API Security Checklist

  • Use HTTPS to protect sensitive data (authentication credentials, API Keys, etc.) in transit.
  • Authentication/Authorisation: Make sure the endpoints are protected with proper access levels.
  • GET requests are an easy target for attackers, so never perform an operation that changes the state of your application in a GET handler.
  • Protect your API against CSRF (Cross-Site Request Forgery) attacks.
  • Make sure your API is not vulnerable to XSS (Cross-Site Scripting) attacks.
  • Sign JWT (JSON Web Tokens) securely, preferably using secrets.
  • Use API Keys for every request.
  • Treat management endpoints differently than normal ones, by enforcing stronger security policies (e.g. multi-factor authentication).
  • Handle exceptions decently so that technical error details are not exposed to clients.
  • Use SOP (Same-Origin Policy) and disable CORS if it’s not needed. When enabling CORS, be as specific as possible.
  • Do not put any sensitive information in the URL params as they can be logged by servers. Put them in the request header or body.
  • When setting cookies, use Secure and HttpOnly. Also restrict the scope of cookies.
  • Any input or data being imported may eventually end up in users' browsers as part of an HTML page, and you don't want to send a malicious script to them. Validating input and imported data is one of the ways to prevent clickjacking, XSS or stored CSRF flaws.
  • Any input or data being imported may also end up being inserted into your database, so make sure your application is protected against SQL Injection attacks.
  • Set the response Content-Type header properly to match the response MIME type, and disable MIME type sniffing (nosniff).
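As an added example for the JWT item (this is not code from the original post), here is a minimal HS256 sign/verify routine using only the Python standard library. The key, claims and timestamps are constructed for the demonstration. It shows the checks a verifier has to make beyond the signature itself: pin the algorithm on the server instead of trusting the token header, compare the MAC in constant time, and enforce the expiry claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. A real deployment loads a random key of at least
# 32 bytes (e.g. generated once with secrets.token_bytes(32)) from a secret store.
DEMO_SECRET = b"constructed-demo-secret-do-not-use-in-production!"


class InvalidToken(Exception):
    """Raised for any token that fails a structural or cryptographic check."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(claims: dict, secret: bytes, now: Optional[int] = None, ttl: int = 900) -> str:
    """Produce a compact HS256 JWT with iat and exp claims added."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = f"{json_segment(header)}.{json_segment(payload)}"
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(tag)}"


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims of a valid token, or raise InvalidToken."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("malformed header or signature")
    # Pin the algorithm: the server decides, never the token. This rejects
    # "alg": "none" and any attempt to swap in a different algorithm.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the MAC cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise InvalidToken("malformed payload")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise InvalidToken("expired or missing exp")
    return claims


if __name__ == "__main__":
    token = sign_jwt({"sub": "alice"}, DEMO_SECRET, now=1_000_000)
    print(token)
    print(verify_jwt(token, DEMO_SECRET, now=1_000_100))
```

The order of checks matters: the algorithm and signature are verified before any claim is read, so unsigned or tampered payloads never reach application logic.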
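The CORS, cookie, Content-Type/nosniff and state-changing-GET items above all come down to a handful of headers and one request gate. The following is an added example (not the post's own code) written against the Python standard library; the origin allowlist and the `/api` cookie path are constructed for the demonstration. It echoes only an exact allowlisted Origin rather than `*`, sets cookies with Secure, HttpOnly, SameSite and a narrowed Path, fixes the Content-Type and nosniff headers for JSON responses, and refuses to treat a GET (or a request with no trusted Origin/Referer) as a state change.

```python
from http.cookies import SimpleCookie
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist of browser origins permitted to call the API.
ALLOWED_ORIGINS = frozenset({"https://app.example.test"})
STATE_CHANGING_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Echo only an exact allowlisted Origin; never answer with '*'."""
    if origin not in ALLOWED_ORIGINS:
        # No CORS headers at all: the browser then blocks the cross-origin read.
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # stop caches serving one origin's answer to another
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
    }


def json_response_headers(origin: Optional[str] = None) -> Dict[str, str]:
    """Headers for a JSON body: exact Content-Type plus nosniff, no caching."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }
    headers.update(cors_headers(origin))
    return headers


def session_cookie(value: str, max_age: int = 3600) -> str:
    """Set-Cookie value with Secure, HttpOnly, SameSite=Strict and a narrowed Path."""
    jar = SimpleCookie()
    jar["session"] = value
    morsel = jar["session"]
    morsel["secure"] = True      # only sent over HTTPS
    morsel["httponly"] = True    # not readable from JavaScript
    morsel["samesite"] = "Strict"
    morsel["path"] = "/api"      # scope the cookie to the API prefix only
    morsel["max-age"] = max_age
    return morsel.OutputString()


def state_change_allowed(method: str, origin: Optional[str], referer: Optional[str] = None) -> bool:
    """Gate for handlers that modify state: refuse GET and require a trusted source origin."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return False
    source = origin or referer
    if not source:
        return False
    # Referer carries a full URL; reduce either header to scheme://host[:port].
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


if __name__ == "__main__":
    print(json_response_headers("https://app.example.test"))
    print(session_cookie("constructed-session-id"))
    print(state_change_allowed("GET", "https://app.example.test"))
```

Origin/Referer verification is one of the standard CSRF defences and pairs with SameSite cookies; a synchronizer token can be layered on top where older browsers must be supported.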
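For the SQL injection and exception-handling items, here is an added example (not code from the original post) using Python's built-in sqlite3 with a constructed in-memory table. It places a string-built query next to its parameterised form so the difference is visible on the same hostile-looking input, and wraps the lookup in a handler that logs the full traceback server-side under a correlation id while returning only a generic message to the client.

```python
import logging
import sqlite3
import uuid
from typing import List, Tuple

log = logging.getLogger("api")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    # What NOT to do: the caller's input is spliced into the SQL text, so
    # quote characters in it change the query's meaning.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    # Parameterised: the driver binds `name` as a value; it is never parsed as SQL.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def api_get_user(conn: sqlite3.Connection, name: str) -> Tuple[int, dict]:
    """Handler returning (status, JSON body) without leaking internal detail."""
    try:
        rows = find_user(conn, name)
        if not rows:
            return 404, {"error": "not found"}
        return 200, {"user": rows[0][0]}
    except Exception:
        # Full traceback stays in the server log, keyed by an id the client can quote.
        error_id = uuid.uuid4().hex
        log.exception("request failed, error_id=%s", error_id)
        return 500, {"error": "internal error", "error_id": error_id}


if __name__ == "__main__":
    db = make_db()
    print(api_get_user(db, "alice"))
    print(api_get_user(db, "alice' OR '1'='1"))
```

The client-facing body for the failure path carries only the correlation id; anyone debugging the report looks the id up in the server log rather than reading a stack trace off the wire.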