Uploaded by9xdot
PPTX, PDF124 views

Web api security

This document discusses web APIs and REST APIs. It provides examples of common web APIs like weather, Google Maps, and Twitter APIs. It then discusses security concerns around REST APIs like data interception, DDoS attacks, and farming. It recommends using HTTPS, authentication, access control, and JSON Web Tokens (JWTs) for security. It also mentions the importance of format checking, strong business logic, and proper API design.

Embed presentation

Download to read offline
WEB API Security access denied
Before we begin
What? Why? How?
WEB API Application Programing Interface ● Interface which has a set of functions that allow programmers to access specific features or data. ● Web API as the name suggests, is an API over the web which can be accessed using HTTP protocol.
Examples Weather APIGoogle Map API Twitter API Cat API
REST API Representational State Transfer Two main responsibilities ● listen for requests sent by the client side ● respond these requests with appropriate data. Request : GET, PUT, POST and DELETE
REST API more on ● Market is rapidly adapting to the modern technologies of frontend frameworks in focus. ● So Most of the Business logic is moving towards cloud now. ● Almost everyone is providing API’s today. ● Most importantly it is being used on web, in mobile app and even on IoT devices.
Quiz Time
Which of these do you think is more Secure ?
Which one do you think is using HTTPS?
What? Why? How?
Data Interception ● Capturing Traffic and Data ● Modifying Data ● Users are not who they are.
DOS Attacks ● Bunch of connections (slaves) to point massive load towards a REST API Endpoint. ● Main Objective is to make the service unusable. ● Avoiding requests from uninvited users is very important
Farming ● Scraping Data from someone else’s API ● Preventing farming is important so that no unnecessary data is being transmitted ● Unnecessarily overloaded API call
What? Why? How?
Use HTTPS ● HTTP sends messages in cleartext compared to HTTPS encrypted messages. ● The website you are visiting is the correctly certified website.
Do Authentication and Access Control ● Using API Keys and Secrets for Public API. ● Using Oauth or JWT for Authentication ● Doing Access Control, like which user, what role and what actions. ● Public API do request limiting based on Pricing plan. Project API KEY APP / WEBSITE API Provider Token Generator Backend User Auth Token
JWT ● JSON Web Tokens ● A self-contained solution to safely transmit information between client and server side. ● It decreases the load on the server by a huge amount, and makes the authentication process much faster
More on JWT Header { "alg":“RSA256", "typ":“JWT" } Payload { "token-type": "access-token", "username": "snoopy", "animal": "beagle", "iss": "https://demo.com/oauth2/token", "scopes": [“twitter”, "mans-best- friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } DTfSdMzIIsC0j8z3icRdYO1GaMGl6j 1I_2DBjiiHW9vmDz8OAw8Jh8DpO 32fv0vICc 0hb4F0QCD3KQnv8GVM73kSYaO EUwlW0k1TaElxc43_Ocxm1F5IUNZ vzlLJ_ksFX GDL_cuadhVDaiqmhct098ocefuv0 8TdzRxqYoEqYNo Signature RSA256( base64UrlEncode( header ) + “.“ + base64UrlEncode( payload ) , secret )
Strong Business Logics ● Proper API Routes ● Doing Authentication in every Cloud Functions. ● Good API Responses with HTTP status codes
Format Checking ● Format checking is to validate the content type being sent. ● Requests shall match the intended content-type in the header. ● Strong Types, Length and Range Validation, Request Size Limit and Regular Expressions.

More Related Content

PPTX
Building systems with rest
byGlenn Block
 
PDF
Smart Contracts: From Zero to Dapp Hero | Hedera18
byHedera Hashgraph
 
PPTX
Realtime web open house
byRan Wahle
 
PPTX
Api Gateway - What's the use of an api gateway?
byinovia
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
Webinar - Build a decentralized app with the Hedera Cryptocurrency API
byHedera Hashgraph
 
PPTX
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
byapidays
 
PDF
Gravitee.io
byKnoldus Inc.
 
Building systems with rest
byGlenn Block
 
Smart Contracts: From Zero to Dapp Hero | Hedera18
byHedera Hashgraph
 
Realtime web open house
byRan Wahle
 
Api Gateway - What's the use of an api gateway?
byinovia
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Webinar - Build a decentralized app with the Hedera Cryptocurrency API
byHedera Hashgraph
 
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
byapidays
 
Gravitee.io
byKnoldus Inc.
 

What's hot

PPTX
Hedera Hashgraph San Francisco Meetup - A Complete Guide on Onboarding to the...
byHedera Hashgraph
 
PDF
Apis and-web-programming
byAlasdair Monk
 
PDF
API Security In Cloud Native Era
byWSO2
 
PPTX
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
byapidays
 
PPT
Effective API Gateway
byHari Wiz
 
PPTX
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
byapidays
 
PDF
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
byapidays
 
PDF
apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the...
byapidays
 
PPTX
APIs for... Your Mom
byCarlo Longino
 
PDF
Microservices Security: dos and don'ts
byMinded Security
 
PDF
CIS 2015- User-Authorized Discovery- George Fletcher
byCloudIDSummit
 
PDF
Altitude San Francisco 2018: Scaling Ethereum to 10B requests per day
byFastly
 
PPTX
AsyncAPI Conference: From Design to Code with Marc DiPasquale
bySolace
 
PPTX
REST API interface to blockchain networks
byGene Leybzon
 
PDF
[Kong summit 2019] Egress Gateway Pattern - Zhuojie Zhou
by00zzj
 
PDF
Tamas blummer presentation
byMecklerMedia
 
PDF
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
byapidays
 
PDF
State of JSON Web Tokens at Employment Hero
byLuong Vo
 
PDF
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
byAdar Weidman
 
PDF
Hello Lambda - How to call Lambdas on AWS
byDavid Roberts
 
Hedera Hashgraph San Francisco Meetup - A Complete Guide on Onboarding to the...
byHedera Hashgraph
 
Apis and-web-programming
byAlasdair Monk
 
API Security In Cloud Native Era
byWSO2
 
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
byapidays
 
Effective API Gateway
byHari Wiz
 
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
byapidays
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
byapidays
 
apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the...
byapidays
 
APIs for... Your Mom
byCarlo Longino
 
Microservices Security: dos and don'ts
byMinded Security
 
CIS 2015- User-Authorized Discovery- George Fletcher
byCloudIDSummit
 
Altitude San Francisco 2018: Scaling Ethereum to 10B requests per day
byFastly
 
AsyncAPI Conference: From Design to Code with Marc DiPasquale
bySolace
 
REST API interface to blockchain networks
byGene Leybzon
 
[Kong summit 2019] Egress Gateway Pattern - Zhuojie Zhou
by00zzj
 
Tamas blummer presentation
byMecklerMedia
 
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
byapidays
 
State of JSON Web Tokens at Employment Hero
byLuong Vo
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
byAdar Weidman
 
Hello Lambda - How to call Lambdas on AWS
byDavid Roberts
 

Similar to Web api security

PDF
API SECURITY
byTubagus Rizky Dharmawan
 
PPTX
Securing APIs using OAuth 2.0
byAdam Lewis
 
PPTX
HTTP Services & REST API Security
byTaiseer Joudeh
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PPTX
Unit 3_detailed_automotiving_mobiles.pptx
byVijaySasanM21IT
 
PPTX
How to build Simple yet powerful API.pptx
byChanna Ly
 
PPTX
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
PDF
Api fundamentals
byAgileDenver
 
PDF
Api FUNdamentals #MHA2017
byJoEllen Carter
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
PDF
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
byWSO2
 
PDF
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
PPTX
Web API Security
byStefaan
 
PPTX
APIs_ An Introduction.pptx
byAkashThorat25
 
PDF
How to Build, Manage, and Promote APIs
byWSO2
 
PDF
API Testing and Hacking (1).pdf
byVishwas N
 
PDF
API Testing and Hacking.pdf
byVishwas N
 
PDF
API Testing and Hacking.pdf
byVishwasN6
 
PPTX
Restful api
byAnurag Srivastava
 
PPTX
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
API SECURITY
byTubagus Rizky Dharmawan
 
Securing APIs using OAuth 2.0
byAdam Lewis
 
HTTP Services & REST API Security
byTaiseer Joudeh
 
Securing RESTful API
byMuhammad Zbeedat
 
Unit 3_detailed_automotiving_mobiles.pptx
byVijaySasanM21IT
 
How to build Simple yet powerful API.pptx
byChanna Ly
 
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
Api fundamentals
byAgileDenver
 
Api FUNdamentals #MHA2017
byJoEllen Carter
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
byWSO2
 
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
Web API Security
byStefaan
 
APIs_ An Introduction.pptx
byAkashThorat25
 
How to Build, Manage, and Promote APIs
byWSO2
 
API Testing and Hacking (1).pdf
byVishwas N
 
API Testing and Hacking.pdf
byVishwas N
 
API Testing and Hacking.pdf
byVishwasN6
 
Restful api
byAnurag Srivastava
 
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 

Recently uploaded

PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PDF
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
PDF
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 

Web api security

  • 1.
  • 2.
  • 3.
  • 4.
    WEB API Application ProgramingInterface ● Interface which has a set of functions that allow programmers to access specific features or data. ● Web API as the name suggests, is an API over the web which can be accessed using HTTP protocol.
  • 5.
    Examples Weather APIGoogle MapAPI Twitter API Cat API
  • 6.
    REST API Representational StateTransfer Two main responsibilities ● listen for requests sent by the client side ● respond these requests with appropriate data. Request : GET, PUT, POST and DELETE
  • 7.
    REST API more on ●Market is rapidly adapting to the modern technologies of frontend frameworks in focus. ● So Most of the Business logic is moving towards cloud now. ● Almost everyone is providing API’s today. ● Most importantly it is being used on web, in mobile app and even on IoT devices.
  • 8.
  • 9.
    Which of thesedo you think is more Secure ?
  • 10.
    Which one doyou think is using HTTPS?
  • 11.
  • 12.
    Data Interception ● CapturingTraffic and Data ● Modifying Data ● Users are not who they are.
  • 13.
    DOS Attacks ● Bunchof connections (slaves) to point massive load towards a REST API Endpoint. ● Main Objective is to make the service unusable. ● Avoiding requests from uninvited users is very important
  • 14.
    Farming ● Scraping Datafrom someone else’s API ● Preventing farming is important so that no unnecessary data is being transmitted ● Unnecessarily overloaded API call
  • 15.
  • 16.
    Use HTTPS ● HTTPsends messages in cleartext compared to HTTPS encrypted messages. ● The website you are visiting is the correctly certified website.
  • 17.
    Do Authentication and AccessControl ● Using API Keys and Secrets for Public API. ● Using Oauth or JWT for Authentication ● Doing Access Control, like which user, what role and what actions. ● Public API do request limiting based on Pricing plan. Project API KEY APP / WEBSITE API Provider Token Generator Backend User Auth Token
  • 18.
    JWT ● JSON WebTokens ● A self-contained solution to safely transmit information between client and server side. ● It decreases the load on the server by a huge amount, and makes the authentication process much faster
  • 19.
    More on JWT Header { "alg":“RSA256", "typ":“JWT" } Payload { "token-type":"access-token", "username": "snoopy", "animal": "beagle", "iss": "https://demo.com/oauth2/token", "scopes": [“twitter”, "mans-best- friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } DTfSdMzIIsC0j8z3icRdYO1GaMGl6j 1I_2DBjiiHW9vmDz8OAw8Jh8DpO 32fv0vICc 0hb4F0QCD3KQnv8GVM73kSYaO EUwlW0k1TaElxc43_Ocxm1F5IUNZ vzlLJ_ksFX GDL_cuadhVDaiqmhct098ocefuv0 8TdzRxqYoEqYNo Signature RSA256( base64UrlEncode( header ) + “.“ + base64UrlEncode( payload ) , secret )
  • 20.
    Strong Business Logics ●Proper API Routes ● Doing Authentication in every Cloud Functions. ● Good API Responses with HTTP status codes
  • 21.
    Format Checking ● Formatchecking is to validate the content type being sent. ● Requests shall match the intended content-type in the header. ● Strong Types, Length and Range Validation, Request Size Limit and Regular Expressions.