book

Secure APIs

Name: Secure APIs
Author: Jose Haro
ISBN: 9781633436633

by Jose Haro

October 2025

Intermediate to advanced

376 pages

11h 39m

English

Manning Publications

Read now

Unlock full access

Secure APIs
copyright
contents
dedication
foreword
preface
acknowledgments
about this book
about the author
about the cover illustration

1 What is API security?
1.1 What is API security?1.2 What is API security by design?1.2.1 Design1.2.2 Implementation1.2.3 Infrastructure1.3 Why is API security important?1.4 Unexpected vectors of attack1.5 How API security fits into the API development cycle1.6 The rapidly changing landscape of API security1.7 Who this book is for and what you will learn
2 Aligning API security with your organization
2.1 Evaluating your API security posture2.2 Threat modeling is a team sport2.2.1 Application decomposition2.2.2 Threat identification and ranking2.2.3 Response and mitigations2.2.4 Review and validation2.3 Act now!2.3.1 Document your APIs2.3.2 Strengthen authentication and authorization2.3.3 Use proper API libraries2.3.4 Use cloud protection tools2.4 Creating an API security program2.5 Aligning API security with your organization2.6 Navigating API security audits
3 API security principles
3.1 Shift-left API security3.2 Zero-trust APIs3.3 Validate everything3.4 No such thing as an internal API3.5 You can’t protect what you don’t know3.6 DevSecOps for APIs
4 Top API authentication and authorization vulnerabilities
4.1 Running the code examples4.2 Broken object-level authorization4.3 A practical example of BOLA4.4 Broken authentication4.5 A practical example of broken authentication4.6 Broken object property level authorization4.6.1 Mass assignment4.6.2 Excessive data exposure4.6.3 Practical example of excessive data exposure4.7 Broken function-level authorization4.8 A practical example of preventing BFLA4.9 Unrestricted access to sensitive business flows4.10 A practical example of mitigating abuse of vulnerable business flows
5 Top API configuration and management vulnerabilities
5.1 Unrestricted resource consumption5.1.1 Fending off a DoS attack5.1.2 Addressing unrestricted resource consumption with code5.2 Server-side request forgery5.3 A practical example of mitigating SSRF5.4 Security misconfiguration5.5 A practical example of mitigating security misconfiguration5.6 Improper inventory management5.7 Unsafe consumption of APIs5.8 Addressing unsafe consumption of APIs in practice
6 API security by design
6.1 What is vulnerable API design?6.2 Predictable identifiers6.3 Unconstrained user input6.4 Flexible schemas6.4.1 Optional properties6.4.2 Additional properties6.5 Exposing server-side properties in user input6.6 Designing safe user flows
7 API authorization and authentication
7.1 Authentication vs. authorization7.2 Understanding JSON Web Tokens7.2.1 JWTs defined7.2.2 Structure and representation of JWTs7.3 Understanding Open Authorization7.4 Understanding OAuth flows7.4.1 Authorization code flow7.4.2 Protecting authorization requests with proof of key exchange7.4.3 Client credentials flow7.4.4 Device authorization flow7.4.5 Refresh token flow7.5 Sender-constrained tokens7.5.1 Using mTLS for certificate-bound tokens7.5.2 Demonstrating proof of possession7.6 Understanding OpenID Connect7.7 Understanding role-based access controls
8 Implementing API authentication and authorization
8.1 Documenting authenticated endpoints with OpenAPI8.2 Issuing JWTs8.3 Validating JWTs8.4 Integrating with an OpenID Connect provider8.4.1 Logging in users and issuing access tokens with an OIDC provider8.4.2 Validating access tokens issued by an OIDC provider8.5 Adding authorization middleware8.6 Implementing role-based access controls
9 Secure API infrastructure
9.1 API gateways9.2 Secure network topologies9.3 Protecting against layers 3–6 attacks9.4 Fending off malicious traffic with WAFs
10 Financial-grade APIs
10.1 What is open banking?10.2 What is FAPI?10.3 Understanding FAPI’s attacker model10.4 Securing APIs with FAPI 2.0’s security profile10.5 Securing authorization requests10.6 Message signing
11 Observability for API security
11.1 What is API observability?11.2 Logs, traces, and metrics11.3 Instrumenting APIs11.4 Logging custom events11.5 Detecting input-based attacks11.6 Detecting endpoint abuse attacks
12 Testing API security
12.1 Designing an API security testing strategy12.2 Discovering design security flaws in our APIs12.3 Using fuzzing and contract testing12.4 Automating access control tests12.5 Testing business flow vulnerabilities
appendix A API security checklist
A.1 DesignA.2 ImplementationA.3 Authentication and authorizationA.4 InfrastructureA.5 Observability
appendix B Setting up Auth0 for authentication and authorization
appendix C API security RFCs and learning resources
C.1 Important RFCsC.1.1 JSON Web Tokens (JWT)C.1.2 Open Authorization (OAuth)C.1.3 OpenID ConnectC.1.4 FAPIC.2 Learning resources
references

Content preview from Secure APIs

9 Secure API infrastructure

This chapter covers

Improving API management with API gateways
Configuring secure network topologies
Protecting APIs from attacks against OSI layers 3–6
Preventing application-level attacks with web application firewalls

When we are ready to deploy our APIs, we have to think about how to protect the infrastructure in which they’re going to operate. In previous chapters, you learned how to make APIs secure by design, implement robust authentication and authorization systems, and so on. These techniques help prevent application-level attacks. As you’ll learn in this chapter, other forms of attacks target lower levels of the networking stack, such as port scanning and denial-of-service (DoS) attacks, which can ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781633436633Publisher Support Publisher Website Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Secure APIs

by Jose Haro