P. De Ryck: Common API Security Pitfalls

oz, 2022-06-07

This list is compiled from the Devoxx Belgium 2017 talk.

Pitfalls

(read: don't do this!)

1. "Allowing access to your API over HTTP"

2. "Not rate limiting calls to your API"

Possible strategies:

-> answer over-limit calls with HTTP 429 Too Many Requests and a Retry-After header telling the client when it may try again (e.g. Retry-After: 3600, in seconds), keyed per API key, user or client IP
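As an added example (not code from the talk or from this post), a per-client token-bucket limiter that answers exactly as described: a 200 while the client has budget, a 429 with a Retry-After header once the bucket is empty. The rate, burst size and the injectable clock are assumptions chosen for the demo:

```python
import math
import time


class TokenBucketLimiter:
    """Token bucket per client key (API key, user id or client IP).

    Each key starts with `burst` tokens; one token is spent per request and
    tokens refill at `rate` per second.  When the bucket is empty the caller
    learns how many whole seconds to wait, which becomes the Retry-After value.
    """

    def __init__(self, rate=1.0, burst=5, clock=time.monotonic):
        self.rate = rate            # tokens refilled per second (assumed value)
        self.burst = burst          # bucket capacity (assumed value)
        self.clock = clock          # injectable so the behaviour can be tested offline
        self._buckets = {}          # key -> (tokens, timestamp of last update)

    def check(self, key):
        """Spend one token for `key`; return (allowed, retry_after_seconds)."""
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._buckets[key] = (tokens - 1, now)
            return True, 0
        # Empty bucket: keep the fractional refill and tell the client when to retry.
        self._buckets[key] = (tokens, now)
        return False, math.ceil((1 - tokens) / self.rate)


def handle_request(limiter, client_key):
    """Minimal API front door: returns (status, headers) the way a gateway would."""
    allowed, retry_after = limiter.check(client_key)
    if not allowed:
        return 429, {"Retry-After": str(retry_after), "Content-Type": "application/json"}
    return 200, {"Content-Type": "application/json"}


if __name__ == "__main__":
    limiter = TokenBucketLimiter(rate=1.0, burst=5)
    for i in range(7):
        print(i + 1, handle_request(limiter, "client-a"))
```

Running the block shows five 200s followed by 429s carrying Retry-After: 1; in production the bucket state lives in a shared store (Redis or the gateway itself) so that every API instance enforces the same budget.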

3. "Using insecure direct object references"

-> always combine the basic authentication check (who is calling?) with an authorization check on the requested resource (does this caller own it, or otherwise have access to it?); being logged in is not a reason to serve any id the client puts in the URL
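The insecure direct object reference beside its fix, as an added example that is not part of the talk or the post. The document store, the session table and the bearer tokens are constructed sample data:

```python
# Constructed sample data standing in for a database and a session store.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's tax return"},
    2: {"owner": "bob", "body": "bob's medical record"},
    3: {"owner": "alice", "body": "alice's notes"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # bearer token -> user id


class Unauthenticated(Exception):
    pass


class NotFound(Exception):
    pass


def authenticate(bearer_token):
    """Authentication answers 'who is calling?'; it says nothing about what they may see."""
    user = SESSIONS.get(bearer_token)
    if user is None:
        raise Unauthenticated()
    return user


def get_document_insecure(bearer_token, doc_id):
    """The IDOR pattern: checks that the caller is logged in, then trusts the id from the URL."""
    authenticate(bearer_token)
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound()
    return doc["body"]


def get_document(bearer_token, doc_id):
    """Fixed: the ownership check is tied to the authenticated identity on every access."""
    user = authenticate(bearer_token)
    doc = DOCUMENTS.get(doc_id)
    # Same error for "does not exist" and "not yours", so ids cannot be enumerated.
    if doc is None or doc["owner"] != user:
        raise NotFound()
    return doc["body"]


def list_documents(bearer_token):
    """Listing is scoped by the caller's identity; the client never supplies the owner."""
    user = authenticate(bearer_token)
    return sorted(doc_id for doc_id, doc in DOCUMENTS.items() if doc["owner"] == user)


def can_read(bearer_token, doc_id):
    """Boolean wrapper around the fixed accessor, convenient for policy checks and tests."""
    try:
        get_document(bearer_token, doc_id)
        return True
    except (Unauthenticated, NotFound):
        return False
```

Note that the fix is not a special case for one endpoint: every accessor that takes a client-supplied id has to carry the same owner (or ACL) predicate, which is why it belongs in the data-access layer rather than in individual handlers.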

4. "Mishandling client-side session data"

-> Client-side session data can be read and manipulated by the client, so you need to ensure confidentiality (encrypt anything the client must not read) and integrity (sign or MAC anything the client must not change, and verify it on every request)

5. "Not verifying the integrity of your JWTs"

-> Only use JWT libraries that verify the token's signature, and make sure the backend actually calls the verify function rather than a decode-only helper; pin the expected algorithm on the verifier side so that a token claiming alg "none" is rejected instead of accepted

6. "Using the wrong signature scheme on JWTs"

-> Use shared secrets (HMAC schemes such as HS256) for verifying JWTs only within your app boundaries, because every party that can verify with the secret can also mint tokens with it. Otherwise use a public/private key pair (RS256, ES256, ...): the issuer signs with the private key and consumers only ever hold the public key
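An added example for pitfalls 5 and 6 together (not code from the talk or the post): a minimal HS256 issuer and verifier built on the standard library. The verifier pins the algorithm instead of trusting the token's header, compares the MAC in constant time, and is contrasted with a decode-only helper that returns whatever the client sent. The secret and claims are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the demo; a real service loads it from a secret store.
SHARED_SECRET = b"example-shared-secret-do-not-use"


class InvalidToken(Exception):
    pass


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj):
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims, secret, alg="HS256"):
    """Issue a token.  `alg` is a parameter only so the test can build an 'alg: none' token."""
    header = _b64url_encode(_json({"alg": alg, "typ": "JWT"}))
    payload = _b64url_encode(_json(claims))
    if alg == "none":
        return f"{header}.{payload}."            # unsecured JWT: empty signature part
    mac = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify_hs256(token, secret):
    """Verify integrity before trusting a single claim.

    The verifier decides the algorithm: a header saying 'none' or anything other
    than HS256 is rejected rather than obeyed, and the MAC comparison is
    constant-time.  Only the returned claims may be used for authorization.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:                           # wrong part count, bad base64 or bad JSON
        raise InvalidToken("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected or missing alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def decode_unverified(token):
    """What a 'decode-only' helper returns: claims with no integrity check at all."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def tamper(token, new_claims):
    """Attacker's move: replace the payload but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(_json(new_claims))}.{sig_b64}"


def is_valid(token, secret):
    try:
        verify_hs256(token, secret)
        return True
    except InvalidToken:
        return False
```

The same structure applies to the asymmetric case from pitfall 6: the verifier pins RS256 or ES256, checks with the public key, and never accepts a token whose header asks it to switch to an HMAC scheme (which would turn the public key into a shared secret).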

7. "Not propagating identity information"

Pass all relevant identity information to downstream services so that they can make their own authorization decisions and produce an audit trail, instead of acting as an anonymous, fully trusted caller!

8. "Minimizing the impact of the transport mechanism"

-> understand the pros/cons of cookies vs. the Authorization header for your app: cookies are attached by the browser automatically (hence CSRF), while a bearer token in a header must be attached by client code and is therefore reachable by any script that runs in the page

9. "Underestimating the importance of CSRF"

10. "Insecure CORS configuration / implementation"

Common misconfigurations: reflecting whatever Origin arrives (or using a wildcard) while also allowing credentials, and matching origins by substring or suffix instead of exact value

-> don't allow more access than necessary!
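Two of the usual CORS misconfigurations beside an exact-match allowlist, as an added example that is not code from the talk or the post. The allowed origins and the attacker hosts are constructed values:

```python
# Constructed allowlist: the exact origins (scheme + host + port) allowed to call
# the API with credentials.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_reflect(origin):
    """Misconfiguration 1: echo any Origin and allow credentials.

    Any site can now make authenticated cross-origin requests and read the response.
    """
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


def cors_headers_substring(origin):
    """Misconfiguration 2: a 'contains example.com' check; attacker-owned hosts match too."""
    if origin is None or "example.com" not in origin:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Exact-match allowlist; nothing is emitted for unknown, missing or 'null' origins."""
    if origin is None or origin == "null" or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
        # The response depends on the Origin header, so caches must key on it.
        "Vary": "Origin",
    }
```

The "null" origin is rejected explicitly because sandboxed iframes and some redirects send it, and allowing it is equivalent to allowing everybody; the Vary header keeps a shared cache from serving one origin's allow header to another.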

11. "Lack of input validation"

Best practices:

12. "Relying on input validation"

Question everything: validation shrinks the attack surface, but it is not a substitute for parameterized queries, output encoding and authorization checks on every request
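An added example for pitfalls 11 and 12 (not code from the talk or the post): a server-side allowlist validator for a username field, followed by the same lookup written with string concatenation and with a bound parameter. The in-memory SQLite table and the usernames are constructed sample data:

```python
import re
import sqlite3

# Allowlist for a username field.  The apostrophe is permitted because names such
# as O'Brien are legitimate input, which is exactly why validation alone cannot be
# the SQL defence: the SQL metacharacter is also valid data.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.'-]{1,32}")


def validate_username(value):
    """Server-side validation: type, length and character allowlist."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("invalid username")
    return value


def is_valid_username(value):
    try:
        validate_username(value)
        return True
    except ValueError:
        return False


def build_db():
    """Constructed in-memory table standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    return conn


def lookup_concat(conn, username):
    """Validated, then interpolated: the query text is still built from untrusted input."""
    username = validate_username(username)
    sql = f"SELECT email FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    """Validated, then bound as a parameter: data can never become SQL."""
    username = validate_username(username)
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]
```

The value 'OR'a'LIKE'a consists only of letters and apostrophes, so it passes the allowlist; concatenated, it turns the WHERE clause into name = '' OR 'a' LIKE 'a' and returns every row, while the parameterized query returns nothing. The legitimate name o'brien shows the other half of the problem: it is found by the parameterized lookup and breaks the concatenated one with a syntax error.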