book

API Security in Action

Name: API Security in Action
Author: Neil Madden
ISBN: 9781617296024

by Neil Madden

January 2021

Intermediate to advanced

576 pages

18h 9m

English

Manning Publications

Read now

Unlock full access

API Security in Action
Copyright
contents
front matter
prefaceacknowledgmentsabout this bookWho should read this bookHow this book is organized: A roadmapAbout the codeliveBook discussion forumOther online resourcesabout the authorabout the cover illustration
Part 1. Foundations
1 What is API security?
1.1 An analogy: Taking your driving test1.2 What is an API?1.2.1 API styles1.3 API security in context1.3.1 A typical API deployment1.4 Elements of API security1.4.1 Assets1.4.2 Security goals1.4.3 Environments and threat models1.5 Security mechanisms1.5.1 Encryption1.5.2 Identification and authentication1.5.3 Access control and authorization1.5.4 Audit logging1.5.5 Rate-limitingAnswers to pop quiz questionsSummary
2 Secure API development
2.1 The Natter API2.1.1 Overview of the Natter API2.1.2 Implementation overview2.1.3 Setting up the project2.1.4 Initializing the database2.2 Developing the REST API2.2.1 Creating a new space2.3 Wiring up the REST endpoints2.3.1 Trying it out2.4 Injection attacks2.4.1 Preventing injection attacks2.4.2 Mitigating SQL injection with permissions2.5 Input validation2.6 Producing safe output2.6.1 Exploiting XSS Attacks2.6.2 Preventing XSS2.6.3 Implementing the protectionsAnswers to pop quiz questionsSummary
3 Securing the Natter API
3.1 Addressing threats with security controls3.2 Rate-limiting for availability3.2.1 Rate-limiting with Guava3.3 Authentication to prevent spoofing3.3.1 HTTP Basic authentication3.3.2 Secure password storage with Scrypt3.3.3 Creating the password database3.3.4 Registering users in the Natter API3.3.5 Authenticating users3.4 Using encryption to keep data private3.4.1 Enabling HTTPS3.4.2 Strict transport security3.5 Audit logging for accountability3.6 Access control3.6.1 Enforcing authentication3.6.2 Access control lists3.6.3 Enforcing access control in Natter3.6.4 Adding new members to a Natter space3.6.5 Avoiding privilege escalation attacksAnswers to pop quiz questionsSummary
Part 2. Token-based authentication
4 Session cookie authentication
4.1 Authentication in web browsers4.1.1 Calling the Natter API from JavaScript4.1.2 Intercepting form submission4.1.3 Serving the HTML from the same origin4.1.4 Drawbacks of HTTP authentication4.2 Token-based authentication4.2.1 A token store abstraction4.2.2 Implementing token-based login4.3 Session cookies4.3.1 Avoiding session fixation attacks4.3.2 Cookie security attributes4.3.3 Validating session cookies4.4 Preventing Cross-Site Request Forgery attacks4.4.1 SameSite cookies4.4.2 Hash-based double-submit cookies4.4.3 Double-submit cookies for the Natter API4.5 Building the Natter login UI4.5.1 Calling the login API from JavaScript4.6 Implementing logoutAnswers to pop quiz questionsSummary

5 Modern token-based authentication
5.1 Allowing cross-domain requests with CORS5.1.1 Preflight requests5.1.2 CORS headers5.1.3 Adding CORS headers to the Natter API5.2 Tokens without cookies5.2.1 Storing token state in a database5.2.2 The Bearer authentication scheme5.2.3 Deleting expired tokens5.2.4 Storing tokens in Web Storage5.2.5 Updating the CORS filter5.2.6 XSS attacks on Web Storage5.3 Hardening database token storage5.3.1 Hashing database tokens5.3.2 Authenticating tokens with HMAC5.3.3 Protecting sensitive attributesAnswers to pop quiz questionsSummary
6 Self-contained tokens and JWTs
6.1 Storing token state on the client6.1.1 Protecting JSON tokens with HMAC6.2 JSON Web Tokens6.2.1 The standard JWT claims6.2.2 The JOSE header6.2.3 Generating standard JWTs6.2.4 Validating a signed JWT6.3 Encrypting sensitive attributes6.3.1 Authenticated encryption6.3.2 Authenticated encryption with NaCl6.3.3 Encrypted JWTs6.3.4 Using a JWT library6.4 Using types for secure API design6.5 Handling token revocation6.5.1 Implementing hybrid tokensAnswers to pop quiz questionsSummary
Part 3. Authorization
7 OAuth2 and OpenID Connect
7.1 Scoped tokens7.1.1 Adding scoped tokens to Natter7.1.2 The difference between scopes and permissions7.2 Introducing OAuth27.2.1 Types of clients7.2.2 Authorization grants7.2.3 Discovering OAuth2 endpoints7.3 The Authorization Code grant7.3.1 Redirect URIs for different types of clients7.3.2 Hardening code exchange with PKCE7.3.3 Refresh tokens7.4 Validating an access token7.4.1 Token introspection7.4.2 Securing the HTTPS client configuration7.4.3 Token revocation7.4.4 JWT access tokens7.4.5 Encrypted JWT access tokens7.4.6 Letting the AS decrypt the tokens7.5 Single sign-on7.6 OpenID Connect7.6.1 ID tokens7.6.2 Hardening OIDC7.6.3 Passing an ID token to an APIAnswers to pop quiz questionsSummary
8 Identity-based access control
8.1 Users and groups8.1.1 LDAP groups8.2 Role-based access control8.2.1 Mapping roles to permissions8.2.2 Static roles8.2.3 Determining user roles8.2.4 Dynamic roles8.3 Attribute-based access control8.3.1 Combining decisions8.3.2 Implementing ABAC decisions8.3.3 Policy agents and API gateways8.3.4 Distributed policy enforcement and XACML8.3.5 Best practices for ABACAnswers to pop quiz questionsSummary
9 Capability-based security and macaroons
9.1 Capability-based security9.2 Capabilities and REST9.2.1 Capabilities as URIs9.2.2 Using capability URIs in the Natter API9.2.3 HATEOAS9.2.4 Capability URIs for browser-based clients9.2.5 Combining capabilities with identity9.2.6 Hardening capability URIs9.3 Macaroons: Tokens with caveats9.3.1 Contextual caveats9.3.2 A macaroon token store9.3.3 First-party caveats9.3.4 Third-party caveatsAnswers to pop quiz questionsSummary
Part 4. Microservice APIs in Kubernetes
10 Microservice APIs in Kubernetes
10.1 Microservice APIs on Kubernetes10.2 Deploying Natter on Kubernetes10.2.1 Building H2 database as a Docker container10.2.2 Deploying the database to Kubernetes10.2.3 Building the Natter API as a Docker container10.2.4 The link-preview microservice10.2.5 Deploying the new microservice10.2.6 Calling the link-preview microservice10.2.7 Preventing SSRF attacks10.2.8 DNS rebinding attacks10.3 Securing microservice communications10.3.1 Securing communications with TLS10.3.2 Using a service mesh for TLS10.3.3 Locking down network connections10.4 Securing incoming requestsAnswers to pop quiz questionsSummary
11 Securing service-to-service APIs
11.1 API keys and JWT bearer authentication11.2 The OAuth2 client credentials grant11.2.1 Service accounts11.3 The JWT bearer grant for OAuth211.3.1 Client authentication11.3.2 Generating the JWT11.3.3 Service account authentication11.4 Mutual TLS authentication11.4.1 How TLS certificate authentication works11.4.2 Client certificate authentication11.4.3 Verifying client identity11.4.4 Using a service mesh11.4.5 Mutual TLS with OAuth211.4.6 Certificate-bound access tokens11.5 Managing service credentials11.5.1 Kubernetes secrets11.5.2 Key and secret management services11.5.3 Avoiding long-lived secrets on disk11.5.4 Key derivation11.6 Service API calls in response to user requests11.6.1 The phantom token pattern11.6.2 OAuth2 token exchangeAnswers to pop quiz questionsSummary
Part 5. APIs for the Internet of Things
12 Securing IoT communications
12.1 Transport layer security12.1.1 Datagram TLS12.1.2 Cipher suites for constrained devices12.2 Pre-shared keys12.2.1 Implementing a PSK server12.2.2 The PSK client12.2.3 Supporting raw PSK cipher suites12.2.4 PSK with forward secrecy12.3 End-to-end security12.3.1 COSE12.3.2 Alternatives to COSE12.3.3 Misuse-resistant authenticated encryption12.4 Key distribution and management12.4.1 One-off key provisioning12.4.2 Key distribution servers12.4.3 Ratcheting for forward secrecy12.4.4 Post-compromise securityAnswers to pop quiz questionsSummary
13 Securing IoT APIs
13.1 Authenticating devices13.1.1 Identifying devices13.1.2 Device certificates13.1.3 Authenticating at the transport layer13.2 End-to-end authentication13.2.1 OSCORE13.2.2 Avoiding replay in REST APIs13.3 OAuth2 for constrained environments13.3.1 The device authorization grant13.3.2 ACE-OAuth13.4 Offline access control13.4.1 Offline user authentication13.4.2 Offline authorizationAnswers to pop quiz questionsSummary
appendix A. Setting up Java and Maven
A.1 Java and MavenA.1.1 macOSA.1.2 WindowsA.1.3 LinuxA.2 Installing DockerA.3 Installing an Authorization ServerA.3.1 Installing ForgeRock Access ManagementA.4 Installing an LDAP directory serverA.4.1 ForgeRock Directory Services
appendix B. Setting up Kubernetes
B.1 MacOSB.1.1 VirtualBoxB.1.2 MinikubeB.2 LinuxB.2.1 VirtualBoxB.2.2 MinikubeB.3 WindowsB.3.1 VirtualBoxB.3.2 Minikube
index

Overview

A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.

About the Technology
APIs control data sharing in every service, server, data store, and web client. Modern data-centric designs—including microservices and cloud-native applications—demand a comprehensive, multi-layered approach to security for both private and public-facing APIs.

About the Book
API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you’re done, you’ll be able to create APIs that stand up to complex threat models and hostile environments.

What's Inside

Authentication
Authorization
Audit logging
Rate limiting
Encryption

About the Reader
For developers with experience building RESTful APIs. Examples are in Java.

About the Author
Neil Madden has in-depth knowledge of applied cryptography, application security, and current API security technologies. He holds a Ph.D. in Computer Science.

Quotes
A comprehensive guide to designing and implementing secure services. A must-read book for all API practitioners who manage security.
- Gilberto Taccari, Penta

Anyone who wants an in-depth understanding of API security should read this.
- Bobby Lin, DBS Bank

I highly recommend this book to those developing APIs.
- Jorge Bo, Naranja X

The best comprehensive guide about API security I have read.
- Marc Roulleau, GIRO

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Advanced API Security: OAuth 2.0 and Beyond

Publisher Resources

ISBN: 9781617296024Publisher Support Publisher Website

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills