Chapter 3. API Security

Security is a critical element of any web application, particularly so for APIs. New security issues and vulnerabilities are always being discovered, and it’s important to protect your APIs from attacks. A security breach can be disastrous—poor security implementations can lead to loss of critical data as well as revenue.

To ensure an application is secure, there are many things engineers tend to do. This includes input validation, using the Secure Sockets Layer (SSL) protocol everywhere, validating content types, maintaining audit logs, and protecting against cross-site request forgery (CSRF) and cross-site scripting (XSS). All of these are important for any web application, and you should be doing them. Beyond these typical web application security practices, there are additional techniques that apply specifically to web APIs that you expose to developers outside your company. In this chapter, we look closely at those best practices and how companies are securing APIs in practice.

Authentication and Authorization

Authentication and authorization are two foundation elements of security:


The process of verifying who you are. Web applications usually accomplish this by asking you to log in with a username and password. This combination is checked against an existing valid username/password record to ensure the request is authentic.


The process of verifying that you are permitted to do what you are trying to do. For instance, ...

Get Designing Web APIs now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.