We already showed you how to build a Beautiful REST+JSON API(http://www.slideshare.net/stormpath/rest-jsonapis), but how do you secure your API? At Stormpath we spent 18 months researching best practices, implementing them in the Stormpath API, and figuring out what works. Here’s our playbook on how to secure a REST API.
2. .com
• User Management and Authentication
API
• Security for your applications
• User security workflows
• Security best practices
• Developer tools, SDKs, libraries
7. 3. Resubmit Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Learn more at Stormpath.com
8. Authorization Header Format
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Scheme Name Scheme-specific Value
sp
Learn more at Stormpath.com
9. 4. Successful Response
HTTP/1.1 200 OK
Content-Type: application/json
...
{
“email”: “jsmith@gmail.com”,
“givenName”: “Joe”,
“surname”: Smith”,
...
}
Learn more at Stormpath.com
10. Example: Oauth 1.0a
GET /accounts/1234 HTTP/1.1
Host: api.acme.com
Authorization: OAuth realm="Photos",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131200",
oauth_nonce="wIjqoS",
oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"
Learn more at Stormpath.com
11. Example: Oauth 2
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Bearer mF_9.B5f-4.1JqM
Learn more at Stormpath.com
12. Example: Oauth 2 MAC
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: MAC id="h480djs93hd8",
nonce="264095:dj83hs9s”,
mac="SLDJd4mg43cjQfElUs3Qub4L6xE="
Learn more at Stormpath.com
13. Ok, now that’s out of the way
• Please avoid Basic Authc if you can.
• Favor HMAC-SHA256 digest algorithms over
bearer token algorithms
• Use Oauth 1.0a or Oauth 2 (preferably MAC)
• Only use a custom scheme if you really,
really know what you’re doing.
Learn more at Stormpath.com
15. 401 vs 403
• 401 “Unauthorized” really means
Unauthenticated
“You need valid credentials for me to respond to
this request”
• 403 “Forbidden” really means Unauthorized
“I understood your credentials, but so sorry, you’re
not allowed!”
Learn more at Stormpath.com
17. HTTP Authorization
• After authc, perform authz
• Filter requests before invoking MVC layer
• Blanket security policies
• Per-URI customization
Learn more at Stormpath.com
18. HTTP Authorization: OAuth
• OAuth is an authorization protocol, NOT
an authentication or SSO protocol.
• “Can I see User X’s email address please?”
NOT:
• “I want to authenticate User X w/ this
username and password”
• People still try to use OAuth for
authentication (OpenId Connect)
Learn more at Stormpath.com
19. HTTP Authorization: OAuth
• When OAuth 2 is a good fit:
• If your REST clients do NOT own the data
they are attempting to read
• When Oauth 2 isn’t as good of a fit:
• If your REST client owns the data it is
reading
• Could still be fine if you’re willing to incur
some additional overhead
Learn more at Stormpath.com
20. HTTP Authorization: JWT
• JWT = JSON Web Token
• Very new spec, but clean & simple
• JWTs can be digitally signed and/or
encrypted, and are URL friendly.
• Can be used as Bearer Tokens and for SSO
Learn more at Stormpath.com
23. API Keys, Not Passwords
• Entropy
• Independence
• Speed
• Reduced Exposure
• Traceability
• Rotation
Learn more at Stormpath.com
24. API Keys cont’d
• Authenticate every request
• Encrypt API Key secret values at rest.
• Avoid Sessions (not RESTful)
• Authc every request + no sessions = no
XSRF attacks
Learn more at Stormpath.com
27. Identifiers
• Should be opaque
• Secure Random or Random/Time UUID
• URL-friendly ‘Base62’ encoding
• Avoid sequential numbers:
• distribute ID generation load
• mitigate fusking attacks
Learn more at Stormpath.com
29. Query Injection
Vulnerable URL:
foo.com/accounts?acctId=‘ or ‘1’=‘1
String query =
“select * from accounts where acct_id = ‘” +
request.getParameter(“acctId”) + “’”;
Solution
• Use Parameterized Query API (Prepared
Statements).
• If not available, escape special chars
Learn more at Stormpath.com
31. Redirects and Forwards
• Avoid redirects and forwards if possible
• If used, validate the value and ensure
authorized for the current user.
foo.com/redirect.jsp?url=evil.com
foo.com/whatever.jsp?fwd=admin.jsp
Learn more at Stormpath.com
33. TLS
• Use TLS for everything
• Once electing to TLS:
– Never revert
– Never switch back and forth
• Cookies: set the ‘secure’ and ‘httpOnly’
flags for secure cookies
• Backend/infrastructure connections use
TLS too
Learn more at Stormpath.com
34. TLS Cont’d
• Configure your SSL provider to only support
strong (FIPS 140-2 compliant) algorithms
• Use Cipher Suites w/ Perfect Forward
Secrecy!
–e.g.
ECDHE_RSA_WITH_AES_256_GCM_SHA256
• Keep your TLS certificates valid
• But beware, TLS isn’t foolproof
– App-level encryption + TLS for most secure
results
Learn more at Stormpath.com
36. Configuration
• CI: Security Testing
• Security Patches
• Regularly scan/audit
• Same config in Dev, Prod, QA*
– (Docker is great for this!)
• Externalize passwords/credentials
* Except credentials of course
Learn more at Stormpath.com
40. .com
• Free for developers
• Eliminate months of development
• Automatic security best practices
Sign Up Now: Stormpath.com
Learn more at Stormpath.com