SlideShare a Scribd company logo

Secure Your REST API (The Right Way)

Download as PPTX, PDF
Stormpath
Stormpath

We already showed you how to build a Beautiful REST+JSON API(http://www.slideshare.net/stormpath/rest-jsonapis), but how do you secure your API? At Stormpath we spent 18 months researching best practices, implementing them in the Stormpath API, and figuring out what works. Here’s our playbook on how to secure a REST API.

Software
1 of 40
Les Hazlewood @lhazlewood Apache Shiro PMC Chair CTO, Stormpath stormpath.com Secure your REST API (the right way)
.com • User Management and Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
HTTP Authentication...
... is all about the headers Learn more at Stormpath.com
1. Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Learn more at Stormpath.com
2. Challenge Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=“name” Learn more at Stormpath.com
3. Resubmit Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Learn more at Stormpath.com
Authorization Header Format GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Scheme Name Scheme-specific Value sp Learn more at Stormpath.com
4. Successful Response HTTP/1.1 200 OK Content-Type: application/json ... { “email”: “jsmith@gmail.com”, “givenName”: “Joe”, “surname”: Smith”, ... } Learn more at Stormpath.com
Example: Oauth 1.0a GET /accounts/1234 HTTP/1.1 Host: api.acme.com Authorization: OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131200", oauth_nonce="wIjqoS", oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready", oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" Learn more at Stormpath.com
Example: Oauth 2 GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Bearer mF_9.B5f-4.1JqM Learn more at Stormpath.com
Example: Oauth 2 MAC GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: MAC id="h480djs93hd8", nonce="264095:dj83hs9s”, mac="SLDJd4mg43cjQfElUs3Qub4L6xE=" Learn more at Stormpath.com
Ok, now that’s out of the way • Please avoid Basic Authc if you can. • Favor HMAC-SHA256 digest algorithms over bearer token algorithms • Use Oauth 1.0a or Oauth 2 (preferably MAC) • Only use a custom scheme if you really, really know what you’re doing. Learn more at Stormpath.com
Status Codes Learn more at Stormpath.com
401 vs 403 • 401 “Unauthorized” really means Unauthenticated “You need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath.com
HTTP Authorization Learn more at Stormpath.com
HTTP Authorization • After authc, perform authz • Filter requests before invoking MVC layer • Blanket security policies • Per-URI customization Learn more at Stormpath.com
HTTP Authorization: OAuth • OAuth is an authorization protocol, NOT an authentication or SSO protocol. • “Can I see User X’s email address please?” NOT: • “I want to authenticate User X w/ this username and password” • People still try to use OAuth for authentication (OpenId Connect) Learn more at Stormpath.com
HTTP Authorization: OAuth • When OAuth 2 is a good fit: • If your REST clients do NOT own the data they are attempting to read • When Oauth 2 isn’t as good of a fit: • If your REST client owns the data it is reading • Could still be fine if you’re willing to incur some additional overhead Learn more at Stormpath.com
HTTP Authorization: JWT • JWT = JSON Web Token • Very new spec, but clean & simple • JWTs can be digitally signed and/or encrypted, and are URL friendly. • Can be used as Bearer Tokens and for SSO Learn more at Stormpath.com
Best Practices Learn more at Stormpath.com
API Keys Learn more at Stormpath.com
API Keys, Not Passwords • Entropy • Independence • Speed • Reduced Exposure • Traceability • Rotation Learn more at Stormpath.com
API Keys cont’d • Authenticate every request • Encrypt API Key secret values at rest. • Avoid Sessions (not RESTful) • Authc every request + no sessions = no XSRF attacks Learn more at Stormpath.com
Identifiers Learn more at Stormpath.com
Identifiers /accounts/x2b4jX3l31uiL Good Not So Good /accounts/1234 Why? Learn more at Stormpath.com
Identifiers • Should be opaque • Secure Random or Random/Time UUID • URL-friendly ‘Base62’ encoding • Avoid sequential numbers: • distribute ID generation load • mitigate fusking attacks Learn more at Stormpath.com
Query Injection Learn more at Stormpath.com
Query Injection Vulnerable URL: foo.com/accounts?acctId=‘ or ‘1’=‘1 String query = “select * from accounts where acct_id = ‘” + request.getParameter(“acctId”) + “’”; Solution • Use Parameterized Query API (Prepared Statements). • If not available, escape special chars Learn more at Stormpath.com
Redirects and Forwards Learn more at Stormpath.com
Redirects and Forwards • Avoid redirects and forwards if possible • If used, validate the value and ensure authorized for the current user. foo.com/redirect.jsp?url=evil.com foo.com/whatever.jsp?fwd=admin.jsp Learn more at Stormpath.com
TLS Learn more at Stormpath.com
TLS • Use TLS for everything • Once electing to TLS: – Never revert – Never switch back and forth • Cookies: set the ‘secure’ and ‘httpOnly’ flags for secure cookies • Backend/infrastructure connections use TLS too Learn more at Stormpath.com
TLS Cont’d • Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms • Use Cipher Suites w/ Perfect Forward Secrecy! –e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256 • Keep your TLS certificates valid • But beware, TLS isn’t foolproof – App-level encryption + TLS for most secure results Learn more at Stormpath.com
Configuration Learn more at Stormpath.com
Configuration • CI: Security Testing • Security Patches • Regularly scan/audit • Same config in Dev, Prod, QA* – (Docker is great for this!) • Externalize passwords/credentials * Except credentials of course Learn more at Stormpath.com
Storage Learn more at Stormpath.com
Storage • Sensitive data encrypted at rest • Encrypt offsite backups • Strong algorithms/standards • Strong encryption keys and key mgt • Strong password hashing • External key storage • Encrypted file system (e.g. eCryptfs) Learn more at Stormpath.com
Thank You! • les@stormpath.com • Twitter: @lhazlewood • https://stormpath.com Learn more at Stormpath.com
.com • Free for developers • Eliminate months of development • Automatic security best practices Sign Up Now: Stormpath.com Learn more at Stormpath.com

Recommended

API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Api security
Api security Api security
Api security teodorcotruta
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Securing Your API
Securing Your APISecuring Your API
Securing Your APIJason Austin
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 

Recommended

API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Api security
Api security Api security
Api security teodorcotruta
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Securing Your API
Securing Your APISecuring Your API
Securing Your APIJason Austin
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsWeaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsHarsh Bothra
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Kong
KongKong
KongTroublemaker Khunpech
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Secure Session Management
Secure Session ManagementSecure Session Management
Secure Session ManagementGuidePoint Security, LLC
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 

More Related Content

What's hot

Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsWeaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsHarsh Bothra
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 

What's hot (20)

Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsWeaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Kong
KongKong
Kong
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Secure Session Management
Secure Session ManagementSecure Session Management
Secure Session Management
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 

Similar to Secure Your REST API (The Right Way)

REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure RESTguestb2ed5f
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application TechnologiesSam Bowne
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
Building Awesome APIs with Lumen
Building Awesome APIs with LumenBuilding Awesome APIs with Lumen
Building Awesome APIs with LumenKit Brennan
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Using Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldUsing Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldGil Fink
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API SecurityTaiseer Joudeh
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Lviv Startup Club
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp
 

Similar to Secure Your REST API (The Right Way) (20)

REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure REST
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application Technologies
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Facebook & Twitter API
Facebook & Twitter APIFacebook & Twitter API
Facebook & Twitter API
 
Building Awesome APIs with Lumen
Building Awesome APIs with LumenBuilding Awesome APIs with Lumen
Building Awesome APIs with Lumen
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
HTTP
HTTPHTTP
HTTP
 
Using Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldUsing Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 World
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API Security
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
 

More from Stormpath

The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityStormpath
 
Getting Started With Angular
Getting Started With AngularGetting Started With Angular
Getting Started With AngularStormpath
 
Building Beautiful REST APIs with ASP.NET Core
Building Beautiful REST APIs with ASP.NET CoreBuilding Beautiful REST APIs with ASP.NET Core
Building Beautiful REST APIs with ASP.NET CoreStormpath
 
Build a REST API for your Mobile Apps using Node.js
Build a REST API for your Mobile Apps using Node.jsBuild a REST API for your Mobile Apps using Node.js
Build a REST API for your Mobile Apps using Node.jsStormpath
 
JWTs in Java for CSRF and Microservices
JWTs in Java for CSRF and MicroservicesJWTs in Java for CSRF and Microservices
JWTs in Java for CSRF and MicroservicesStormpath
 
Beautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonBeautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonStormpath
 
Storing User Files with Express, Stormpath, and Amazon S3
Storing User Files with Express, Stormpath, and Amazon S3Storing User Files with Express, Stormpath, and Amazon S3
Storing User Files with Express, Stormpath, and Amazon S3Stormpath
 
Custom Data Search with Stormpath
Custom Data Search with StormpathCustom Data Search with Stormpath
Custom Data Search with StormpathStormpath
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreStormpath
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
JWTs for CSRF and Microservices
JWTs for CSRF and MicroservicesJWTs for CSRF and Microservices
JWTs for CSRF and MicroservicesStormpath
 
Instant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootInstant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootStormpath
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreStormpath
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Stormpath
 
Spring Boot Authentication...and More!
Spring Boot Authentication...and More! Spring Boot Authentication...and More!
Spring Boot Authentication...and More! Stormpath
 
Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Stormpath
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Stormpath
 
Stormpath 101: Spring Boot + Spring Security
Stormpath 101: Spring Boot + Spring SecurityStormpath 101: Spring Boot + Spring Security
Stormpath 101: Spring Boot + Spring SecurityStormpath
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular jsStormpath
 

More from Stormpath (20)

The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API Security
 
Getting Started With Angular
Getting Started With AngularGetting Started With Angular
Getting Started With Angular
 
Building Beautiful REST APIs with ASP.NET Core
Building Beautiful REST APIs with ASP.NET CoreBuilding Beautiful REST APIs with ASP.NET Core
Building Beautiful REST APIs with ASP.NET Core
 
Build a REST API for your Mobile Apps using Node.js
Build a REST API for your Mobile Apps using Node.jsBuild a REST API for your Mobile Apps using Node.js
Build a REST API for your Mobile Apps using Node.js
 
JWTs in Java for CSRF and Microservices
JWTs in Java for CSRF and MicroservicesJWTs in Java for CSRF and Microservices
JWTs in Java for CSRF and Microservices
 
Beautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonBeautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with Ion
 
Storing User Files with Express, Stormpath, and Amazon S3
Storing User Files with Express, Stormpath, and Amazon S3Storing User Files with Express, Stormpath, and Amazon S3
Storing User Files with Express, Stormpath, and Amazon S3
 
Custom Data Search with Stormpath
Custom Data Search with StormpathCustom Data Search with Stormpath
Custom Data Search with Stormpath
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET Core
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
JWTs for CSRF and Microservices
JWTs for CSRF and MicroservicesJWTs for CSRF and Microservices
JWTs for CSRF and Microservices
 
Instant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootInstant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring Boot
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101
 
Spring Boot Authentication...and More!
Spring Boot Authentication...and More! Spring Boot Authentication...and More!
Spring Boot Authentication...and More!
 
Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2
 
Stormpath 101: Spring Boot + Spring Security
Stormpath 101: Spring Boot + Spring SecurityStormpath 101: Spring Boot + Spring Security
Stormpath 101: Spring Boot + Spring Security
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular js
 

Recently uploaded

Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 

Recently uploaded (20)

Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 

Secure Your REST API (The Right Way)

  • 1. Les Hazlewood @lhazlewood Apache Shiro PMC Chair CTO, Stormpath stormpath.com Secure your REST API (the right way)
  • 2. .com • User Management and Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
  • 4. ... is all about the headers Learn more at Stormpath.com
  • 5. 1. Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Learn more at Stormpath.com
  • 6. 2. Challenge Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=“name” Learn more at Stormpath.com
  • 7. 3. Resubmit Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Learn more at Stormpath.com
  • 8. Authorization Header Format GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Scheme Name Scheme-specific Value sp Learn more at Stormpath.com
  • 9. 4. Successful Response HTTP/1.1 200 OK Content-Type: application/json ... { “email”: “jsmith@gmail.com”, “givenName”: “Joe”, “surname”: Smith”, ... } Learn more at Stormpath.com
  • 10. Example: Oauth 1.0a GET /accounts/1234 HTTP/1.1 Host: api.acme.com Authorization: OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131200", oauth_nonce="wIjqoS", oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready", oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" Learn more at Stormpath.com
  • 11. Example: Oauth 2 GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Bearer mF_9.B5f-4.1JqM Learn more at Stormpath.com
  • 12. Example: Oauth 2 MAC GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: MAC id="h480djs93hd8", nonce="264095:dj83hs9s”, mac="SLDJd4mg43cjQfElUs3Qub4L6xE=" Learn more at Stormpath.com
  • 13. Ok, now that’s out of the way • Please avoid Basic Authc if you can. • Favor HMAC-SHA256 digest algorithms over bearer token algorithms • Use Oauth 1.0a or Oauth 2 (preferably MAC) • Only use a custom scheme if you really, really know what you’re doing. Learn more at Stormpath.com
  • 14. Status Codes Learn more at Stormpath.com
  • 15. 401 vs 403 • 401 “Unauthorized” really means Unauthenticated “You need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath.com
  • 16. HTTP Authorization Learn more at Stormpath.com
  • 17. HTTP Authorization • After authc, perform authz • Filter requests before invoking MVC layer • Blanket security policies • Per-URI customization Learn more at Stormpath.com
  • 18. HTTP Authorization: OAuth • OAuth is an authorization protocol, NOT an authentication or SSO protocol. • “Can I see User X’s email address please?” NOT: • “I want to authenticate User X w/ this username and password” • People still try to use OAuth for authentication (OpenId Connect) Learn more at Stormpath.com
  • 19. HTTP Authorization: OAuth • When OAuth 2 is a good fit: • If your REST clients do NOT own the data they are attempting to read • When Oauth 2 isn’t as good of a fit: • If your REST client owns the data it is reading • Could still be fine if you’re willing to incur some additional overhead Learn more at Stormpath.com
  • 20. HTTP Authorization: JWT • JWT = JSON Web Token • Very new spec, but clean & simple • JWTs can be digitally signed and/or encrypted, and are URL friendly. • Can be used as Bearer Tokens and for SSO Learn more at Stormpath.com
  • 21. Best Practices Learn more at Stormpath.com
  • 22. API Keys Learn more at Stormpath.com
  • 23. API Keys, Not Passwords • Entropy • Independence • Speed • Reduced Exposure • Traceability • Rotation Learn more at Stormpath.com
  • 24. API Keys cont’d • Authenticate every request • Encrypt API Key secret values at rest. • Avoid Sessions (not RESTful) • Authc every request + no sessions = no XSRF attacks Learn more at Stormpath.com
  • 25. Identifiers Learn more at Stormpath.com
  • 27. Identifiers • Should be opaque • Secure Random or Random/Time UUID • URL-friendly ‘Base62’ encoding • Avoid sequential numbers: • distribute ID generation load • mitigate fusking attacks Learn more at Stormpath.com
  • 28. Query Injection Learn more at Stormpath.com
  • 29. Query Injection Vulnerable URL: foo.com/accounts?acctId=‘ or ‘1’=‘1 String query = “select * from accounts where acct_id = ‘” + request.getParameter(“acctId”) + “’”; Solution • Use Parameterized Query API (Prepared Statements). • If not available, escape special chars Learn more at Stormpath.com
  • 30. Redirects and Forwards Learn more at Stormpath.com
  • 31. Redirects and Forwards • Avoid redirects and forwards if possible • If used, validate the value and ensure authorized for the current user. foo.com/redirect.jsp?url=evil.com foo.com/whatever.jsp?fwd=admin.jsp Learn more at Stormpath.com
  • 32. TLS Learn more at Stormpath.com
  • 33. TLS • Use TLS for everything • Once electing to TLS: – Never revert – Never switch back and forth • Cookies: set the ‘secure’ and ‘httpOnly’ flags for secure cookies • Backend/infrastructure connections use TLS too Learn more at Stormpath.com
  • 34. TLS Cont’d • Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms • Use Cipher Suites w/ Perfect Forward Secrecy! –e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256 • Keep your TLS certificates valid • But beware, TLS isn’t foolproof – App-level encryption + TLS for most secure results Learn more at Stormpath.com
  • 36. Configuration • CI: Security Testing • Security Patches • Regularly scan/audit • Same config in Dev, Prod, QA* – (Docker is great for this!) • Externalize passwords/credentials * Except credentials of course Learn more at Stormpath.com
  • 37. Storage Learn more at Stormpath.com
  • 38. Storage • Sensitive data encrypted at rest • Encrypt offsite backups • Strong algorithms/standards • Strong encryption keys and key mgt • Strong password hashing • External key storage • Encrypted file system (e.g. eCryptfs) Learn more at Stormpath.com
  • 39. Thank You! • les@stormpath.com • Twitter: @lhazlewood • https://stormpath.com Learn more at Stormpath.com
  • 40. .com • Free for developers • Eliminate months of development • Automatic security best practices Sign Up Now: Stormpath.com Learn more at Stormpath.com