API Security Best Practices

What are some of the most common API security best practices?

  • Use tokens. Establish trusted identities and then control access to services and resources by using tokens assigned to those identities.
  • Use encryption and signatures. Encrypt your data using a method like TLS (Transport Layer Security). Require signatures to ensure that the right users are decrypting and modifying your data, and no one else.
  • Identify vulnerabilities and perform regular security testing. Keep up with your operating system, network, drivers, and API components. Know how everything works together and identify weak spots that could be used to break into your APIs. Use sniffers to detect security issues and track data leaks.
  • Use quotas and throttling. Place quotas on how often your API can be called and track its use over history. More calls on an API may indicate that it is being abused. It could also be a programming mistake such as calling the API in an endless loop. Make rules for throttling to protect your APIs from spikes and Denial-of-Service attacks.
  • Use an API gateway. API gateways act as the major point of enforcement for API traffic. A good gateway will allow you to authenticate traffic as well as control and analyze how your APIs are used.

API management and security

API security often comes down to good API management. Many API management platforms support three types of security schemes. These are:

  • An API key that is a single token string (i.e. a small hardware device that provides unique authentication information).
  • Basic Authentication (APP ID / APP Key) that is a two-token string solution (i.e. username and password).
  • OpenID Connect (OIDC) that is a simple identity layer on top of the popular OAuth framework (i.e. it verifies the user by obtaining basic profile information and using an authentication server).