Securing Your API
Posted 17-Oct-2014 - Category: Technology
Transcript of Securing Your API

A Quick Rundown
• API overview
• API methodologies
• Security methodologies
• Best practices
Thursday, May 26, 2011

API vs. Web Service
• API = Application Programming Interface
• Web Service = API that operates over HTTP
• In this presentation, API == Web Service

Why Create An API
• Extend your product reach
• Encourage mashups
• Expose your data programmatically
• Connect with developers

API Success Stories
• Foursquare

Popular Methodologies
• REST
• XML-RPC
• SOAP

REST Service
• Representational State Transfer
• Architecture, not a standard
• HTTP-based

RESTful
• Client-Server
• Self-contained Requests (Stateless)
• Cacheable
• Named, Layered Resources
• http://brewerydb.com/api/breweries/2324
• http://brewerydb.com/api/beers/435

REST over HTTP
• GET - Read-only, for retrieving information
• POST - Creating a new resource
• PUT - Updating an existing resource
• DELETE - Deleting an existing resource

REST Security
• None built in
• Encryption over HTTPS
• Left to the implementer
• Error handling left to implementer

SOAP Service
• Simple Object Access Protocol
• XML-based
• Uses GET for read, POST for write
• W3C Specification for sending and receiving messages

SOAP Security
• Nothing provided in spec
• WS-Security
• Extension to SOAP spec
• Provided as a guide for securing SOAP services

WS-Security
• Guidelines for solving 3 problems
• Identify and authenticate a client
• Ensure integrity of the message
• Curtail eavesdropping while in transit
• Defines mechanisms as opposed to actual protocols
• http://www.oasis-open.org/committees/wss/

XML-RPC Service
• XML Remote Procedure Call
• XML-based
• Uses HTTP-POST
• Spec published by UserLand Software in ~1998

XML-RPC
• Uses XML to specify a method and parameters
• Simple data structures, no objects
• Arrays and Structs most complex

XML-RPC Security
• None in the spec
• Encryption over HTTPS
• Security left to the implementer
• Error handling - <fault> base response element

Security Mechanisms
• OAuth
• BasicAuth
• API Keys

OAuth 1.0
Think of it as a valet key for your internet accounts...
Open standard for API access delegation
RFC 5849 - The OAuth 1.0 Protocol
Published April 2010

OAuth 1.0 Players
• Service Provider (Server)- Has the information you want
• Consumer (Client) - Wants the information from the Service Provider
• User (Resource Owner) - Can grant access to the Consumer to acquire information about your account from the Service Provider

Benefits of OAuth 1.0
• Applications don’t need a user’s password
• Power in the hands of the user
• Secure handshake
• Doesn’t require SSL
• Many libraries available

OAuth 1.0 Pitfalls
• Signatures based on complex cryptography
• Server-side implementation is complex

OAuth - Roll Your Own
• Consumer Registration and Management
• User pass-through, grant access
• Consumer access management by User
• Token storage and generation
• 2-legged vs. 3-legged

OAuth 2.0 - Coming Soon
• Removes signature requirement except on token acquisition
• Requires SSL
• Single security token, no signature required
• Guidelines for use with Javascript and applications with no web browser

More Info on OAuth
• OAuth Spec: http://oauth.net/
• OAuth 2.0 Information: http://oauth.net/2/
• Lorna’s OAuth Blog Series: http://www.lornajane.net/

BasicAuth
• Passes a username and password with the request
• Defined by the HTTP specification

BasicAuth Do’s
• SSL is a must
• Username / Password is transmitted in cleartext
• Base64 encoded, but not encrypted
• Basic > Digest
• Basic assumes authentication is required
• Digest requires extra transfer for nonce

BasicAuth Pros
• Client requests are easy
• Part of nearly every HTTP request library
• Server setup is easy
• Use existing BasicAuth credentials

BasicAuth Cons
• Requires a username and password for a user
• Credentials are not, by default, encrypted
• Requires username and password to be embedded in client code

Access Keys
• Not based on any standard
• Implementation requirements are up to the service provider
• Keys -> signatures

Access Key Basics
• Part of URL: http://pintlabs.com/api?key=23sdbk32
• Sign request with key instead of passing it in URL
• Use params + shared secret as signature

Signed Request Workflow
(Diagram: the Client signs the request parameters "?key=val" with its shared secret "vje48hvn4" and sends "?key=val&signature=23kcwej323". The Server recomputes the signature over the same parameters with the same shared secret and checks "23kcwej323 == 23kcwej323".)

Access Keys Pros
• Easy to generate keys and distribute them
• Typically removes the need to transfer username and password in raw form
• Signed requests prevent altering parameters
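The signed-request workflow from the previous slide, as an added example (not code from the talk): the client signs the sorted parameters with a shared secret, the server looks up the same secret for the presented key, recomputes and compares. The key id is taken from the slide; the secret, the HMAC-SHA256 choice and the parameter names are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample credential: the public key id from the slide mapped to a
# made-up shared secret. A real service loads these from its key store.
SECRETS = {"23sdbk32": "vje48hvn4"}


def canonical_query(params):
    """Sort parameters by name so client and server sign exactly the same bytes.
    The signature itself is never part of the signed material."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "signature"))


def sign(params, secret):
    """HMAC-SHA256 over the canonical query string, hex encoded."""
    msg = canonical_query(params).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def client_build_query(params, key_id, secret):
    """Client side: include the key id as a parameter, sign, append the signature.
    Only the key id travels in the URL; the secret never leaves the client."""
    signed = dict(params, key=key_id)
    signed["signature"] = sign(signed, secret)
    return urlencode(signed)


def server_verify(query):
    """Server side: look up the secret for the presented key, recompute the
    signature over the received parameters and compare in constant time.
    Any altered or added parameter changes the canonical string and fails."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    secret = SECRETS.get(params.get("key", ""))
    presented = params.get("signature", "")
    if secret is None or not presented:
        return False
    # Signing binds the parameters, not the moment of sending: replay
    # protection would additionally need a timestamp or nonce parameter.
    return hmac.compare_digest(sign(params, secret), presented)
```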

Access Keys Cons
• Unsigned
• Must embed them in code
• SSL is not required, so will (by default) transfer in plaintext
• Signed
• Encryption is scary....ish

Best Practices for Keys
• Use signed requests over unsigned
• One key per application per developer
• Require username in headers

General Best Practices
• Rate Limiting
• Access Control
• Error Handling
• SSL Layer
• API Domain
“Stupid is as Stupid Does” - Gump

Rate-Limiting
• Keeps API access in check
• Authenticated and Unauthenticated calls should be subject to rate limiting
• Best practice
• Have a standard, application wide rate limit
• Allow that limit to be overridden on a per user, per application basis

Rate-Limiting Best Practices
• Authenticated
• Have a standard, application wide rate limit
• Allow that limit to be overridden on a per user, per application basis
• Unauthenticated
• Based on domain or IP address
• Allow limit to be overridden as well
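A sliding-window limiter implementing the two policies above: an application-wide default with per-user or per-application overrides for authenticated calls, and an IP-keyed default for unauthenticated calls. This is an added example, not code from the talk; the limit values, the override table and the API key names are constructed.

```python
import time
from collections import defaultdict, deque

# Constructed policy: (calls, window in seconds). Application-wide defaults per tier,
# with explicit overrides keyed on (tier, principal) as the slide recommends.
DEFAULT_LIMITS = {"authenticated": (100, 60), "unauthenticated": (10, 60)}
OVERRIDES = {("authenticated", "app:partner-dashboard"): (1000, 60)}


class RateLimiter:
    """Authenticated callers are bucketed by API key, others by client IP."""

    def __init__(self, defaults=DEFAULT_LIMITS, overrides=OVERRIDES, clock=time.monotonic):
        self.defaults = defaults
        self.overrides = overrides
        self.clock = clock  # injectable for deterministic testing
        self.hits = defaultdict(deque)  # (tier, principal) -> timestamps in window

    def limit_for(self, tier, principal):
        """Per-principal override if present, otherwise the application-wide default."""
        return self.overrides.get((tier, principal), self.defaults[tier])

    def allow(self, api_key=None, client_ip=None):
        """Return (allowed, remaining). Callers map a False result to HTTP 429."""
        if api_key:
            tier, principal = "authenticated", api_key
        else:
            tier, principal = "unauthenticated", client_ip or "unknown"
        calls, window = self.limit_for(tier, principal)
        now = self.clock()
        recent = self.hits[(tier, principal)]
        while recent and now - recent[0] >= window:  # drop hits outside the window
            recent.popleft()
        if len(recent) >= calls:
            return False, 0
        recent.append(now)
        return True, calls - len(recent)
```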

Access Control
• Treat API endpoints just as service endpoints in your application
• Have a standard API access site wide
• Allow override on a per-user, per-application basis.
• Allows you to roll out features to a select group or user

Error Handling
• Set appropriate HTTP headers
• Provide viable, valid error messages
• Log errors for the API too
• Have a standard error response object for all methods, including authentication

SSL Layer
• Encrypts all traffic to and from your API
• Can cause performance hit
• ~10-15% in trials
• Depending on protocol, should be a requirement

API Domain
• Use sub-domain
• Can move to separate webserver
• Handle traffic requirements

Questions?
Jason Austin - @jason_austin - [email protected]
http://joind.in/3427