API Security

OAuth, API gateways, rate limiting, input validation, and API vulnerabilities.

Overview

API security is the set of controls that keep a web API from being abused: authenticating and authorizing every caller, validating every input, limiting how fast and how much each client may consume, and returning no more data than the client needs. Unlike a browser-driven site, an API is called by arbitrary clients, so none of these checks can be left to the client.

API Vulnerabilities

Vulnerability        Description                                                       Mitigation
Broken auth          Weak or missing authentication of the caller                      MFA; validate signed tokens (algorithm, signature, exp, aud, iss)
Excessive data       Endpoint returns more fields than the client needs (over-fetching)  Response schemas; filter fields on the server, never in the client
Missing rate limits  No throttling, so one client can exhaust resources or brute-force   Per-client API throttling with a 429 and Retry-After
Injection            Untrusted input reaches a query, command or template interpreter    Validation, parameterized queries, output encoding
Mass assignment      Client-supplied fields bound straight onto the model (over-posting)  Allowlist of fields the caller may set

OAuth 2.0 Implementation

# OAuth 2.0 resource server: validating a JWT access token with PyJWT.
# The accepted algorithm, audience and issuer are pinned in configuration;
# the token's own "alg" header is never used to choose the verifier.
import jwt

# Public key of the authorization server, PEM encoded. Loading it from this
# path is an assumption; in practice it is fetched from the issuer's JWKS.
with open("/etc/api/auth-server-public.pem", "rb") as f:
    public_key = f.read()

ISSUER = "https://auth.example.com"   # assumed issuer URL


class TokenValidationError(Exception):
    """Any reason the token must be rejected; map to HTTP 401."""


def validate_token(token):
    try:
        payload = jwt.decode(
            token,
            public_key,
            algorithms=['RS256'],                 # pin: never accept "none" or HS*
            audience='api.example.com',           # reject tokens minted for another API
            issuer=ISSUER,
            options={"require": ["exp", "aud", "iss"]},   # a token missing these is invalid
        )
        return payload
    except jwt.ExpiredSignatureError as exc:
        raise TokenValidationError("Token expired") from exc
    except jwt.InvalidTokenError as exc:      # bad signature, audience, issuer, format
        raise TokenValidationError("Invalid token") from exc
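Because the decoder above delegates everything to PyJWT, it is easy to lose sight of what a safe validation actually has to do. The following is an added example, not code from the page, written on the standard library only so it runs without PyJWT. It mints and verifies HS256 tokens with a constructed shared secret (an OAuth resource server would pin RS256 and verify with the authorization server's public key instead), pins the algorithm so an alg: none or algorithm-swapped token is rejected before any claim is read, compares the signature in constant time, and requires exp, aud and iss rather than defaulting them. The secret and issuer URL are assumptions made for the example.

```python
# Added example: a minimal JWT issuer/verifier on the standard library.
# HS256 with a constructed shared secret is used only to avoid a third-party
# dependency; the checks (pinned alg, constant-time signature compare,
# required exp/aud/iss) are the ones a resource server must do for any alg.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-use"   # constructed, demo only
EXPECTED_ISSUER = "https://auth.example.com"      # assumed authorization server
EXPECTED_AUDIENCE = "api.example.com"             # audience the page's decoder expects


class TokenError(Exception):
    """Any reason a token must be rejected; callers map this to HTTP 401."""


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(claims, secret=SECRET):
    """Mint an HS256 JWT; stands in for the authorization server in tests."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token, secret=SECRET, now=None):
    """Return the claims of a token the API may trust, else raise TokenError."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")

    # 1. Pin the algorithm. The header's "alg" is attacker-controlled; letting it
    #    select the verifier is how "alg: none" and HS/RS confusion bypasses work.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")

    # 2. Verify the signature before reading any claim, in constant time.
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")

    # 3. Require the claims; a token without exp, aud or iss is not "valid forever".
    for claim in ("exp", "aud", "iss"):
        if claim not in claims:
            raise TokenError(f"missing {claim} claim")
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired")
    audiences = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if EXPECTED_AUDIENCE not in audiences:
        raise TokenError("wrong audience")
    if claims["iss"] != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    return claims
```

The order matters: signature first, claims second, so an attacker cannot learn anything about claim handling with an unsigned token. Passing now explicitly is what makes expiry testable without sleeping; production callers leave it at the default.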

API Gateway Configuration

# Kong declarative configuration (decK / DB-less format)
_format_version: "3.0"

services:
  - name: user-service
    url: http://user-service:8080
    routes:
      - name: user-api
        paths: ["/api/users"]
        plugins:
          - name: rate-limiting
            config:
              minute: 100
              limit_by: consumer   # count per authenticated consumer, not per source IP
              policy: local        # in-memory counters; use redis for a multi-node gateway
          - name: jwt
            config:
              claims_to_verify: [exp]   # reject expired tokens at the edge

Rate Limiting

# Token bucket algorithm: a caller may burst up to `capacity` requests and is
# then held to `rate` requests per second. This instance holds one bucket, so
# it throttles all callers together; a per-client limit needs a bucket per key.
import time

class RateLimiter:
    def __init__(self, rate, capacity):
        self.rate = rate              # tokens added per second
        self.capacity = capacity      # maximum burst
        self.tokens = capacity
        # monotonic(), not time(): a wall-clock jump must not refill the bucket
        self.last_update = time.monotonic()

    def allow_request(self):
        now = time.monotonic()
        elapsed = now - self.last_update
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last_update = now

        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False
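The limiter above keeps a single bucket, so one noisy client drains the budget for everyone. The following added example (not code from the page) keeps one bucket per client key, takes an injected clock so it can be tested without sleeping, and reports how long a rejected caller should wait, which is the value to send in a Retry-After header with the 429. The client keys and thresholds are constructed for the example.

```python
# Added example: per-client token bucket with an injectable clock.
import time


class ClientRateLimiter:
    """Token bucket per client key: burst up to `capacity`, sustained `rate`/second."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.clock = clock             # injectable so tests can advance time explicitly
        self._buckets = {}             # client key -> [tokens, last_refill]

    def _refill(self, key):
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        self._buckets[key] = [tokens, now]
        return tokens

    def check(self, key):
        """Return (allowed, retry_after_seconds) for one request from `key`."""
        tokens = self._refill(key)
        if tokens >= 1.0:
            self._buckets[key][0] = tokens - 1.0
            return True, 0.0
        # Seconds until one full token is back; send this (rounded up) as Retry-After.
        return False, (1.0 - tokens) / self.rate


def client_key(subject, remote_addr):
    """Limit authenticated callers by identity (the validated token's sub claim)
    so rotating source IPs does not reset their budget; fall back to the source
    address only for anonymous requests."""
    return f"sub:{subject}" if subject else f"ip:{remote_addr}"
```

Two things a production version adds: eviction of idle keys (the dictionary grows with every client ever seen) and a shared store such as Redis when more than one API node enforces the same limit, otherwise each node hands out its own full budget.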

Input Validation

# Pydantic validation (v1-style API, matching the validator/orm_mode used here)
from pydantic import BaseModel, EmailStr, Field, validator

class UserCreate(BaseModel):
    username: str = Field(min_length=3, max_length=32)   # bound the length first
    email: EmailStr                                      # needs the email-validator package
    age: int = Field(ge=0, le=150)                       # `int` alone accepts -1 or 10**9

    class Config:
        orm_mode = True
        extra = 'forbid'   # reject unknown fields instead of silently dropping them

    @validator('username')
    def username_alphanumeric(cls, v):
        # isalnum() also accepts non-ASCII letters and digits; tighten to ASCII
        # if usernames end up in logs, file names or URLs.
        if not v.isalnum():
            raise ValueError('Username must be alphanumeric')
        return v
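Type validation stops wrongly shaped input, but it does nothing about a client that sends a field it is not allowed to set: the mass-assignment row of the table above. The following added example (not code from the page) shows the vulnerable update beside the allowlisted one, using a constructed User model and request bodies; the field names are assumptions made for the example.

```python
# Added example: mass assignment (over-posting) and its allowlist fix.
from dataclasses import dataclass, fields


@dataclass
class User:
    username: str
    email: str
    role: str = "user"        # may only be changed by an administrator
    is_admin: bool = False


# Fields an ordinary caller may change about their own account.
SELF_SERVICE_FIELDS = frozenset({"username", "email"})


def update_user_vulnerable(user, body):
    """Binds whatever the client sent onto the model: classic mass assignment.

    Checking that the field exists on the model is not a defence; role and
    is_admin exist on the model too, which is exactly the problem."""
    model_fields = {f.name for f in fields(user)}
    for name, value in body.items():
        if name in model_fields:
            setattr(user, name, value)
    return user


def update_user_hardened(user, body):
    """Binds only allowlisted fields and rejects, rather than ignores, the rest.

    Rejecting unexpected keys (instead of silently dropping them) surfaces
    probing in logs and stops clients from relying on undocumented behaviour."""
    unexpected = set(body) - SELF_SERVICE_FIELDS
    if unexpected:
        raise ValueError(f"fields not allowed: {sorted(unexpected)}")
    for name in SELF_SERVICE_FIELDS & set(body):
        setattr(user, name, body[name])
    return user
```

Pydantic's extra = 'forbid' covers the rejecting half for fields that are not in the schema at all. The allowlist is still needed for fields that are legitimate in the schema but not for this caller: role is a valid User field, it is just not one the user may set about themselves.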

API Security Headers

These headers take effect when a browser renders the response, so they belong on API responses too: an API may return HTML error pages, or a token-bearing JSON response may be opened directly in a browser. A JSON API additionally needs a correct Content-Type and Cache-Control: no-store so tokens and personal data are not retained by proxies or the browser cache. X-XSS-Protection is set to 0 rather than 1; mode=block: current browsers have removed the filter it enabled, and its filtering mode introduced leaks of its own.

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
Cache-Control: no-store
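Headers like these are easiest to get right when one piece of middleware applies them to every response, so no route can forget them. The following added example (not code from the page) is a WSGI middleware that does that, adds Cache-Control: no-store, and tightens the Content-Security-Policy to default-src 'none' because a JSON API response should load nothing at all; it leaves any header the route already set alone. The sample application and the in-process driver are constructed for the example.

```python
# Added example: WSGI middleware that applies API security headers.

SECURITY_HEADERS = [
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("X-XSS-Protection", "0"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    # A JSON API renders nothing, so 'none' is tighter than the page's 'self'.
    ("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'"),
    ("Cache-Control", "no-store"),
]


class SecurityHeaders:
    """Wrap a WSGI app so every response carries SECURITY_HEADERS."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def _start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            # Add only headers the app did not set itself, so a route can
            # choose a stricter value without the middleware overriding it.
            extra = [(n, v) for n, v in SECURITY_HEADERS if n.lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, _start_response)


def json_app(environ, start_response):
    """Constructed sample application: one JSON endpoint."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']


def call(app, path="/api/users"):
    """Drive a WSGI app in-process; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body
```

Use it as app = SecurityHeaders(your_wsgi_app). The same pattern applies to ASGI or to a gateway: set the headers once at the edge rather than per endpoint.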

Practice

Secure an API with OAuth, rate limiting, and input validation.
