Many organizations have chosen to handle their data with REST APIs, and with good reason — they’re lightweight, versatile, and a well-known standard. However, APIs also have specific security needs, making API security a top priority.
Some well-established practices and protocols can guide you towards better API security:
- Understand your security needs.
- Follow industry-standard best practices and use well-known open source tools.
- Enforce good governance so those practices are used everywhere in your organization.
This article takes you through the steps by helping you identify your needs and pinpoint the practices and tools that can serve you best. We also outline the role of governance in API security.
Set the right level of security for your API
One of the guiding ideas behind modern web security is the principle of least privilege — giving users access only to what they need to achieve their goals.
Security policies should be robust in protecting your data assets but flexible in allowing API consumers to innovate and deepen integrations over time.
It’s hard to anticipate everything users want to do. To find the right balance, start by asking the questions below.
Who are your API consumers?
Is this a publicly available service, or are all API consumers inside a trusted corporate network? Choose tools that allow users only what they need, with minimum friction.
What’s your request volume?
Automated API calls usually generate high request volumes. Public APIs may have an unpredictable number of users and requests. Internal APIs tend to be — but aren’t always — more predictable. You need security tools that can scale appropriately.
How sensitive is the data you’re serving?
As data becomes more proprietary and sensitive, it needs more security. Explore your encryption, access control, and data validation options through auth, HTTP headers, and application logic.
Different data requires different choices— options must work together to create a smooth user experience and sound data security. The questions above are a starting point, while the best practices we cover next can guide you to form an effective security strategy.
Best practices for securing a REST API
The seven rules below cover almost everything you need to know about REST API security at a basic level. With the particularities of your API program in mind, you can adapt the practices to your needs.
1. Always use HTTPS
Sometimes referred to as TLS (transport layer security) and an evolution of SSL (secure sockets layer), HTTPS provides default encryption on almost all browsers. Use it everywhere, on every endpoint, docs site, and landing page.
2. Keep credentials and sensitive data out of URLs
Remember that URLs are publicly discoverable and unencrypted — endpoints that use API keys, account numbers, or other sensitive details are easy to exploit but equally easy to avoid.
3. Update your dependencies
Carefully vet any libraries before you integrate them into your API. Establish a process to ensure you keep your version current, and install security patches as soon as they’re available.
4. You need auth, and you probably need it more than you think
Auth includes authentication and authorization. Both are indispensable and deeply connected in your code. You might have distinct groups of users — make sure you’re choosing tools and policies that let you adjust. The key here is to understand your users so you anticipate what they need while you shut them out of places they don’t need to go.
5. Design your data for security
Think about data security from the early stages of your API design — what devs call shift left security. Whether you’re designing your data resources from scratch or starting from a legacy database, keep the following in mind:
- Data segregation: Keep your most sensitive data away from public API endpoints. Create separate databases and APIs for different levels of data sensitivity.
- Strong data validation functions: Build robust guardrails in your application code to keep non-conforming data out. Don’t rely entirely on HTTP headers to do this work.
- Data conservation: Don’t preserve data any longer than you need to. Follow conservation and deletion rules carefully, especially for sensitive data.
- Data encryption: What do you need to encrypt in transit? What do you need to encrypt at rest? Build your databases to support those needs.
- Clean code: Plan carefully, document thoroughly, and test aggressively for loopholes, especially in auth logic.
- Separate APIs for public, private, and partner consumers: Creating separate APIs for those groups may be ideal so that each has a simple, clear-cut auth policy.
6. Use expert-designed open source tools
Industry experts have long collaborated to create valuable open source resources for community use. You can benefit from standards like OpenID Connect and OAuth 2.0, services like CertBot, and educational resources like the OWASP Top Ten. Shared standards lead to better interoperability, time savings, and a higher overall level of security.
7. The KISS principle: Keep it simple, sailor!
The more rules and conditions you implement, the more holes you create. Simple, concise policies are easier to explain and follow and leave fewer openings for mistakes. If you fear getting in over your head, take a step back and look for a more straightforward, higher-level solution.
Security is never perfect or completely done — API security evolves quickly, and you’ll need to continue learning and adapting. One crucial factor in robust REST API security is sticking to the policies you put in place.
Back up your intentions with solid governance
Hackers need only one vulnerability to cause significant damage. The most common source of vulnerabilities? Human error. You can counteract this weakness in two ways.
First, create a culture of security in your organization. Employees should buy into the value of data and API security, especially public-facing folks like salespeople and customer support staff. Second, bolster your strategy with tools and practices that prevent misttart. These can pick up the slack when people get overtaxed.
For example, you can use linters, automated testing, and other governance tools. If you can codify your security best practices, you can enforce them throughout your CI/CD pipeline and be confident in delivering API code that works as intended.
API security is a practice, not a goal
There’s no one answer for how to secure any REST API. There’s not even one answer to secure your REST API. Security can’t be static because nothing around it stays still. You must establish processes that will force you to evolve, and you need to keep learning — that’s one standard that will never change.