTP Authentication...
... is all about the headers Learn more at Stormpath.com
1. Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Learn more at Stormpath.com
2. Challenge Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=“name” Learn more at Stormpath.com
3. Resubmit Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Learn more at Stormpath.com
Authorization Header Format GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Scheme Name Scheme-specific Value sp Learn more at Stormpath.com
4. Successful Response HTTP/1.1 200 OK Content-Type: application/json ... { “email”: “jsmith@gmail.com”, “givenName”: “Joe”, “surname”: Smith”, ... } Learn more at Stormpath.com
Example: Oauth 1.0a GET /accounts/1234 HTTP/1.1 Host: api.acme.com Authorization: OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131200", oauth_nonce="wIjqoS", oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready", oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" Learn more at Stormpath.com
Example: Oauth 2 GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Bearer mF_9.B5f-4.1JqM Learn more at Stormpath.com
Example: Oauth 2 MAC GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: MAC id="h480djs93hd8", nonce="264095:dj83hs9s”, mac="SLDJd4mg43cjQfElUs3Qub4L6xE=" Learn more at Stormpath.com
Ok, now that’s out of the way • Please avoid Basic Authc if you can. • Favor HMAC-SHA256 digest algorithms over bearer token algorithms • Use Oauth 1.0a or Oauth 2 (preferably MAC) • Only use a custom scheme if you really, really know what you’re doing. Learn more at Stormpath.com
Status Codes Learn more at Stormpath.com
401 vs 403 • 401 “Unauthorized” really means Unauthenticated “You need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath.com
HTTP Authorization Learn more at Stormpath.com
HTTP Authorization • After authc, perform authz • Filter requests before invoking MVC layer • Blanket security policies • Per-URI customization Learn more at Stormpath.com
HTTP Authorization: OAuth • OAuth is an authorization protocol, NOT an authentication or SSO protocol. • “Can I see User X’s email address please?” NOT: • “I want to authenticate User X w/ this username and password” • People still try to use OAuth for authentication (OpenId Connect) Learn more at Stormpath.com
HTTP Authorization: OAuth • When OAuth 2 is a good fit: • If your REST clients do NOT own the data they are attempting to read • When Oauth 2 isn’t as good of a fit: • If your REST client owns the data it is reading • Could still be fine if you’re willing to incur some additional overhead Learn more at Stormpath.com
HTTP Authorization: JWT • JWT = JSON Web Token • Very new spec, but clean & simple • JWTs can be digitally signed and/or encrypted, and are URL friendly. • Can be used as Bearer Tokens and for SSO Learn more at Stormpath.com
Best Practices Learn more at Stormpath.com
API Keys Learn more at Stormpath.com
API Keys, Not Passwords • Entropy • Independence • Speed • Reduced Exposure • Traceability • Rotation Learn more at Stormpath.com
API Keys cont’d • Authenticate every request • Encrypt API Key secret values at rest. • Avoid Sessions (not RESTful) • Authc every request + no sessions = no XSRF attacks Learn more at Stormpath.com
Identifiers Learn more at Stormpath.com
Identifiers /accounts/x2b4jX3l31uiL Good Not So Good /accounts/1234 Why? Learn more at Stormpath.com
Identifiers • Should be opaque • Secure Random or Random/Time UUID • URL-friendly ‘Base62’ encoding • Avoid sequential numbers: • distribute ID generation load • mitigate fusking attacks Learn more at Stormpath.com
Query Injection Learn more at Stormpath.com
Query Injection Vulnerable URL: foo.com/accounts?acctId=‘ or ‘1’=‘1 String query = “select * from accounts where acct_id = ‘” + request.getParameter(“acctId”) + “’”; Solution • Use Parameterized Query API (Prepared Statements). • If not available, escape special chars Learn more at Stormpath.com
Redirects and Forwards Learn more at Stormpath.com
Redirects and Forwards • Avoid redirects and forwards if possible • If used, validate the value and ensure authorized for the current user. foo.com/redirect.jsp?url=evil.com foo.com/whatever.jsp?fwd=admin.jsp Learn more at Stormpath.com
TLS Learn more at Stormpath.com
TLS • Use TLS for everything • Once electing to TLS: – Never revert – Never switch back and forth • Cookies: set the ‘secure’ and ‘httpOnly’ flags for secure cookies • Backend/infrastructure connections use TLS too Learn more at Stormpath.com
TLS Cont’d • Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms • Use Cipher Suites w/ Perfect Forward Secrecy! –e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256 • Keep your TLS certificates valid • But beware, TLS isn’t foolproof – App-level encryption + TLS for most secure results Learn more at Stormpath.com
Configuration Learn more at Stormpath.com
Configuration • CI: Security Testing • Security Patches • Regularly scan/audit • Same config in Dev, Prod, QA* – (Docker is great for this!) • Externalize passwords/credentials * Except credentials of course Learn more at Stormpath.com
Storage Learn more at Stormpath.com
Storage • Sensitive data encrypted at rest • Encrypt offsite backups • Strong algorithms/standards • Strong encryption keys and key mgt • Strong password hashing • External key storage • Encrypted file system (e.g. eCryptfs) Learn more at Stormpath.com
Thank You! • les@stormpath.com • Twitter: @lhazlewood • https://stormpath.com Learn more at Stormpath.com
.com • Free for developers • Eliminate months of development • Automatic security best practices Sign Up Now: Stormpath.com Learn more at Stormpath.com

Recomendados

Pentesting jwt
Pentesting jwtPentesting jwt
Pentesting jwtJaya Kumar Kondapalli
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security TestingSmartBear
 
Api security
Api security Api security
Api security teodorcotruta
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
The Same-Origin Policy
The Same-Origin PolicyThe Same-Origin Policy
The Same-Origin PolicyFabrizio Farinacci
 
Owasp zap
Owasp zapOwasp zap
Owasp zappenetration Tester
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 

Recomendados

Pentesting jwt
Pentesting jwtPentesting jwt
Pentesting jwtJaya Kumar Kondapalli
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security TestingSmartBear
 
Api security
Api security Api security
Api security teodorcotruta
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
The Same-Origin Policy
The Same-Origin PolicyThe Same-Origin Policy
The Same-Origin PolicyFabrizio Farinacci
 
Owasp zap
Owasp zapOwasp zap
Owasp zappenetration Tester
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
JSON Web Tokens
JSON Web TokensJSON Web Tokens
JSON Web TokensIvan Rosolen
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Json web token
Json web tokenJson web token
Json web tokenMayank Patel
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practicesAnkita Mahajan
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityBruno Henrique Rother
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectiveRajniHatti
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 

Mais conteúdo relacionado

Mais procurados

Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practicesAnkita Mahajan
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityBruno Henrique Rother
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectiveRajniHatti
 

Mais procurados (20)

JSON Web Tokens
JSON Web TokensJSON Web Tokens
JSON Web Tokens
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
Security testing
Security testingSecurity testing
Security testing
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
Json web token
Json web tokenJson web token
Json web token
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practices
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring Security
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's Perspective
 

Semelhante a Secure Your REST API (The Right Way)

REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure RESTguestb2ed5f
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application TechnologiesSam Bowne
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
Building Awesome APIs with Lumen
Building Awesome APIs with LumenBuilding Awesome APIs with Lumen
Building Awesome APIs with LumenKit Brennan
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Using Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldUsing Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldGil Fink
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API SecurityTaiseer Joudeh
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Lviv Startup Club
 

Semelhante a Secure Your REST API (The Right Way) (20)

REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure REST
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application Technologies
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Facebook & Twitter API
Facebook & Twitter APIFacebook & Twitter API
Facebook & Twitter API
 
Building Awesome APIs with Lumen
Building Awesome APIs with LumenBuilding Awesome APIs with Lumen
Building Awesome APIs with Lumen
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
HTTP
HTTPHTTP
HTTP
 
Using Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldUsing Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 World
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API Security
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 

Mais de Stormpath

The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityStormpath
 
Getting Started With Angular
Getting Started With AngularGetting Started With Angular
Getting Started With AngularStormpath
 
Building Beautiful REST APIs with ASP.NET Core
Building Beautiful REST APIs with ASP.NET CoreBuilding Beautiful REST APIs with ASP.NET Core
Building Beautiful REST APIs with ASP.NET CoreStormpath
 
Build a REST API for your Mobile Apps using Node.js
Build a REST API for your Mobile Apps using Node.jsBuild a REST API for your Mobile Apps using Node.js
Build a REST API for your Mobile Apps using Node.jsStormpath
 
JWTs in Java for CSRF and Microservices
JWTs in Java for CSRF and MicroservicesJWTs in Java for CSRF and Microservices
JWTs in Java for CSRF and MicroservicesStormpath
 
Beautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonBeautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonStormpath
 
Storing User Files with Express, Stormpath, and Amazon S3
Storing User Files with Express, Stormpath, and Amazon S3Storing User Files with Express, Stormpath, and Amazon S3
Storing User Files with Express, Stormpath, and Amazon S3Stormpath
 
Custom Data Search with Stormpath
Custom Data Search with StormpathCustom Data Search with Stormpath
Custom Data Search with StormpathStormpath
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreStormpath
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
JWTs for CSRF and Microservices
JWTs for CSRF and MicroservicesJWTs for CSRF and Microservices
JWTs for CSRF and MicroservicesStormpath
 
Instant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootInstant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootStormpath
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreStormpath
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Stormpath
 
Spring Boot Authentication...and More!
Spring Boot Authentication...and More! Spring Boot Authentication...and More!
Spring Boot Authentication...and More! Stormpath
 
Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Stormpath
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Stormpath
 
Stormpath 101: Spring Boot + Spring Security
Stormpath 101: Spring Boot + Spring SecurityStormpath 101: Spring Boot + Spring Security
Stormpath 101: Spring Boot + Spring SecurityStormpath
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular jsStormpath
 

Mais de Stormpath (20)

The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API Security
 
Getting Started With Angular
Getting Started With AngularGetting Started With Angular
Getting Started With Angular
 
Building Beautiful REST APIs with ASP.NET Core
Building Beautiful REST APIs with ASP.NET CoreBuilding Beautiful REST APIs with ASP.NET Core
Building Beautiful REST APIs with ASP.NET Core
 
Build a REST API for your Mobile Apps using Node.js
Build a REST API for your Mobile Apps using Node.jsBuild a REST API for your Mobile Apps using Node.js
Build a REST API for your Mobile Apps using Node.js
 
JWTs in Java for CSRF and Microservices
JWTs in Java for CSRF and MicroservicesJWTs in Java for CSRF and Microservices
JWTs in Java for CSRF and Microservices
 
Beautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonBeautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with Ion
 
Storing User Files with Express, Stormpath, and Amazon S3
Storing User Files with Express, Stormpath, and Amazon S3Storing User Files with Express, Stormpath, and Amazon S3
Storing User Files with Express, Stormpath, and Amazon S3
 
Custom Data Search with Stormpath
Custom Data Search with StormpathCustom Data Search with Stormpath
Custom Data Search with Stormpath
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET Core
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
JWTs for CSRF and Microservices
JWTs for CSRF and MicroservicesJWTs for CSRF and Microservices
JWTs for CSRF and Microservices
 
Instant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootInstant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring Boot
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101
 
Spring Boot Authentication...and More!
Spring Boot Authentication...and More! Spring Boot Authentication...and More!
Spring Boot Authentication...and More!
 
Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2
 
Stormpath 101: Spring Boot + Spring Security
Stormpath 101: Spring Boot + Spring SecurityStormpath 101: Spring Boot + Spring Security
Stormpath 101: Spring Boot + Spring Security
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular js
 

Último

Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 
Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Anthony Dahanne
 
SoftTeco - Software Development Company Profile
SoftTeco - Software Development Company ProfileSoftTeco - Software Development Company Profile
SoftTeco - Software Development Company Profileakrivarotava
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024VictoriaMetrics
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencessuser9e7c64
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 

Último (20)

Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 
Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024
 
SoftTeco - Software Development Company Profile
SoftTeco - Software Development Company ProfileSoftTeco - Software Development Company Profile
SoftTeco - Software Development Company Profile
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024VictoriaMetrics Anomaly Detection Updates: Q1 2024
VictoriaMetrics Anomaly Detection Updates: Q1 2024
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conference
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 

Secure Your REST API (The Right Way)

  • 1. Les Hazlewood @lhazlewood Apache Shiro PMC Chair CTO, Stormpath stormpath.com Secure your REST API (the right way)
  • 2. .com • User Management and Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
  • 4. ... is all about the headers Learn more at Stormpath.com
  • 5. 1. Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Learn more at Stormpath.com
  • 6. 2. Challenge Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=“name” Learn more at Stormpath.com
  • 7. 3. Resubmit Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Learn more at Stormpath.com
  • 8. Authorization Header Format GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Scheme Name Scheme-specific Value sp Learn more at Stormpath.com
  • 9. 4. Successful Response HTTP/1.1 200 OK Content-Type: application/json ... { “email”: “jsmith@gmail.com”, “givenName”: “Joe”, “surname”: Smith”, ... } Learn more at Stormpath.com
  • 10. Example: Oauth 1.0a GET /accounts/1234 HTTP/1.1 Host: api.acme.com Authorization: OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131200", oauth_nonce="wIjqoS", oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready", oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" Learn more at Stormpath.com
  • 11. Example: Oauth 2 GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Bearer mF_9.B5f-4.1JqM Learn more at Stormpath.com
  • 12. Example: Oauth 2 MAC GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: MAC id="h480djs93hd8", nonce="264095:dj83hs9s”, mac="SLDJd4mg43cjQfElUs3Qub4L6xE=" Learn more at Stormpath.com
  • 13. Ok, now that’s out of the way • Please avoid Basic Authc if you can. • Favor HMAC-SHA256 digest algorithms over bearer token algorithms • Use Oauth 1.0a or Oauth 2 (preferably MAC) • Only use a custom scheme if you really, really know what you’re doing. Learn more at Stormpath.com
  • 14. Status Codes Learn more at Stormpath.com
  • 15. 401 vs 403 • 401 “Unauthorized” really means Unauthenticated “You need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath.com
  • 16. HTTP Authorization Learn more at Stormpath.com
  • 17. HTTP Authorization • After authc, perform authz • Filter requests before invoking MVC layer • Blanket security policies • Per-URI customization Learn more at Stormpath.com
  • 18. HTTP Authorization: OAuth • OAuth is an authorization protocol, NOT an authentication or SSO protocol. • “Can I see User X’s email address please?” NOT: • “I want to authenticate User X w/ this username and password” • People still try to use OAuth for authentication (OpenId Connect) Learn more at Stormpath.com
  • 19. HTTP Authorization: OAuth • When OAuth 2 is a good fit: • If your REST clients do NOT own the data they are attempting to read • When Oauth 2 isn’t as good of a fit: • If your REST client owns the data it is reading • Could still be fine if you’re willing to incur some additional overhead Learn more at Stormpath.com
  • 20. HTTP Authorization: JWT • JWT = JSON Web Token • Very new spec, but clean & simple • JWTs can be digitally signed and/or encrypted, and are URL friendly. • Can be used as Bearer Tokens and for SSO Learn more at Stormpath.com
  • 21. Best Practices Learn more at Stormpath.com
  • 22. API Keys Learn more at Stormpath.com
  • 23. API Keys, Not Passwords • Entropy • Independence • Speed • Reduced Exposure • Traceability • Rotation Learn more at Stormpath.com
  • 24. API Keys cont’d • Authenticate every request • Encrypt API Key secret values at rest. • Avoid Sessions (not RESTful) • Authc every request + no sessions = no XSRF attacks Learn more at Stormpath.com
  • 25. Identifiers Learn more at Stormpath.com
  • 27. Identifiers • Should be opaque • Secure Random or Random/Time UUID • URL-friendly ‘Base62’ encoding • Avoid sequential numbers: • distribute ID generation load • mitigate fusking attacks Learn more at Stormpath.com
  • 28. Query Injection Learn more at Stormpath.com
  • 29. Query Injection Vulnerable URL: foo.com/accounts?acctId=‘ or ‘1’=‘1 String query = “select * from accounts where acct_id = ‘” + request.getParameter(“acctId”) + “’”; Solution • Use Parameterized Query API (Prepared Statements). • If not available, escape special chars Learn more at Stormpath.com
  • 30. Redirects and Forwards Learn more at Stormpath.com
  • 31. Redirects and Forwards • Avoid redirects and forwards if possible • If used, validate the value and ensure authorized for the current user. foo.com/redirect.jsp?url=evil.com foo.com/whatever.jsp?fwd=admin.jsp Learn more at Stormpath.com
  • 32. TLS Learn more at Stormpath.com
  • 33. TLS • Use TLS for everything • Once electing to TLS: – Never revert – Never switch back and forth • Cookies: set the ‘secure’ and ‘httpOnly’ flags for secure cookies • Backend/infrastructure connections use TLS too Learn more at Stormpath.com
  • 34. TLS Cont’d • Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms • Use Cipher Suites w/ Perfect Forward Secrecy! –e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256 • Keep your TLS certificates valid • But beware, TLS isn’t foolproof – App-level encryption + TLS for most secure results Learn more at Stormpath.com
  • 36. Configuration • CI: Security Testing • Security Patches • Regularly scan/audit • Same config in Dev, Prod, QA* – (Docker is great for this!) • Externalize passwords/credentials * Except credentials of course Learn more at Stormpath.com
  • 37. Storage Learn more at Stormpath.com
  • 38. Storage • Sensitive data encrypted at rest • Encrypt offsite backups • Strong algorithms/standards • Strong encryption keys and key mgt • Strong password hashing • External key storage • Encrypted file system (e.g. eCryptfs) Learn more at Stormpath.com
  • 39. Thank You! • les@stormpath.com • Twitter: @lhazlewood • https://stormpath.com Learn more at Stormpath.com
  • 40. .com • Free for developers • Eliminate months of development • Automatic security best practices Sign Up Now: Stormpath.com Learn more at Stormpath.com