Web api security
•Download as PPTX, PDF•
0 likes•86 views
This document discusses web APIs and REST APIs. It provides examples of common web APIs like weather, Google Maps, and Twitter APIs. It then discusses security concerns around REST APIs like data interception, DDoS attacks, and farming. It recommends using HTTPS, authentication, access control, and JSON Web Tokens (JWTs) for security. It also mentions the importance of format checking, strong business logic, and proper API design.
Report
Share
Report
Share
Recommended
Building systems with rest
Building Systems with REST discusses how HTTP differs from RPC and how it enables intermediaries through its use of resources and representations. The document outlines how HTTP is a transfer protocol rather than a transport protocol and how following its semantics allows functionality through firewalls. It advocates for building systems according to REST principles by decoupling concerns and focusing on resources, representations, and hypermedia.
Smart Contracts: From Zero to Dapp Hero | Hedera18
YouTube Video
https://youtu.be/zmFU54Apyn8
Speaker
John Gethoefer | Principal Software Engineer | Bumped, Inc.
Abstract
Get started with Smart Contracts and the Solidity™ language. In this presentation, you'll receive an introduction to Solidity, a programming language for creating smart contracts for Ethereum and Hedera Hashgraph. You will learn step-by-step procedures to creating a simple smart contract and explore best practices for testing and developing distributed applications (Dapps).
Realtime web open house
This document discusses SignalR, an open source library for ASP.NET developers building real-time web functionality. SignalR provides a simple API for adding real-time web functionality to applications, abstracting how real-time connections are established and messages transferred so that it works across technologies like web sockets, forever frames and server-sent events. It supports self-hosting, scaling out, and has clients for .NET, JavaScript and other platforms. SignalR can be used to call client methods from the server and vice versa, enabling two-way communication applications.
Api Gateway - What's the use of an api gateway?
Slide made for the meetup microservice at Paris, France. It describes the use of an api gateway in a microservice architecture.
Feel free to comment through @meetup_ms_paris #microservice
API Security Best Practices & Guidelines
This document provides API security best practices and guidelines. It discusses defining APIs and who may access them, such as employees, partners, customers or the general public. Authentication can be direct, using credentials, or brokered, using a third party. Best practices include using TLS, strong credentials, short-lived tokens, and throttling access. The guidelines aim to prevent attacks like CSRF, authorization code interception, and brute force attacks through measures like state parameters, PKCE, and long random tokens.
Webinar - Build a decentralized app with the Hedera Cryptocurrency API
1. The document discusses building decentralized apps using Hedera's Cryptocurrency API and the open source Payper project.
2. Payper enables micro-payments for API-based digital assets through a payment gateway and powers payment-enabled front-end components.
3. Hedera's Cryptocurrency API provides a platform for Payper, offering fast, fair, and low-fee cryptocurrency transactions capable of scaling to millions per second with finality in seconds.
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare
July 28 & 29, 2021
Managing the usage of Asynchronous APIs: What does it take?
Sanjeewa Malalgoda, Architect & Associate Director at WSO
Gravitee.io
This session is all about Gravitee.io that consists of two modules: Gravitee.io Access Management, which is responsible for providing Authentication and Authorization with help of OAuth2.0 and OpenID Connect, and Gravitee.io API Management, which is responsible for the management of APIs, by simply publishing and consuming the APIs.
Recommended
Building systems with rest
Building Systems with REST discusses how HTTP differs from RPC and how it enables intermediaries through its use of resources and representations. The document outlines how HTTP is a transfer protocol rather than a transport protocol and how following its semantics allows functionality through firewalls. It advocates for building systems according to REST principles by decoupling concerns and focusing on resources, representations, and hypermedia.
Smart Contracts: From Zero to Dapp Hero | Hedera18
YouTube Video
https://youtu.be/zmFU54Apyn8
Speaker
John Gethoefer | Principal Software Engineer | Bumped, Inc.
Abstract
Get started with Smart Contracts and the Solidity™ language. In this presentation, you'll receive an introduction to Solidity, a programming language for creating smart contracts for Ethereum and Hedera Hashgraph. You will learn step-by-step procedures to creating a simple smart contract and explore best practices for testing and developing distributed applications (Dapps).
Realtime web open house
This document discusses SignalR, an open source library for ASP.NET developers building real-time web functionality. SignalR provides a simple API for adding real-time web functionality to applications, abstracting how real-time connections are established and messages transferred so that it works across technologies like web sockets, forever frames and server-sent events. It supports self-hosting, scaling out, and has clients for .NET, JavaScript and other platforms. SignalR can be used to call client methods from the server and vice versa, enabling two-way communication applications.
Api Gateway - What's the use of an api gateway?
Slide made for the meetup microservice at Paris, France. It describes the use of an api gateway in a microservice architecture.
Feel free to comment through @meetup_ms_paris #microservice
API Security Best Practices & Guidelines
This document provides API security best practices and guidelines. It discusses defining APIs and who may access them, such as employees, partners, customers or the general public. Authentication can be direct, using credentials, or brokered, using a third party. Best practices include using TLS, strong credentials, short-lived tokens, and throttling access. The guidelines aim to prevent attacks like CSRF, authorization code interception, and brute force attacks through measures like state parameters, PKCE, and long random tokens.
Webinar - Build a decentralized app with the Hedera Cryptocurrency API
1. The document discusses building decentralized apps using Hedera's Cryptocurrency API and the open source Payper project.
2. Payper enables micro-payments for API-based digital assets through a payment gateway and powers payment-enabled front-end components.
3. Hedera's Cryptocurrency API provides a platform for Payper, offering fast, fair, and low-fee cryptocurrency transactions capable of scaling to millions per second with finality in seconds.
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare
July 28 & 29, 2021
Managing the usage of Asynchronous APIs: What does it take?
Sanjeewa Malalgoda, Architect & Associate Director at WSO
Gravitee.io
This session is all about Gravitee.io that consists of two modules: Gravitee.io Access Management, which is responsible for providing Authentication and Authorization with help of OAuth2.0 and OpenID Connect, and Gravitee.io API Management, which is responsible for the management of APIs, by simply publishing and consuming the APIs.
Hedera Hashgraph San Francisco Meetup - A Complete Guide on Onboarding to the...
In this personation, Hedera Product Marketing Manager Gehrig Kunz presented on the Hedera developer experience. Gehrig shared example SDK code to jumpstart your project. Gehrig also reviewed some of the resources available for developers and explained exactly how to get started building game-changing decentralized applications using Hedera Hashgraph’s network and services.
Apis and-web-programming
The document discusses APIs and how they work. It defines an API as a set of instructions for communicating with an application. It then explains what HTTP and REST are, how the connect flow works for simple and partner integrations, and how webhooks function to notify integrations of payment events. REST is described as using standard HTTP verbs and media types with resources organized under a base URI, providing predictability and simplicity compared to SOAP.
API Security In Cloud Native Era
The cloud is rapidly becoming the de-facto standard for deploying enterprise applications. Microservices are at the core of building cloud-native applications due to its proven advantages such as granularity, cloud-native deployment, and scalability. With the exponential growth of the consumer base of these service offerings, enforcing microservice/API security has become one of the biggest challenges to overcome.
In this deck, we discuss:
- The need for API/Microservices Security
- The importance of delegating security enforcement to an API Gateway
- API Authentication and Authorization methodologies
- OAuth2 - The de-facto standard of API Authentication
- Protection against cyber attacks and anomalies
- Security aspects to consider when designing Single Page Applications (SPAs)
Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/11/api-security-in-a-cloud-native-era/
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
This document discusses using REST APIs with event-driven architectures and Kafka. It describes three REST servers for Kafka: the Confluent REST Proxy, the Confluent Broker REST API, and the Confluent Cloud REST API. The REST Proxy provides a RESTful interface for producing, consuming, and administering a Kafka cluster. The Broker REST API allows administration of brokers, topics, and consumer groups directly on the brokers. The Confluent Cloud REST API manages connectors, users, and environments for the Confluent Cloud hosted service. The document also discusses when and why REST may be used with event-driven systems using Kafka.
Effective API Gateway
The document discusses the benefits of using an API gateway to handle communication between client applications and microservices, rather than direct client-to-microservice communication. It notes that an API gateway can reduce coupling between clients and services, minimize round trips for client requests, centralize security handling, and help mitigate deployment risks. However, it cautions that the API gateway should not act as a single aggregator and should be segregated based on business boundaries to avoid violating microservice autonomy. Examples of open source and paid API gateway tools and implementations are also provided.
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India 2021 - Connecting 1.3 billion digital innovators
May 20, 2021
Asynchronous and Broadcasting APIs using Kafka
Rohit Saxena, Software Development Consultant at Guardian Life
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Accelerating Digital
September 15 & 16, 2021
Levelling up database security by thinking in APIs
Lindsay Holmwood, Chief Product Officer at Cipherstash
apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the...
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Data Gateways: building “Data-as-a-Service” for the Hybrid Cloud
Hugo Guerrero, APIs & Messaging Developer Advocate at Red Hat
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
APIs for... Your Mom
How to talk about APIs to your mom, your boss, or other non-technical people. Delivered at the London Tech Evangelist Meetup in November 2014.
Microservices Security: dos and don'ts
More and more enterprises are restructuring their development teams to replicate the agility and innovation of startups.
In the last few years, microservices have gained popularity for their ability to provide modularity, scalability, high availability, as well as make it easier for smaller development teams to develop in an agile way.
But how do they deal with security? what about security contexts?
This talk will give insights about the most interesting issues found in the last years while testing the security of multilayered microservices solutions and how they were fixed.
CIS 2015- User-Authorized Discovery- George Fletcher
As the Internet of Things grows, along with electronic health care records, the need for machine based discovery will grow substantially. One of the problems with standards based discovery today is that it can expose private information which a user might not want exposed. This talk will look at UMA protecting the webfinger discovery specification to create a discovery mechanism that provides user specified authorization policy for access to the discovery information. Issues and gaps will be identified.
Altitude San Francisco 2018: Scaling Ethereum to 10B requests per day
ConsenSys is a venture production studio building decentralized applications and developer and end-user tools for blockchains. Their Infura platform is a core infrastructure pillar of Ethereum, enabling decentralized applications of all kinds to scale to accommodate their users.
Infura went from 20 million requests a day at the beginning of 2017 to over 10 billion requests today. This staggering 500x increase naturally lead to questions of scale.
In this talk, co-founder Michael Wuehler will discuss the technical challenges encountered while building and scaling the Infura platform, and the infrastructure decisions that led to their adoption of Fastly and other pivotal technologies.
AsyncAPI Conference: From Design to Code with Marc DiPasquale
TALK ABSTRACT: A long standing gap has been filled! The AsyncAPI specification has risen as the industry standard for defining asynchronous APIs and is being incorporated into several products to enable a better tomorrow for Event-Driven Architecture (EDA). In this talk you will learn how AsyncAPI has been adopted by the Solace PubSub+ Event Portal to provide full lifecycle management of your EDA. I will focus on how you can use the tool to design your architecture and demonstrate how to use the AsyncAPI’s Code Generators to quickly develop a Spring Cloud Stream microservice.
SPEAKER BIO: Marc DiPasquale is a Developer Advocate with extensive engineering experience in the public and private sector across multiple domains including healthcare, aviation and weather imagery processing. He has been using event-driven techniques and methodologies throughout his career and is excited by its elevation to the mainstream. Marc works with prospective and existing clients to enable the development of modern and reactive applications.
***
Follow Marc on Twitter: https://twitter.com/Mrc0113
And on LinkedIn: https://www.linkedin.com/in/marc-dipasquale/
REST API interface to blockchain networks
This document discusses connecting applications to blockchain networks through REST interfaces. It presents two common options - using a native API that directly connects to a specific blockchain network like Bitcoin, or using an abstraction layer that provides a standardized REST API to interact with multiple blockchain networks. The document then demonstrates how to use a REST API to interact with the Ethereum blockchain through practical exercises using Postman to read data, transfer currency, and check balances and blocks.
[Kong summit 2019] Egress Gateway Pattern - Zhuojie Zhou
The Kong community is very familiar with using Kong as an ingress gateway, but what about as an egress gateway? Checkr, a Kong open source user, managed to migrate 90 percent of its egress traffic using Kong. In this session, Software Engineer Zhuojie Zhou will cover the benefits of building out an egress gateway pattern, how Kong supports egress, and how he and his team built a solution of efficient HTTP auditing through the egress gateway.
Tamas blummer presentation
This document discusses current and potential future uses of enterprise Bitcoin software and hardware. It describes Satoshi Nakamoto's original proof of concept for Bitcoin including the peer-to-peer network, blockchain, consensus mechanism, miners, wallets and user interface. It then outlines several enterprise applications including a Bitcoin server using Satoshi's code as a border router, a real-time auditable multi-signature exchange, a hardware-protected web wallet, and a geographically distributed Bitcoin mine. It also discusses blockchains more broadly as an enabling technology for fast local transaction processing with complete or pruned transaction histories across decentralized networks.
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
API management from a network engineer's perspective focuses on security, performance, reliability, and automation. Key capabilities include multi-layer security using tools like Cloud Armor, IAM, and VPC service controls; AI and machine learning to identify anomalies, predict traffic, and ensure compliance; global reach and high performance using Cloud CDN; and a hybrid multi-cloud architecture with private network peering between VPCs for low latency and separation of customer and Apigee networks.
State of JSON Web Tokens at Employment Hero
This document discusses JSON Web Tokens (JWT). It begins by explaining what JWTs are, which is a JSON object used to securely transmit information between parties. JWTs contain signed JSON objects and can be used for authentication. The document then compares two common signing algorithms for JWTs, RSA256 and HSA256. It proceeds to discuss use cases for JWTs in authenticating API requests from clients to services. Finally, it outlines some disadvantages to solely using JWTs for authentication compared to other session-based approaches.
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
The document discusses modern application security challenges with APIs, provides real world examples of API vulnerabilities, and discusses solutions. It begins by introducing common API security issues like object level authorization (BOLA) and function level authorization (BFLA). It then details two real attacks - one on a food delivery app that allowed account takeover via phone number verification, and one on a social network that allowed email updating due to inconsistent authorization. The document advocates for proper authorization mechanisms and expanding the attack surface to find vulnerabilities.
Hello Lambda - How to call Lambdas on AWS
This document discusses several ways to call AWS Lambdas including through API Gateway, direct invocation, Step Functions, SNS, SQS, and Kinesis. API Gateway exposes Lambdas through public URLs but has limited error handling. Direct invocation uses IAM auth but requires handling errors. Step Functions provides graphical workflows for complex orchestrations. SNS is for publish/subscribe between decoupled services while SQS supports message queues, batching, and ordering. Kinesis can process large amounts of data across shards with retrying.
REST API Design & Development
The document discusses demystifying APIs. It begins with an introduction to APIs, including their evolution and benefits. It then discusses RESTful APIs and their key aspects like uniform interface and use of HTTP methods. The document outlines best practices for API design, development, and challenges. It provides examples of designing APIs using Node.js and Hapi.js and discusses challenges like security, authentication, rate limiting, and scalability. Tools mentioned include Express, Swagger, Postman, and Kong.
How to build Simple yet powerful API.pptx
How to build simple yet powerful API from novice to professional. API for beginners, API for gurus, Enterprise level API, REST API, JWT API, Deep dive.
More Related Content
What's hot
Hedera Hashgraph San Francisco Meetup - A Complete Guide on Onboarding to the...
In this personation, Hedera Product Marketing Manager Gehrig Kunz presented on the Hedera developer experience. Gehrig shared example SDK code to jumpstart your project. Gehrig also reviewed some of the resources available for developers and explained exactly how to get started building game-changing decentralized applications using Hedera Hashgraph’s network and services.
Apis and-web-programming
The document discusses APIs and how they work. It defines an API as a set of instructions for communicating with an application. It then explains what HTTP and REST are, how the connect flow works for simple and partner integrations, and how webhooks function to notify integrations of payment events. REST is described as using standard HTTP verbs and media types with resources organized under a base URI, providing predictability and simplicity compared to SOAP.
API Security In Cloud Native Era
The cloud is rapidly becoming the de-facto standard for deploying enterprise applications. Microservices are at the core of building cloud-native applications due to its proven advantages such as granularity, cloud-native deployment, and scalability. With the exponential growth of the consumer base of these service offerings, enforcing microservice/API security has become one of the biggest challenges to overcome.
In this deck, we discuss:
- The need for API/Microservices Security
- The importance of delegating security enforcement to an API Gateway
- API Authentication and Authorization methodologies
- OAuth2 - The de-facto standard of API Authentication
- Protection against cyber attacks and anomalies
- Security aspects to consider when designing Single Page Applications (SPAs)
Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/11/api-security-in-a-cloud-native-era/
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
This document discusses using REST APIs with event-driven architectures and Kafka. It describes three REST servers for Kafka: the Confluent REST Proxy, the Confluent Broker REST API, and the Confluent Cloud REST API. The REST Proxy provides a RESTful interface for producing, consuming, and administering a Kafka cluster. The Broker REST API allows administration of brokers, topics, and consumer groups directly on the brokers. The Confluent Cloud REST API manages connectors, users, and environments for the Confluent Cloud hosted service. The document also discusses when and why REST may be used with event-driven systems using Kafka.
Effective API Gateway
The document discusses the benefits of using an API gateway to handle communication between client applications and microservices, rather than direct client-to-microservice communication. It notes that an API gateway can reduce coupling between clients and services, minimize round trips for client requests, centralize security handling, and help mitigate deployment risks. However, it cautions that the API gateway should not act as a single aggregator and should be segregated based on business boundaries to avoid violating microservice autonomy. Examples of open source and paid API gateway tools and implementations are also provided.
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India 2021 - Connecting 1.3 billion digital innovators
May 20, 2021
Asynchronous and Broadcasting APIs using Kafka
Rohit Saxena, Software Development Consultant at Guardian Life
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Accelerating Digital
September 15 & 16, 2021
Levelling up database security by thinking in APIs
Lindsay Holmwood, Chief Product Officer at Cipherstash
apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the...
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Data Gateways: building “Data-as-a-Service” for the Hybrid Cloud
Hugo Guerrero, APIs & Messaging Developer Advocate at Red Hat
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
APIs for... Your Mom
How to talk about APIs to your mom, your boss, or other non-technical people. Delivered at the London Tech Evangelist Meetup in November 2014.
Microservices Security: dos and don'ts
More and more enterprises are restructuring their development teams to replicate the agility and innovation of startups.
In the last few years, microservices have gained popularity for their ability to provide modularity, scalability, high availability, as well as make it easier for smaller development teams to develop in an agile way.
But how do they deal with security? what about security contexts?
This talk will give insights about the most interesting issues found in the last years while testing the security of multilayered microservices solutions and how they were fixed.
CIS 2015- User-Authorized Discovery- George Fletcher
As the Internet of Things grows, along with electronic health care records, the need for machine based discovery will grow substantially. One of the problems with standards based discovery today is that it can expose private information which a user might not want exposed. This talk will look at UMA protecting the webfinger discovery specification to create a discovery mechanism that provides user specified authorization policy for access to the discovery information. Issues and gaps will be identified.
Altitude San Francisco 2018: Scaling Ethereum to 10B requests per day
ConsenSys is a venture production studio building decentralized applications and developer and end-user tools for blockchains. Their Infura platform is a core infrastructure pillar of Ethereum, enabling decentralized applications of all kinds to scale to accommodate their users.
Infura went from 20 million requests a day at the beginning of 2017 to over 10 billion requests today. This staggering 500x increase naturally lead to questions of scale.
In this talk, co-founder Michael Wuehler will discuss the technical challenges encountered while building and scaling the Infura platform, and the infrastructure decisions that led to their adoption of Fastly and other pivotal technologies.
AsyncAPI Conference: From Design to Code with Marc DiPasquale
TALK ABSTRACT: A long standing gap has been filled! The AsyncAPI specification has risen as the industry standard for defining asynchronous APIs and is being incorporated into several products to enable a better tomorrow for Event-Driven Architecture (EDA). In this talk you will learn how AsyncAPI has been adopted by the Solace PubSub+ Event Portal to provide full lifecycle management of your EDA. I will focus on how you can use the tool to design your architecture and demonstrate how to use the AsyncAPI’s Code Generators to quickly develop a Spring Cloud Stream microservice.
SPEAKER BIO: Marc DiPasquale is a Developer Advocate with extensive engineering experience in the public and private sector across multiple domains including healthcare, aviation and weather imagery processing. He has been using event-driven techniques and methodologies throughout his career and is excited by its elevation to the mainstream. Marc works with prospective and existing clients to enable the development of modern and reactive applications.
***
Follow Marc on Twitter: https://twitter.com/Mrc0113
And on LinkedIn: https://www.linkedin.com/in/marc-dipasquale/
REST API interface to blockchain networks
This document discusses connecting applications to blockchain networks through REST interfaces. It presents two common options - using a native API that directly connects to a specific blockchain network like Bitcoin, or using an abstraction layer that provides a standardized REST API to interact with multiple blockchain networks. The document then demonstrates how to use a REST API to interact with the Ethereum blockchain through practical exercises using Postman to read data, transfer currency, and check balances and blocks.
[Kong summit 2019] Egress Gateway Pattern - Zhuojie Zhou
The Kong community is very familiar with using Kong as an ingress gateway, but what about as an egress gateway? Checkr, a Kong open source user, managed to migrate 90 percent of its egress traffic using Kong. In this session, Software Engineer Zhuojie Zhou will cover the benefits of building out an egress gateway pattern, how Kong supports egress, and how he and his team built a solution of efficient HTTP auditing through the egress gateway.
Tamas blummer presentation
This document discusses current and potential future uses of enterprise Bitcoin software and hardware. It describes Satoshi Nakamoto's original proof of concept for Bitcoin including the peer-to-peer network, blockchain, consensus mechanism, miners, wallets and user interface. It then outlines several enterprise applications including a Bitcoin server using Satoshi's code as a border router, a real-time auditable multi-signature exchange, a hardware-protected web wallet, and a geographically distributed Bitcoin mine. It also discusses blockchains more broadly as an enabling technology for fast local transaction processing with complete or pruned transaction histories across decentralized networks.
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
API management from a network engineer's perspective focuses on security, performance, reliability, and automation. Key capabilities include multi-layer security using tools like Cloud Armor, IAM, and VPC service controls; AI and machine learning to identify anomalies, predict traffic, and ensure compliance; global reach and high performance using Cloud CDN; and a hybrid multi-cloud architecture with private network peering between VPCs for low latency and separation of customer and Apigee networks.
State of JSON Web Tokens at Employment Hero
This document discusses JSON Web Tokens (JWT). It begins by explaining what JWTs are, which is a JSON object used to securely transmit information between parties. JWTs contain signed JSON objects and can be used for authentication. The document then compares two common signing algorithms for JWTs, RSA256 and HSA256. It proceeds to discuss use cases for JWTs in authenticating API requests from clients to services. Finally, it outlines some disadvantages to solely using JWTs for authentication compared to other session-based approaches.
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
The document discusses modern application security challenges with APIs, provides real world examples of API vulnerabilities, and discusses solutions. It begins by introducing common API security issues like object level authorization (BOLA) and function level authorization (BFLA). It then details two real attacks - one on a food delivery app that allowed account takeover via phone number verification, and one on a social network that allowed email updating due to inconsistent authorization. The document advocates for proper authorization mechanisms and expanding the attack surface to find vulnerabilities.
Hello Lambda - How to call Lambdas on AWS
This document discusses several ways to call AWS Lambdas including through API Gateway, direct invocation, Step Functions, SNS, SQS, and Kinesis. API Gateway exposes Lambdas through public URLs but has limited error handling. Direct invocation uses IAM auth but requires handling errors. Step Functions provides graphical workflows for complex orchestrations. SNS is for publish/subscribe between decoupled services while SQS supports message queues, batching, and ordering. Kinesis can process large amounts of data across shards with retrying.
What's hot (20)
Hedera Hashgraph San Francisco Meetup - A Complete Guide on Onboarding to the...
Hedera Hashgraph San Francisco Meetup - A Complete Guide on Onboarding to the...
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the...
apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the...
CIS 2015- User-Authorized Discovery- George Fletcher
CIS 2015- User-Authorized Discovery- George Fletcher
Altitude San Francisco 2018: Scaling Ethereum to 10B requests per day
Altitude San Francisco 2018: Scaling Ethereum to 10B requests per day
AsyncAPI Conference: From Design to Code with Marc DiPasquale
AsyncAPI Conference: From Design to Code with Marc DiPasquale
[Kong summit 2019] Egress Gateway Pattern - Zhuojie Zhou
[Kong summit 2019] Egress Gateway Pattern - Zhuojie Zhou
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Similar to Web api security
REST API Design & Development
The document discusses demystifying APIs. It begins with an introduction to APIs, including their evolution and benefits. It then discusses RESTful APIs and their key aspects like uniform interface and use of HTTP methods. The document outlines best practices for API design, development, and challenges. It provides examples of designing APIs using Node.js and Hapi.js and discusses challenges like security, authentication, rate limiting, and scalability. Tools mentioned include Express, Swagger, Postman, and Kong.
How to build Simple yet powerful API.pptx
How to build simple yet powerful API from novice to professional. API for beginners, API for gurus, Enterprise level API, REST API, JWT API, Deep dive.
Protecting Your APIs Against Attack & Hijack
Secure Enterprise APIs for Mobile, Cloud & Open Web
APIs present enterprises with many business opportunities but they also create new attack vectors that hackers can potentially exploit. APIs share many of the same threats that plague the Web but APIs are fundamentally different from Web sites and have an entirely unique risk profile that must be addressed.
By adopting a secure API architecture from the beginning, it is possible to address both old and new threats. In this webinar, Scott Morrison – CTO at Layer 7 Technologies – will explain in detail how an enterprise can pursue its API publishing strategy without compromising the security of its on-premise systems and data.
You Will Learn
How APIs increase the attack surface
What key types of risk are introduced by APIs
How enterprises can mitigate each of these risks
Why it is crucial to separate API implementation and security into distinct tiers
Presented By
Scott Morrison, CTO, Layer 7 Technologies
Securing RESTful API
1) The document discusses various methods for securing RESTful APIs, including choosing the right security protocol, understanding authentication vs authorization, and exploring specific protocols like basic authentication, JSON web tokens, OAuth1.0a, and OAuth2.
2) It provides details on each protocol, including how they work, benefits, structures like the JWT header and payload, and code examples for implementation flows.
3) The key takeaways are to never use basic authentication without TLS, favor HMAC algorithms over bearer tokens, and use OAuth1.0a or OAuth2 (preferably MAC) for authentication, as OAuth is an authorization protocol rather than authentication standard.
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, WebSub, AsyncAPI and More
Uni w pachube 111108
The document introduces Pachube, an API and platform for connecting physical devices to the internet and sharing their sensor data. It discusses key aspects of Pachube including how it enables the "internet of things", how its API and website work, examples of how sensors and actuators can connect, and how developers can get started building applications using the Pachube platform. Real examples of existing uses are also highlighted.
Designing Usable APIs featuring Forrester Research, Inc.
Deliver a Great Developer Experience (DX) as Part of an Effective API Strategy
Overview
Designing a great enterprise API is not easy. Exposing an interface is relatively simple but API designers have a great deal more to think about – business models, process context, transactional integrity, privacy concerns, data ownership… the list goes on.
For enterprise API designers, a clear focus on developer experience (DX) is often the best way to get things moving in the right direction. Creating an API that developers love to use will produce a wealth of benefits for any API program, such as:
Increasing API adoption rates
Reducing implementation costs
Ensuring the program is aligned with core business goals
Join this webinar with Ronnie Mitra of Layer 7 and guest speaker Randy Heffner of Forrester Research, Inc. to get practical tips on building APIs that will provide a great DX and truly contribute to your organization’s business success.
You Will Learn
What the term “well-designed API” means, in practical terms
Why developer experience matters and how it aligns with business goals
How to make rational design choices that will improve DX
Presented By
Ronnie Mitra
Principal API Architect, Layer 7
Guest Speaker
Randy Heffner
VP, Principal Analyst, Forrester Research, Inc.
Gateway/APIC security
In this deck, I cover all the new exciting security feature we have in both gateway and APIC.
We are excited about the new features, and how they can be used to help protect the customer's deployment environment.
2019 devoxx - apis, microservices, et le service mesh
Les développeurs adoptent de plus en plus une architecture de microservices pour permettre une agilité plus élevée et une évolutivité de leurs applications - mais la mise en œuvre réussie d'une architecture de microservices est notoirement compliquée. À mesure que le nombre des services augmente, la complexité et les risques peuvent également augmenter rapidement. Cette session montre comment créer une architecture de microservices sécurisée et évolutive avec Apigee, Kubernetes et Istio
API Gateways are going through an identity crisis
API Gateways provide functionality like rate limiting, authentication, request routing, reporting, and more. If you've been following the rise in service-mesh technologies, you'll notice there is a lot of overlap with API Gateways when solving some of the challenges of microservices. If service mesh can solve these same problems, you may wonder whether you really need a dedicated API Gateway solution?
The reality is there is some nuance in the problems solved at the edge (API Gateway) compared to service-to-service communication (service mesh) within a cluster. But with the evolution of cluster-deployment patterns, these nuances are becoming less important. What's more important is that the API Gateway is evolving to live at a layer above service mesh and not directly overlapping with it. In other words, API Gateways are evolving to solve application-level concerns like aggregation, transformation, and deeper context and content-based routing as well as fitting into a more self-service, GitOps style workflow.
In this talk we put aside the "API Gateway" infrastructure as we know it today and go back to first principles with the "API Gateway pattern" and revisit the real problems we're trying to solve. Then we'll discuss pros and cons of alternative ways to implement the API Gateway pattern and finally look at open source projects like Envoy, Kubernetes, and GraphQL to see how the "API Gateway pattern" actually becomes the API for our applications while coexisting nicely with a service mesh (if you adopt a service mesh).
How APIs Can Be Secured in Mobile Environments
To view recording of this webinar please use below URL:
http://wso2.com/library/webinars/2015/08/how-apis-can-be-secured-in-mobile-environments/
In this session, Shan, director of mobile architecture at WSO2 will discuss:
What makes mobile API authentication different from traditional API authentication
Best practices for implementing mobile API security
What WSO2 API Manager provides for mobile developers
[Workshop] API-driven Integration
WSO2 is a leading open source integration vendor that helps organizations become integration agile. It offers an API-led integration platform including API management, enterprise integration, and identity and access management. The platform uses API-first approach and supports hybrid deployments. It provides full API lifecycle management with capabilities for design, security, analytics, and monetization.
API Testing and Hacking (1).pdf
This document discusses API testing and security. It notes that while development has sped up, security has been overlooked. APIs connect many systems and components, so they are vulnerable if not properly secured. The document recommends testing APIs for common vulnerabilities, emphasizing authorization, and "hacking your own API" to identify issues before attackers do. APIs must be developed with security in mind from the start.
API Testing and Hacking.pdf
This document discusses API testing and security. It notes that while development has sped up, security has been overlooked. APIs connect many systems and components, so they are vulnerable if not properly secured. The document recommends testing APIs for common vulnerabilities, emphasizing authorization, and conducting security testing to find and address issues. Hackers can exploit vulnerabilities like insecure direct object references to access unauthorized data or bypass intended business logic. Proper security practices are needed to prevent API breaches.
API Testing and Hacking.pdf
This document discusses API testing and security. It notes that while development has sped up, security has been overlooked. APIs connect many systems and components, so they are vulnerable if not properly secured. The document recommends testing APIs for common vulnerabilities, emphasizing authorization, and "hacking your own API" to identify issues before attackers do. APIs must be developed with security in mind from the start.
zendframework2 restful
The document discusses building a REST API with Zend Framework 2. It provides an overview of REST, comparing it to other API techniques like RPC and SOAP. It covers REST components and best practices, explaining the advantages of REST such as its simplicity, use of JSON, and support for AJAX. The document also addresses some common arguments against REST and how they can be overcome.
Rest Introduction (Chris Jimenez)
This document provides an overview of Representational State Transfer (REST), describing its key principles for designing web services. REST uses a stateless, client-server architecture where requests made to a resource's unique Uniform Resource Identifier (URI) can retrieve multiple representations of that resource (e.g. XML, JSON). The core REST operations are GET to retrieve a resource, POST to create, PUT to update, and DELETE to delete. Requests should be cacheable, idempotent and link resources together through hypermedia. State is managed by clients rather than servers to improve scalability. Authentication can be done through HTTP basic auth over HTTPS, cookies, or signing query parameters.
Api best practices
This document provides best practices for creating and consuming APIs. It discusses what APIs are, why they are useful, and how to design them for ease of use. Key recommendations include making APIs easy to use but difficult to misuse, doing one thing well, implementing rate limits, using proper security, and providing extensive documentation. The document also covers versioning APIs, consuming APIs through tools like cURL, and examples of mashing up APIs.
Introduction to back-end
The document provides an introduction to back-end development, including definitions of the internet, World Wide Web, and request-response cycle. It explains the differences between front-end and back-end development and lists common front-end and back-end programming languages. Main protocols like IP, TCP, UDP, and HTTP are described. Additional back-end concepts covered include CRUD functionality, securing passwords, HTTPS, and APIs. Resources for further learning back-end development with languages like Python, Node.js, and PHP are also provided.
APIConnect Security Best Practice
This covers security with APIc/gateway. It goes over high-level concepts and what IBM APIc can offer, this covers 2018, and v10 of the product
Note: this is from a presentation from a year or so ago, with some updates to the link
Similar to Web api security (20)
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
Designing Usable APIs featuring Forrester Research, Inc.
Designing Usable APIs featuring Forrester Research, Inc.
2019 devoxx - apis, microservices, et le service mesh
2019 devoxx - apis, microservices, et le service mesh
Recently uploaded
Generating privacy-protected synthetic data using Secludy and Milvus
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
When it comes to unit testing in the .NET ecosystem, developers have a wide range of options available. Among the most popular choices are NUnit, XUnit, and MSTest. These unit testing frameworks provide essential tools and features to help ensure the quality and reliability of code. However, understanding the differences between these frameworks is crucial for selecting the most suitable one for your projects.
Programming Foundation Models with DSPy - Meetup Slides
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Main news related to the CCS TSI 2023 (2023/1695)
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
TrustArc Webinar - 2024 Global Privacy Survey
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Digital Marketing Trends in 2024 | Guide for Staying Ahead
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Operating System Used by Users in day-to-day life.pptx
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Introduction of Cybersecurity with OSS at Code Europe 2024
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Azure API Management to expose backend services securely
How to use Azure API Management to expose backend service securely
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Choosing The Best AWS Service For Your Website + API.pptx
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Recently uploaded (20)
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Azure API Management to expose backend services securely
Azure API Management to expose backend services securely
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Web api security
- 4. WEB API Application Programing Interface ● Interface which has a set of functions that allow programmers to access specific features or data. ● Web API as the name suggests, is an API over the web which can be accessed using HTTP protocol.
- 5. Examples Weather APIGoogle Map API Twitter API Cat API
- 6. REST API Representational State Transfer Two main responsibilities ● listen for requests sent by the client side ● respond these requests with appropriate data. Request : GET, PUT, POST and DELETE
- 7. REST API more on ● Market is rapidly adapting to the modern technologies of frontend frameworks in focus. ● So Most of the Business logic is moving towards cloud now. ● Almost everyone is providing API’s today. ● Most importantly it is being used on web, in mobile app and even on IoT devices.
- 8. Quiz Time
- 9. Which of these do you think is more Secure ?
- 10. Which one do you think is using HTTPS?
- 11. What? Why? How?
- 12. Data Interception ● Capturing Traffic and Data ● Modifying Data ● Users are not who they are.
- 13. DOS Attacks ● Bunch of connections (slaves) to point massive load towards a REST API Endpoint. ● Main Objective is to make the service unusable. ● Avoiding requests from uninvited users is very important
- 14. Farming ● Scraping Data from someone else’s API ● Preventing farming is important so that no unnecessary data is being transmitted ● Unnecessarily overloaded API call
- 15. What? Why? How?
- 16. Use HTTPS ● HTTP sends messages in cleartext compared to HTTPS encrypted messages. ● The website you are visiting is the correctly certified website.
- 17. Do Authentication and Access Control ● Using API Keys and Secrets for Public API. ● Using Oauth or JWT for Authentication ● Doing Access Control, like which user, what role and what actions. ● Public API do request limiting based on Pricing plan. Project API KEY APP / WEBSITE API Provider Token Generator Backend User Auth Token
- 18. JWT ● JSON Web Tokens ● A self-contained solution to safely transmit information between client and server side. ● It decreases the load on the server by a huge amount, and makes the authentication process much faster
- 19. More on JWT Header { "alg":“RSA256", "typ":“JWT" } Payload { "token-type": "access-token", "username": "snoopy", "animal": "beagle", "iss": "https://demo.com/oauth2/token", "scopes": [“twitter”, "mans-best- friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } DTfSdMzIIsC0j8z3icRdYO1GaMGl6j 1I_2DBjiiHW9vmDz8OAw8Jh8DpO 32fv0vICc 0hb4F0QCD3KQnv8GVM73kSYaO EUwlW0k1TaElxc43_Ocxm1F5IUNZ vzlLJ_ksFX GDL_cuadhVDaiqmhct098ocefuv0 8TdzRxqYoEqYNo Signature RSA256( base64UrlEncode( header ) + “.“ + base64UrlEncode( payload ) , secret )
- 20. Strong Business Logics ● Proper API Routes ● Doing Authentication in every Cloud Functions. ● Good API Responses with HTTP status codes
- 21. Format Checking ● Format checking is to validate the content type being sent. ● Requests shall match the intended content-type in the header. ● Strong Types, Length and Range Validation, Request Size Limit and Regular Expressions.