The document discusses practical API security and provides recommendations for securing APIs. It recommends implementing defense in depth with layers of security including transport layer security, rate limiting, authentication, data validation, encryption, logging, and access control. It then goes into more detail about how to implement specific security measures like replay prevention, rate limiting, authentication methods, message and response validation, encrypting data at rest and in transit, and logging recommendations.

1. @adam_englander
Practical API Security
Adam Englander, Software Architect
iovation

2. @adam_englander
Let's set some expectations...

3. @adam_englander
What are we protecting against?

4. @adam_englander

5. @adam_englander
1: Injection

6. @adam_englander
2: Broken Authentication

7. @adam_englander
3: Sensitive Data Exposure

8. @adam_englander
4: XML External Entities (XXE)

9. @adam_englander
libxml_disable_entity_loader(true);

10. @adam_englander
Use defusedxml and
defusedexpat to protect lib.xml

11. @adam_englander
5: Broken Access Control

12. @adam_englander
6: Security Misconfiguration

13. @adam_englander
7: Cross-Site Scripting XSS

14. @adam_englander
8: Insecure Deserialization

15. @adam_englander
9: Using Components with Known
Vulnerabilities

16. @adam_englander
PHP Resources
• https://security.sensiolabs.org/
• roave/security-advisories package
• https://github.com/FriendsOfPHP/security-
advisories

17. @adam_englander
10: Insufficient Logging &
Monitoring

18. @adam_englander
How do we provide that
protection?

19. @adam_englander

20. @adam_englander
Defense in Depth
Transport Layer Security
Rate Limiting/Replay Prevention
Authentication
Data Validation
Data Encryption
Logging
Access Control

21. @adam_englander
Defense in Depth
Transport Layer Security
Rate Limiting/Replay Prevention
Authentication
Data Validation
Data Encryption
Logging
Access Control

22. @adam_englander
Defense in Depth
Transport Layer Security
Rate Limiting/Replay Prevention
Authentication
Data Validation
Data Encryption
Logging
Access Control

23. @adam_englander

24. @adam_englander

25. @adam_englander
Defense in Depth
Transport Layer Security
Rate Limiting/Replay Prevention
Authentication
Data Validation
Data Encryption
Logging
Access Control

26. @adam_englander
Replay prevention requires
unique requests

27. @adam_englander
Determine Uniqueness of Request
GET / HTTP/1.1
Accept: application/json

28. @adam_englander
Determine Uniqueness of Request
GET / HTTP/1.1
Accept: application/json
X-Nonce: 5ed518e8c5c51a64638b2b50c192242d

29. @adam_englander
Store that unique value in a
datastore so you can verify you
don't see it again

30. @adam_englander
Use the add function on the
cache to prevent race conditions

31. @adam_englander
Cache Example
if ($token === null) {
throw new AuthorizationRequiredException();
} elseif (!$this->cache->add(hash('sha512', $token), 1, 10)) {
throw new InvalidRequestException();
}

32. @adam_englander
Use insert on unique index for
RDBMS to prevent race
conditions

33. @adam_englander
Rate limiting requires unique
identification for restrictions

34. @adam_englander
api-user-id|create-widget|20:01
ebf4e1d4bb33e5f6028e8443d6a1d6aa

35. @adam_englander
Use the add and increment
functions of the cache to
prevent race conditions

36. @adam_englander
Cache Example
$key = sprintf("%s|root-post|%s", $userId, $timeSlice);
$this->cache->add($key, 0, 1);
$total = $this->cache->increment($key);

37. @adam_englander
Use insert with unique index
and update returning in RDBMS
to prevent race conditions

38. @adam_englander
Data stores can be done in
three ways.

39. @adam_englander
In Memory Datastore

40. @adam_englander
Local Datastore

41. @adam_englander
Global Datastore

42. @adam_englander
Defense in Depth
Transport Layer Security
Rate Limiting/Replay Prevention
Authentication
Data Validation
Data Encryption
Logging
Access Control

43. @adam_englander
Do not make authentication part
of the body

44. @adam_englander
Use the Authorization header

45. @adam_englander
HTTP Basic Authentication
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

46. @adam_englander
HTTP Digest Authentication
DO NOT USE!

47. @adam_englander
HTTP Bearer Authentication
Authorization: Bearer mF_9.B5f-4.1JqM

48. @adam_englander
Roll Your Own

49. @adam_englander
Many APIs do this

50. @adam_englander
What about never rolling your
own crypto?

51. @adam_englander
Single Use JWT

52. @adam_englander
No auth service required

53. @adam_englander
Can use existing JWT libraries
to create and validate

54. @adam_englander
Can be extended beyond auth
to provide data validation and
MITM protection

55. @adam_englander
Defense in Depth
Transport Layer Security
Rate Limiting/Replay Prevention
Authentication
Data Validation
Data Encryption
Logging
Access Control

56. @adam_englander
Message Validation

57. @adam_englander
Request Validation

58. @adam_englander
Method Validation
GET /user/abc HTTP/1.1
Accept: application/json

59. @adam_englander
Method Validation
DELETE /user/abc HTTP/1.1
Accept: application/json

60. @adam_englander
Path Validation
GET /user/abc HTTP/1.1
Accept: application/json

61. @adam_englander
Path Validation
GET /user/def HTTP/1.1
Accept: application/json

62. @adam_englander
Body Validation
PATCH /user/abc HTTP/1.1
{"email": "valid@user.com"}

63. @adam_englander
Body Validation
PATCH /user/abc HTTP/1.1
{"email": "pwned@hkr.com"}

64. @adam_englander
Response Validation

65. @adam_englander
Status Code Validation
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 21
{"expected": "value"}

66. @adam_englander
Status Code Validation
HTTP/1.1 400 Invalid Request
Content-Type: application/json; charset=UTF-8
Content-Length: 21
{"expected": "value"}

67. @adam_englander
Status Code Validation
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 21
{"expected": "value"}

68. @adam_englander
Status Code Validation
HTTP/1.1 301 Moved
Content-Type: application/json; charset=UTF-8
Content-Length: 21
Location: https://bad.actor.com
{"expected": "value"}

69. @adam_englander
Header Validation
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 21
Cache-Control: no-cache
{"expected": "value"}

70. @adam_englander
Header Validation
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 21
Cache-Control: max-age=99999999
{"expected": "value"}

71. @adam_englander
Data Validation
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 21
{"active": false}

72. @adam_englander
Data Validation
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 21
{"active": true}

73. @adam_englander
Validation of request data

74. @adam_englander
Defense in Depth
Transport Layer Security
Rate Limiting/Replay Prevention
Authentication
Data Validation
Data Encryption
Logging
Access Control

75. @adam_englander
Encrypt Data at Rest

76. @adam_englander
Use a structure format that
allows for in-place key rotation
and nonce storage

77. @adam_englander
COSE
CBOR Object Signing and Encryption (COSE)
Concise Binary Object Representation (CBOR)

78. @adam_englander
Roll Your Own
keyid|nonce|encrypted-data

79. @adam_englander
Encrypt Data in Transit

80. @adam_englander
WW?D

81. @adam_englander
JSON Web Encryption

82. @adam_englander
Log Everything

83. @adam_englander
Log in a structured format for
easier parsing

84. @adam_englander
Log all pertinent actions

85. @adam_englander
Include all data regarding state.
Anonymize sensitive data.

86. @adam_englander
Include origin data to identify
bad actors.

87. @adam_englander
Utilize tools like ELK or Greylog
to aggregate logs

88. @adam_englander
Determine anomalous conditions
and alert on those conditions.

89. @adam_englander
And now a demonstration...

90. @adam_englander
https://joind.in/talk/9895f