API Security in Action
"A comprehensive guide to designing and implementing secure services. A must-read book for all API practitioners who manage security." - Gilberto Taccari, Penta

API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography.

A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.

Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the technology
APIs control data sharing in every service, server, data store, and web client. Modern data-centric designs—including microservices and cloud-native applications—demand a comprehensive, multi-layered approach to security for both private and public-facing APIs.

About the book
API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you’re done, you’ll be able to create APIs that stand up to complex threat models and hostile environments.

What's inside

    Authentication
    Authorization
    Audit logging
    Rate limiting
    Encryption

About the reader
For developers with experience building RESTful APIs. Examples are in Java.

About the author
Neil Madden has in-depth knowledge of applied cryptography, application security, and current API security technologies. He holds a Ph.D. in Computer Science.

Table of Contents

PART 1 - FOUNDATIONS

1 What is API security?

2 Secure API development

3 Securing the Natter API

PART 2 - TOKEN-BASED AUTHENTICATION

4 Session cookie authentication

5 Modern token-based authentication

6 Self-contained tokens and JWTs

PART 3 - AUTHORIZATION

7 OAuth2 and OpenID Connect

8 Identity-based access control

9 Capability-based security and macaroons

PART 4 - MICROSERVICE APIs IN KUBERNETES

10 Microservice APIs in Kubernetes

11 Securing service-to-service APIs

PART 5 - APIs FOR THE INTERNET OF THINGS

12 Securing IoT communications

13 Securing IoT APIs

Product Details

ISBN-13: 9781638356646
Publisher: Manning
Publication date: 11/20/2020
Sold by: SIMON & SCHUSTER
Format: eBook
Pages: 576
File size: 8 MB

About the Author

Neil Madden is Security Director at ForgeRock and has an in-depth knowledge of applied cryptography, application security, and current API security technologies. He has worked as a programmer for 20 years and holds a PhD in Computer Science.

Table of Contents

Preface xi

Acknowledgments xiii

About this book xv

About the author xix

About the cover illustration xx

Part 1 Foundations 1

1 What is API security? 3

1.1 An analogy: Taking your driving test 4

1.2 What is an API? 6

API styles 7

1.3 API security in context 8

A typical API deployment 10

1.4 Elements of API security 12

Assets 13

Security goals 14

Environments and threat models 16

1.5 Security mechanisms 19

Encryption 20

Identification and authentication 21

Access control and authorization 22

Audit logging 23

Rate-limiting 24

2 Secure API development 27

2.1 The Natter API 27

Overview of the Natter API 28

Implementation overview 29

Setting up the project 30

Initializing the database 32

2.2 Developing the REST API 34

Creating a new space 34

2.3 Wiring up the REST endpoints 36

Trying it out 38

2.4 Injection attacks 39

Preventing injection attacks 43

Mitigating SQL injection with permissions 45

2.5 Input validation 47

2.6 Producing safe output 53

Exploiting XSS Attacks 54

Preventing XSS 57

Implementing the protections 58

3 Securing the Natter API 62

3.1 Addressing threats with security controls 63

3.2 Rate-limiting for availability 64

Rate-limiting with Guava 66

3.3 Authentication to prevent spoofing 70

HTTP Basic authentication 71

Secure password storage with Scrypt 72

Creating the password database 72

Registering users in the Natter API 74

Authenticating users 75

3.4 Using encryption to keep data private 78

Enabling HTTPS 80

Strict transport security 82

3.5 Audit logging for accountability 82

3.6 Access control 87

Enforcing authentication 89

Access control lists 90

Enforcing access control in Natter 92

Adding new members to a Natter space 94

Avoiding privilege escalation attacks 95

Part 2 Token-Based Authentication 99

4 Session cookie authentication 101

4.1 Authentication in web browsers 102

Calling the Natter API from JavaScript 102

Intercepting form submission 104

Serving the HTML from the same origin 105

Drawbacks of HTTP authentication 108

4.2 Token-based authentication 109

A token store abstraction 111

Implementing token-based login 112

4.3 Session cookies 115

Avoiding session fixation attacks 119

Cookie security attributes 121

Validating session cookies 123

4.4 Preventing Cross-Site Request Forgery attacks 125

SameSite cookies 127

Hash-based double-submit cookies 129

Double-submit cookies for the Natter API 133

4.5 Building the Natter login UI 138

Calling the login API from JavaScript 140

4.6 Implementing logout 143

5 Modern token-based authentication 146

5.1 Allowing cross-domain requests with CORS 147

Preflight requests 148

CORS headers 150

Adding CORS headers to the Natter API 151

5.2 Tokens without cookies 154

Storing token state in a database 155

The Bearer authentication scheme 160

Deleting expired tokens 162

Storing tokens in Web Storage 163

Updating the CORS filter 166

XSS attacks on Web Storage 167

5.3 Hardening database token storage 170

Hashing database tokens 170

Authenticating tokens with HMAC 172

Protecting sensitive attributes 177

6 Self-contained tokens and JWTs 181

6.1 Storing token state on the client 182

Protecting JSON tokens with HMAC 183

6.2 JSON Web Tokens 185

The standard JWT claims 187

The JOSE header 188

Generating standard JWTs 190

Validating a signed JWT 193

6.3 Encrypting sensitive attributes 195

Authenticated encryption 197

Authenticated encryption with NaCl 198

Encrypted JWTs 200

Using a JWT library 203

6.4 Using types for secure API design 206

6.5 Handling token revocation 209

Implementing hybrid tokens 210

Part 3 Authorization 215

7 OAuth2 and OpenID Connect 217

7.1 Scoped tokens 218

Adding scoped tokens to Natter 220

The difference between scopes and permissions 223

7.2 Introducing OAuth2 226

Types of clients 227

Authorization grants 228

Discovering OAuth2 endpoints 229

7.3 The Authorization Code grant 230

Redirect URIs for different types of clients 235

Hardening code exchange with PKCE 236

Refresh tokens 237

7.4 Validating an access token 239

Token introspection 239

Securing the HTTPS client configuration 245

Token revocation 248

JWT access tokens 249

Encrypted JWT access tokens 256

Letting the AS decrypt the tokens 258

7.5 Single sign-on 258

7.6 OpenID Connect 260

ID tokens 260

Hardening OIDC 263

Passing an ID token to an API 264

8 Identity-based access control 267

8.1 Users and groups 268

LDAP groups 271

8.2 Role-based access control 274

Mapping roles to permissions 276

Static roles 277

Determining user roles 279

Dynamic roles 280

8.3 Attribute-based access control 282

Combining decisions 284

Implementing ABAC decisions 285

Policy agents and API gateways 289

Distributed policy enforcement and XACML 290

Best practices for ABAC 291

9 Capability-based security and macaroons 294

9.1 Capability-based security 295

9.2 Capabilities and REST 297

Capabilities as URIs 299

Using capability URIs in the Natter API 303

HATEOAS 308

Capability URIs for browser-based clients 311

Combining capabilities with identity 314

Hardening capability URIs 315

9.3 Macaroons: Tokens with caveats 319

Contextual caveats 321

A macaroon token store 322

First-party caveats 325

Third-party caveats 328

Part 4 Microservice APIs in Kubernetes 333

10 Microservice APIs in Kubernetes 335

10.1 Microservice APIs on Kubernetes 336

10.2 Deploying Natter on Kubernetes 339

Building H2 database as a Docker container 341

Deploying the database to Kubernetes 345

Building the Natter API as a Docker container 349

The link-preview microservice 353

Deploying the new microservice 355

Calling the link-preview microservice 357

Preventing SSRF attacks 361

DNS rebinding attacks 366

10.3 Securing microservice communications 368

Securing communications with TLS 368

Using a service mesh for TLS 370

Locking down network connections 375

10.4 Securing incoming requests 377

11 Securing service-to-service APIs 383

11.1 API keys and JWT bearer authentication 384

11.2 The OAuth2 client credentials grant 385

Service accounts 387

11.3 The JWT bearer grant for OAuth2 389

Client authentication 391

Generating the JWT 393

Service account authentication 395

11.4 Mutual TLS authentication 396

How TLS certificate authentication works 397

Client certificate authentication 399

Verifying client identity 402

Using a service mesh 406

Mutual TLS with OAuth2 409

Certificate-bound access tokens 410

11.5 Managing service credentials 415

Kubernetes secrets 415

Key and secret management services 420

Avoiding long-lived secrets on disk 423

Key derivation 425

11.6 Service API calls in response to user requests 428

The phantom token pattern 429

OAuth2 token exchange 431

Part 5 APIs for the Internet of Things 437

12 Securing IoT communications 439

12.1 Transport layer security 440

Datagram TLS 441

Cipher suites for constrained devices 452

12.2 Pre-shared keys 458

Implementing a PSK server 460

The PSK client 462

Supporting raw PSK cipher suites 463

PSK with forward secrecy 465

12.3 End-to-end security 467

COSE 468

Alternatives to COSE 472

Misuse-resistant authenticated encryption 475

12.4 Key distribution and management 479

One-off key provisioning 480

Key distribution servers 481

Ratcheting for forward secrecy 482

Post-compromise security 484

13 Securing IoT APIs 488

13.1 Authenticating devices 489

Identifying devices 489

Device certificates 492

Authenticating at the transport layer 492

13.2 End-to-end authentication 496

OSCORE 499

Avoiding replay in REST APIs 506

13.3 OAuth2 for constrained environments 511

The device authorization grant 512

ACE-OAuth 517

13.4 Offline access control 518

Offline user authentication 518

Offline authorization 520

Appendix A Setting up Java and Maven 523

Appendix B Setting up Kubernetes 532

Index 535