API Security in Action video edition

Video description

In Video Editions the narrator reads the book while the content, figures, code listings, diagrams, and text appear on the screen. Like an audiobook that you can also watch as a video.

A comprehensive guide to designing and implementing secure services. A must-read book for all API practitioners who manage security.
Gilberto Taccari, Penta

A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.

about the technology

APIs control data sharing in every service, server, data store, and web client. Modern data-centric designs—including microservices and cloud-native applications—demand a comprehensive, multi-layered approach to security for both private and public-facing APIs.

about the book

API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you’re done, you’ll be able to create APIs that stand up to complex threat models and hostile environments.

what's inside

  • Authentication
  • Authorization
  • Audit logging
  • Rate limiting
  • Encryption

about the audience

For developers with experience building RESTful APIs. Examples are in Java.

about the author

Neil Madden has in-depth knowledge of applied cryptography, application security, and current API security technologies. He holds a Ph.D. in Computer Science.

Anyone who wants an in-depth understanding of API security should read this.
Bobby Lin, DBS Bank

I highly recommend this book to those developing APIs.
Jorge Bo, Naranja X

The best comprehensive guide about API security I have read.
Marc Roulleau, GIRO

NARRATED BY MARIANNE SHEEHAN

Table of contents

  1. Part 1. Foundations
  2. Chapter 1 What is API security?
  3. Chapter 1 What is an API?
  4. Chapter 1 API security in context
  5. Chapter 1 Elements of API security
  6. Chapter 1 Environments and threat models
  7. Chapter 1 Security mechanisms
  8. Chapter 1 Audit logging
  9. Chapter 2 Secure API development
  10. Chapter 2 Implementation overview
  11. Chapter 2 Developing the REST API
  12. Chapter 2 Injection attacks
  13. Chapter 2 Preventing injection attacks
  14. Chapter 2 Input validation
  15. Chapter 2 Producing safe output
  16. Chapter 2 Preventing XSS
  17. Chapter 3 Securing the Natter API
  18. Chapter 3 Rate-limiting with Guava
  19. Chapter 3 Authentication to prevent spoofing
  20. Chapter 3 Creating the password database
  21. Chapter 3 Authenticating users
  22. Chapter 3 Using encryption to keep data private
  23. Chapter 3 Audit logging for accountability
  24. Chapter 3 Access control
  25. Chapter 3 Adding new members to a Natter space
  26. Part 2. Token-based authentication
  27. Chapter 4 Session cookie authentication
  28. Chapter 4 Serving the HTML from the same origin
  29. Chapter 4 Drawbacks of HTTP authentication
  30. Chapter 4 Token-based authentication
  31. Chapter 4 Session cookies
  32. Chapter 4 Cookie security attributes
  33. Chapter 4 Preventing Cross-Site Request Forgery attacks
  34. Chapter 4 Hash-based double-submit cookies
  35. Chapter 4 Double-submit cookies for the Natter API
  36. Chapter 4 Building the Natter login UI
  37. Chapter 4 Implementing logout
  38. Chapter 5 Modern token-based authentication
  39. Chapter 5 Adding CORS headers to the Natter API
  40. Chapter 5 Tokens without cookies
  41. Chapter 5 The Bearer authentication scheme
  42. Chapter 5 Storing tokens in Web Storage
  43. Chapter 5 Updating the CORS filter
  44. Chapter 5 Hardening database token storage
  45. Chapter 5 Protecting sensitive attributes
  46. Chapter 6 Self-contained tokens and JWTs
  47. Chapter 6 JSON Web Tokens
  48. Chapter 6 The JOSE header
  49. Chapter 6 Generating standard JWTs
  50. Chapter 6 Encrypting sensitive attributes
  51. Chapter 6 Authenticated encryption with NaCl
  52. Chapter 6 Encrypted JWTs
  53. Chapter 6 Using a JWT library
  54. Chapter 6 Using types for secure API design
  55. Chapter 6 Handling token revocation
  56. Part 3. Authorization
  57. Chapter 7 OAuth2 and OpenID Connect
  58. Chapter 7 The difference between scopes and permissions
  59. Chapter 7 Introducing OAuth2
  60. Chapter 7 The Authorization Code grant
  61. Chapter 7 Hardening code exchange with PKCE
  62. Chapter 7 Validating an access token
  63. Chapter 7 Securing the HTTPS client configuration
  64. Chapter 7 JWT access tokens
  65. Chapter 7 Encrypted JWT access tokens
  66. Chapter 7 Single sign-on
  67. Chapter 7 Hardening OIDC
  68. Chapter 8 Identity-based access control
  69. Chapter 8 LDAP groups
  70. Chapter 8 Role-based access control
  71. Chapter 8 Static roles
  72. Chapter 8 Attribute-based access control
  73. Chapter 8 Implementing ABAC decisions
  74. Chapter 8 Distributed policy enforcement and XACML
  75. Chapter 9 Capability-based security and macaroons
  76. Chapter 9 Capabilities and REST
  77. Chapter 9 Capabilities as URIs
  78. Chapter 9 Using capability URIs in the Natter API
  79. Chapter 9 HATEOAS
  80. Chapter 9 Capability URIs for browser-based clients
  81. Chapter 9 Hardening capability URIs
  82. Chapter 9 Macaroons: Tokens with caveats
  83. Chapter 9 A macaroon token store
  84. Chapter 9 Third-party caveats
  85. Part 4. Microservice APIs in Kubernetes
  86. Chapter 10 Microservice APIs in Kubernetes
  87. Chapter 10 Deploying Natter on Kubernetes
  88. Chapter 10 Building H2 database as a Docker container
  89. Chapter 10 Deploying the database to Kubernetes
  90. Chapter 10 Building the Natter API as a Docker container
  91. Chapter 10 The link-preview microservice
  92. Chapter 10 Preventing SSRF attacks
  93. Chapter 10 DNS rebinding attacks
  94. Chapter 10 Securing communications with TLS
  95. Chapter 10 Using a service mesh for TLS
  96. Chapter 10 Locking down network connections
  97. Chapter 10 Securing incoming requests
  98. Chapter 11 Securing service-to-service APIs
  99. Chapter 11 The OAuth2 client credentials grant
  100. Chapter 11 The JWT bearer grant for OAuth2
  101. Chapter 11 Generating the JWT
  102. Chapter 11 Mutual TLS authentication
  103. Chapter 11 Verifying client identity
  104. Chapter 11 Using a service mesh
  105. Chapter 11 Certificate-bound access tokens
  106. Chapter 11 Managing service credentials
  107. Chapter 11 Key and secret management services
  108. Chapter 11 Avoiding long-lived secrets on disk
  109. Chapter 11 Key derivation
  110. Chapter 11 Service API calls in response to user requests
  111. Chapter 11 OAuth2 token exchange
  112. Chapter 11 OAuth2 token exchange
  113. Part 5. APIs for the Internet of Things
  114. Chapter 12 Securing IoT communications
  115. Chapter 12 Datagram TLS
  116. Chapter 12 Datagram TLS
  117. Chapter 12 Datagram TLS
  118. Chapter 12 Cipher suites for constrained devices
  119. Chapter 12 Cipher suites for constrained devices
  120. Chapter 12 Cipher suites for constrained devices
  121. Chapter 12 Pre-shared keys
  122. Chapter 12 The PSK client
  123. Chapter 12 End-to-end security
  124. Chapter 12 COSE
  125. Chapter 12 Alternatives to COSE
  126. Chapter 12 Misuse-resistant authenticated encryption
  127. Chapter 12 Misuse-resistant authenticated encryption
  128. Chapter 12 Key distribution and management
  129. Chapter 12 Ratcheting for forward secrecy
  130. Chapter 12 Post-compromise security
  131. Chapter 13 Securing IoT APIs
  132. Chapter 13 Device certificates
  133. Chapter 13 End-to-end authentication
  134. Chapter 13 OSCORE
  135. Chapter 13 Avoiding replay in REST APIs
  136. Chapter 13 OAuth2 for constrained environments
  137. Chapter 13 OAuth2 for constrained environments
  138. Chapter 13 Offline access control
  139. Chapter 13 Offline authorization

Product information

  • Title: API Security in Action video edition
  • Author(s): Neil Madden
  • Release date: November 2020
  • Publisher(s): Manning Publications
  • ISBN: None