
It's my first time building and deploying a REST API with just the standard library. Are there any gotchas I should keep an eye out for regarding securing my REST API?

aroooo
  • If you look in the "Related" section on the side, you will see multiple questions here about securing REST APIs. – schroeder Nov 23 '19 at 00:59

1 Answer


Here's a list of best practices for securing a RESTful API.

  1. Always Use HTTPS - Traffic must be encrypted

  2. Never expose information in URLs - it can be captured in web server logs, which makes it easily exploitable.

    https://api.domain.com/user-management/users/{id}/someAction?apiKey=abcd123456789

  3. Consider OAuth

  4. Add a timestamp to each request - this will prevent very basic replay attacks from people who are trying to brute-force your system

  5. Input parameter validation - put strong validation checks in place and reject the request immediately if validation fails.

  6. Use auditing and logging - any subject or entity can be audited

For more information, OWASP provides a cheat sheet, found here.

Al Francis
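As an added example (not code from the question or the answer above), here is a small standard-library server that puts items 1, 2, 4, 5 and 6 of the answer into practice. The question does not say which language it is using, so Go's net/http is assumed. The header names X-Timestamp and X-Signature, the shared secret, the five-minute skew window, the /users route and the user schema are all assumptions of this example. It also goes one step beyond the answer's bare timestamp: the timestamp is bound to an HMAC over the method and path, because a timestamp that is not tied to anything can simply be refreshed by whoever replays the request.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"log"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Constructed shared secret for this example only; load it from a secret store in practice.
var apiSecret = []byte("example-shared-secret-not-for-production")

// Allowed drift between a request's X-Timestamp and server time (assumption).
const maxClockSkew = 5 * time.Minute

// signRequest returns the hex HMAC-SHA256 over "METHOD\nPATH\nTIMESTAMP" that the
// client sends in X-Signature; binding the timestamp to a MAC is what stops a
// captured request from being replayed with a freshened timestamp (item 4).
func signRequest(method, path, ts string) string {
	m := hmac.New(sha256.New, apiSecret)
	m.Write([]byte(method + "\n" + path + "\n" + ts))
	return hex.EncodeToString(m.Sum(nil))
}

// audit emits one line per security-relevant decision (item 6). It records the
// path but never the query string, body or headers, in keeping with item 2.
func audit(r *http.Request, event string) {
	log.Printf("audit event=%s method=%s path=%s remote=%s", event, r.Method, r.URL.Path, r.RemoteAddr)
}

// authenticate enforces items 2 and 4: credentials travel in headers, and every
// request carries a fresh timestamp bound to a signature.
func authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Has("apiKey") {
			audit(r, "credential_in_url")
			http.Error(w, "send credentials in headers, not the URL", http.StatusBadRequest)
			return
		}
		ts := r.Header.Get("X-Timestamp")
		unix, err := strconv.ParseInt(ts, 10, 64)
		if d := time.Since(time.Unix(unix, 0)); err != nil || d > maxClockSkew || d < -maxClockSkew {
			audit(r, "missing_or_stale_timestamp")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		want := signRequest(r.Method, r.URL.Path, ts)
		if !hmac.Equal([]byte(want), []byte(r.Header.Get("X-Signature"))) {
			audit(r, "bad_signature")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// createUser is the only shape POST /users accepts (item 5).
type createUser struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

func createUserHandler(w http.ResponseWriter, r *http.Request) {
	// Cap the body and refuse unknown fields so oversized payloads and
	// mass-assignment attempts such as {"admin":true} fail fast.
	dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 64<<10))
	dec.DisallowUnknownFields()
	var in createUser
	if err := dec.Decode(&in); err != nil {
		audit(r, "malformed_body")
		http.Error(w, "malformed request body", http.StatusBadRequest)
		return
	}
	if n := len(in.Name); n == 0 || n > 64 || len(in.Email) > 254 || strings.Count(in.Email, "@") != 1 {
		audit(r, "validation_failed")
		http.Error(w, "invalid name or email", http.StatusBadRequest)
		return
	}
	audit(r, "user_created")
	w.WriteHeader(http.StatusCreated)
}

func newServer() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/users", authenticate(http.HandlerFunc(createUserHandler)))
	return mux
}

func main() {
	// Item 1: TLS only; cert.pem and key.pem are assumed to be provisioned.
	log.Fatal(http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", newServer()))
}
```

A client sends the current Unix time in X-Timestamp and the HMAC of method, path and that timestamp in X-Signature. A request with the key in the query string is refused before it reaches the handler (so it never lands in an access log with the key attached), a request older than the skew window or with a bad signature gets 401, and a body with an unexpected field or an out-of-range value gets 400; every one of those decisions produces exactly one audit line.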