Video description
In Video Editions the narrator reads the book while the content, figures, code listings, diagrams, and text appear on the screen. Like an audiobook that you can also watch as a video.
A comprehensive guide to designing and implementing secure services. A must-read book for all API practitioners who manage security.
Gilberto Taccari, Penta
A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.
about the technology
APIs control data sharing in every service, server, data store, and web client. Modern data-centric designs—including microservices and cloud-native applications—demand a comprehensive, multi-layered approach to security for both private and public-facing APIs.
about the book
API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you’re done, you’ll be able to create APIs that stand up to complex threat models and hostile environments.
what's inside
- Authentication
- Authorization
- Audit logging
- Rate limiting
- Encryption
about the audience
For developers with experience building RESTful APIs. Examples are in Java.
about the author
Neil Madden has in-depth knowledge of applied cryptography, application security, and current API security technologies. He holds a Ph.D. in Computer Science.
Anyone who wants an in-depth understanding of API security should read this.
Bobby Lin, DBS Bank
I highly recommend this book to those developing APIs.
Jorge Bo, Naranja X
The best comprehensive guide about API security I have read.
Marc Roulleau, GIRO
NARRATED BY MARIANNE SHEEHAN
Table of contents
- Part 1. Foundations
- Chapter 1 What is API security?
- Chapter 1 What is an API?
- Chapter 1 API security in context
- Chapter 1 Elements of API security
- Chapter 1 Environments and threat models
- Chapter 1 Security mechanisms
- Chapter 1 Audit logging
- Chapter 2 Secure API development
- Chapter 2 Implementation overview
- Chapter 2 Developing the REST API
- Chapter 2 Injection attacks
- Chapter 2 Preventing injection attacks
- Chapter 2 Input validation
- Chapter 2 Producing safe output
- Chapter 2 Preventing XSS
- Chapter 3 Securing the Natter API
- Chapter 3 Rate-limiting with Guava
- Chapter 3 Authentication to prevent spoofing
- Chapter 3 Creating the password database
- Chapter 3 Authenticating users
- Chapter 3 Using encryption to keep data private
- Chapter 3 Audit logging for accountability
- Chapter 3 Access control
- Chapter 3 Adding new members to a Natter space
- Part 2. Token-based authentication
- Chapter 4 Session cookie authentication
- Chapter 4 Serving the HTML from the same origin
- Chapter 4 Drawbacks of HTTP authentication
- Chapter 4 Token-based authentication
- Chapter 4 Session cookies
- Chapter 4 Cookie security attributes
- Chapter 4 Preventing Cross-Site Request Forgery attacks
- Chapter 4 Hash-based double-submit cookies
- Chapter 4 Double-submit cookies for the Natter API
- Chapter 4 Building the Natter login UI
- Chapter 4 Implementing logout
- Chapter 5 Modern token-based authentication
- Chapter 5 Adding CORS headers to the Natter API
- Chapter 5 Tokens without cookies
- Chapter 5 The Bearer authentication scheme
- Chapter 5 Storing tokens in Web Storage
- Chapter 5 Updating the CORS filter
- Chapter 5 Hardening database token storage
- Chapter 5 Protecting sensitive attributes
- Chapter 6 Self-contained tokens and JWTs
- Chapter 6 JSON Web Tokens
- Chapter 6 The JOSE header
- Chapter 6 Generating standard JWTs
- Chapter 6 Encrypting sensitive attributes
- Chapter 6 Authenticated encryption with NaCl
- Chapter 6 Encrypted JWTs
- Chapter 6 Using a JWT library
- Chapter 6 Using types for secure API design
- Chapter 6 Handling token revocation
- Part 3. Authorization
- Chapter 7 OAuth2 and OpenID Connect
- Chapter 7 The difference between scopes and permissions
- Chapter 7 Introducing OAuth2
- Chapter 7 The Authorization Code grant
- Chapter 7 Hardening code exchange with PKCE
- Chapter 7 Validating an access token
- Chapter 7 Securing the HTTPS client configuration
- Chapter 7 JWT access tokens
- Chapter 7 Encrypted JWT access tokens
- Chapter 7 Single sign-on
- Chapter 7 Hardening OIDC
- Chapter 8 Identity-based access control
- Chapter 8 LDAP groups
- Chapter 8 Role-based access control
- Chapter 8 Static roles
- Chapter 8 Attribute-based access control
- Chapter 8 Implementing ABAC decisions
- Chapter 8 Distributed policy enforcement and XACML
- Chapter 9 Capability-based security and macaroons
- Chapter 9 Capabilities and REST
- Chapter 9 Capabilities as URIs
- Chapter 9 Using capability URIs in the Natter API
- Chapter 9 HATEOAS
- Chapter 9 Capability URIs for browser-based clients
- Chapter 9 Hardening capability URIs
- Chapter 9 Macaroons: Tokens with caveats
- Chapter 9 A macaroon token store
- Chapter 9 Third-party caveats
- Part 4. Microservice APIs in Kubernetes
- Chapter 10 Microservice APIs in Kubernetes
- Chapter 10 Deploying Natter on Kubernetes
- Chapter 10 Building H2 database as a Docker container
- Chapter 10 Deploying the database to Kubernetes
- Chapter 10 Building the Natter API as a Docker container
- Chapter 10 The link-preview microservice
- Chapter 10 Preventing SSRF attacks
- Chapter 10 DNS rebinding attacks
- Chapter 10 Securing communications with TLS
- Chapter 10 Using a service mesh for TLS
- Chapter 10 Locking down network connections
- Chapter 10 Securing incoming requests
- Chapter 11 Securing service-to-service APIs
- Chapter 11 The OAuth2 client credentials grant
- Chapter 11 The JWT bearer grant for OAuth2
- Chapter 11 Generating the JWT
- Chapter 11 Mutual TLS authentication
- Chapter 11 Verifying client identity
- Chapter 11 Using a service mesh
- Chapter 11 Certificate-bound access tokens
- Chapter 11 Managing service credentials
- Chapter 11 Key and secret management services
- Chapter 11 Avoiding long-lived secrets on disk
- Chapter 11 Key derivation
- Chapter 11 Service API calls in response to user requests
- Chapter 11 OAuth2 token exchange
- Part 5. APIs for the Internet of Things
- Chapter 12 Securing IoT communications
- Chapter 12 Datagram TLS
- Chapter 12 Cipher suites for constrained devices
- Chapter 12 Pre-shared keys
- Chapter 12 The PSK client
- Chapter 12 End-to-end security
- Chapter 12 COSE
- Chapter 12 Alternatives to COSE
- Chapter 12 Misuse-resistant authenticated encryption
- Chapter 12 Key distribution and management
- Chapter 12 Ratcheting for forward secrecy
- Chapter 12 Post-compromise security
- Chapter 13 Securing IoT APIs
- Chapter 13 Device certificates
- Chapter 13 End-to-end authentication
- Chapter 13 OSCORE
- Chapter 13 Avoiding replay in REST APIs
- Chapter 13 OAuth2 for constrained environments
- Chapter 13 Offline access control
- Chapter 13 Offline authorization
Product information
- Title: API Security in Action video edition
- Author(s): Neil Madden
- Release date: November 2020
- Publisher(s): Manning Publications