API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you’re done, you’ll be able to create APIs that stand up to complex threat models and hostile environments.

Table of Contents

  1. API Security in Action
  2. Copyright
  3. contents
  4. front matter
    1. preface
    2. acknowledgments
    3. about this book
    4. Who should read this book
    5. How this book is organized: A roadmap
    6. About the code
    7. liveBook discussion forum
    8. Other online resources
    9. about the author
    10. about the cover illustration
  5. Part 1. Foundations
  6. 1 What is API security?
    1. 1.1 An analogy: Taking your driving test
    2. 1.2 What is an API?
    3. 1.2.1 API styles
    4. 1.3 API security in context
    5. 1.3.1 A typical API deployment
    6. 1.4 Elements of API security
    7. 1.4.1 Assets
    8. 1.4.2 Security goals
    9. 1.4.3 Environments and threat models
    10. 1.5 Security mechanisms
    11. 1.5.1 Encryption
    12. 1.5.2 Identification and authentication
    13. 1.5.3 Access control and authorization
    14. 1.5.4 Audit logging
    15. 1.5.5 Rate-limiting
    16. Answers to pop quiz questions
    17. Summary
  7. 2 Secure API development
    1. 2.1 The Natter API
    2. 2.1.1 Overview of the Natter API
    3. 2.1.2 Implementation overview
    4. 2.1.3 Setting up the project
    5. 2.1.4 Initializing the database
    6. 2.2 Developing the REST API
    7. 2.2.1 Creating a new space
    8. 2.3 Wiring up the REST endpoints
    9. 2.3.1 Trying it out
    10. 2.4 Injection attacks
    11. 2.4.1 Preventing injection attacks
    12. 2.4.2 Mitigating SQL injection with permissions
    13. 2.5 Input validation
    14. 2.6 Producing safe output
    15. 2.6.1 Exploiting XSS Attacks
    16. 2.6.2 Preventing XSS
    17. 2.6.3 Implementing the protections
    18. Answers to pop quiz questions
    19. Summary
  8. 3 Securing the Natter API
    1. 3.1 Addressing threats with security controls
    2. 3.2 Rate-limiting for availability
    3. 3.2.1 Rate-limiting with Guava
    4. 3.3 Authentication to prevent spoofing
    5. 3.3.1 HTTP Basic authentication
    6. 3.3.2 Secure password storage with Scrypt
    7. 3.3.3 Creating the password database
    8. 3.3.4 Registering users in the Natter API
    9. 3.3.5 Authenticating users
    10. 3.4 Using encryption to keep data private
    11. 3.4.1 Enabling HTTPS
    12. 3.4.2 Strict transport security
    13. 3.5 Audit logging for accountability
    14. 3.6 Access control
    15. 3.6.1 Enforcing authentication
    16. 3.6.2 Access control lists
    17. 3.6.3 Enforcing access control in Natter
    18. 3.6.4 Adding new members to a Natter space
    19. 3.6.5 Avoiding privilege escalation attacks
    20. Answers to pop quiz questions
    21. Summary
  9. Part 2. Token-based authentication
  10. 4 Session cookie authentication
    1. 4.1 Authentication in web browsers
    2. 4.1.1 Calling the Natter API from JavaScript
    3. 4.1.2 Intercepting form submission
    4. 4.1.3 Serving the HTML from the same origin
    5. 4.1.4 Drawbacks of HTTP authentication
    6. 4.2 Token-based authentication
    7. 4.2.1 A token store abstraction
    8. 4.2.2 Implementing token-based login
    9. 4.3 Session cookies
    10. 4.3.1 Avoiding session fixation attacks
    11. 4.3.2 Cookie security attributes
    12. 4.3.3 Validating session cookies
    13. 4.4 Preventing Cross-Site Request Forgery attacks
    14. 4.4.1 SameSite cookies
    15. 4.4.2 Hash-based double-submit cookies
    16. 4.4.3 Double-submit cookies for the Natter API
    17. 4.5 Building the Natter login UI
    18. 4.5.1 Calling the login API from JavaScript
    19. 4.6 Implementing logout
    20. Answers to pop quiz questions
    21. Summary
  11. 5 Modern token-based authentication
    1. 5.1 Allowing cross-domain requests with CORS
    2. 5.1.1 Preflight requests
    3. 5.1.2 CORS headers
    4. 5.1.3 Adding CORS headers to the Natter API
    5. 5.2 Tokens without cookies
    6. 5.2.1 Storing token state in a database
    7. 5.2.2 The Bearer authentication scheme
    8. 5.2.3 Deleting expired tokens
    9. 5.2.4 Storing tokens in Web Storage
    10. 5.2.5 Updating the CORS filter
    11. 5.2.6 XSS attacks on Web Storage
    12. 5.3 Hardening database token storage
    13. 5.3.1 Hashing database tokens
    14. 5.3.2 Authenticating tokens with HMAC
    15. 5.3.3 Protecting sensitive attributes
    16. Answers to pop quiz questions
    17. Summary
  12. 6 Self-contained tokens and JWTs
    1. 6.1 Storing token state on the client
    2. 6.1.1 Protecting JSON tokens with HMAC
    3. 6.2 JSON Web Tokens
    4. 6.2.1 The standard JWT claims
    5. 6.2.2 The JOSE header
    6. 6.2.3 Generating standard JWTs
    7. 6.2.4 Validating a signed JWT
    8. 6.3 Encrypting sensitive attributes
    9. 6.3.1 Authenticated encryption
    10. 6.3.2 Authenticated encryption with NaCl
    11. 6.3.3 Encrypted JWTs
    12. 6.3.4 Using a JWT library
    13. 6.4 Using types for secure API design
    14. 6.5 Handling token revocation
    15. 6.5.1 Implementing hybrid tokens
    16. Answers to pop quiz questions
    17. Summary
  13. Part 3. Authorization
  14. 7 OAuth2 and OpenID Connect
    1. 7.1 Scoped tokens
    2. 7.1.1 Adding scoped tokens to Natter
    3. 7.1.2 The difference between scopes and permissions
    4. 7.2 Introducing OAuth2
    5. 7.2.1 Types of clients
    6. 7.2.2 Authorization grants
    7. 7.2.3 Discovering OAuth2 endpoints
    8. 7.3 The Authorization Code grant
    9. 7.3.1 Redirect URIs for different types of clients
    10. 7.3.2 Hardening code exchange with PKCE
    11. 7.3.3 Refresh tokens
    12. 7.4 Validating an access token
    13. 7.4.1 Token introspection
    14. 7.4.2 Securing the HTTPS client configuration
    15. 7.4.3 Token revocation
    16. 7.4.4 JWT access tokens
    17. 7.4.5 Encrypted JWT access tokens
    18. 7.4.6 Letting the AS decrypt the tokens
    19. 7.5 Single sign-on
    20. 7.6 OpenID Connect
    21. 7.6.1 ID tokens
    22. 7.6.2 Hardening OIDC
    23. 7.6.3 Passing an ID token to an API
    24. Answers to pop quiz questions
    25. Summary
  15. 8 Identity-based access control
    1. 8.1 Users and groups
    2. 8.1.1 LDAP groups
    3. 8.2 Role-based access control
    4. 8.2.1 Mapping roles to permissions
    5. 8.2.2 Static roles
    6. 8.2.3 Determining user roles
    7. 8.2.4 Dynamic roles
    8. 8.3 Attribute-based access control
    9. 8.3.1 Combining decisions
    10. 8.3.2 Implementing ABAC decisions
    11. 8.3.3 Policy agents and API gateways
    12. 8.3.4 Distributed policy enforcement and XACML
    13. 8.3.5 Best practices for ABAC
    14. Answers to pop quiz questions
    15. Summary
  16. 9 Capability-based security and macaroons
    1. 9.1 Capability-based security
    2. 9.2 Capabilities and REST
    3. 9.2.1 Capabilities as URIs
    4. 9.2.2 Using capability URIs in the Natter API
    5. 9.2.3 HATEOAS
    6. 9.2.4 Capability URIs for browser-based clients
    7. 9.2.5 Combining capabilities with identity
    8. 9.2.6 Hardening capability URIs
    9. 9.3 Macaroons: Tokens with caveats
    10. 9.3.1 Contextual caveats
    11. 9.3.2 A macaroon token store
    12. 9.3.3 First-party caveats
    13. 9.3.4 Third-party caveats
    14. Answers to pop quiz questions
    15. Summary
  17. Part 4. Microservice APIs in Kubernetes
  18. 10 Microservice APIs in Kubernetes
    1. 10.1 Microservice APIs on Kubernetes
    2. 10.2 Deploying Natter on Kubernetes
    3. 10.2.1 Building H2 database as a Docker container
    4. 10.2.2 Deploying the database to Kubernetes
    5. 10.2.3 Building the Natter API as a Docker container
    6. 10.2.4 The link-preview microservice
    7. 10.2.5 Deploying the new microservice
    8. 10.2.6 Calling the link-preview microservice
    9. 10.2.7 Preventing SSRF attacks
    10. 10.2.8 DNS rebinding attacks
    11. 10.3 Securing microservice communications
    12. 10.3.1 Securing communications with TLS
    13. 10.3.2 Using a service mesh for TLS
    14. 10.3.3 Locking down network connections
    15. 10.4 Securing incoming requests
    16. Answers to pop quiz questions
    17. Summary
  19. 11 Securing service-to-service APIs
    1. 11.1 API keys and JWT bearer authentication
    2. 11.2 The OAuth2 client credentials grant
    3. 11.2.1 Service accounts
    4. 11.3 The JWT bearer grant for OAuth2
    5. 11.3.1 Client authentication
    6. 11.3.2 Generating the JWT
    7. 11.3.3 Service account authentication
    8. 11.4 Mutual TLS authentication
    9. 11.4.1 How TLS certificate authentication works
    10. 11.4.2 Client certificate authentication
    11. 11.4.3 Verifying client identity
    12. 11.4.4 Using a service mesh
    13. 11.4.5 Mutual TLS with OAuth2
    14. 11.4.6 Certificate-bound access tokens
    15. 11.5 Managing service credentials
    16. 11.5.1 Kubernetes secrets
    17. 11.5.2 Key and secret management services
    18. 11.5.3 Avoiding long-lived secrets on disk
    19. 11.5.4 Key derivation
    20. 11.6 Service API calls in response to user requests
    21. 11.6.1 The phantom token pattern
    22. 11.6.2 OAuth2 token exchange
    23. Answers to pop quiz questions
    24. Summary
  20. Part 5. APIs for the Internet of Things
  21. 12 Securing IoT communications
    1. 12.1 Transport layer security
    2. 12.1.1 Datagram TLS
    3. 12.1.2 Cipher suites for constrained devices
    4. 12.2 Pre-shared keys
    5. 12.2.1 Implementing a PSK server
    6. 12.2.2 The PSK client
    7. 12.2.3 Supporting raw PSK cipher suites
    8. 12.2.4 PSK with forward secrecy
    9. 12.3 End-to-end security
    10. 12.3.1 COSE
    11. 12.3.2 Alternatives to COSE
    12. 12.3.3 Misuse-resistant authenticated encryption
    13. 12.4 Key distribution and management
    14. 12.4.1 One-off key provisioning
    15. 12.4.2 Key distribution servers
    16. 12.4.3 Ratcheting for forward secrecy
    17. 12.4.4 Post-compromise security
    18. Answers to pop quiz questions
    19. Summary
  22. 13 Securing IoT APIs
    1. 13.1 Authenticating devices
    2. 13.1.1 Identifying devices
    3. 13.1.2 Device certificates
    4. 13.1.3 Authenticating at the transport layer
    5. 13.2 End-to-end authentication
    6. 13.2.1 OSCORE
    7. 13.2.2 Avoiding replay in REST APIs
    8. 13.3 OAuth2 for constrained environments
    9. 13.3.1 The device authorization grant
    10. 13.3.2 ACE-OAuth
    11. 13.4 Offline access control
    12. 13.4.1 Offline user authentication
    13. 13.4.2 Offline authorization
    14. Answers to pop quiz questions
    15. Summary
  23. appendix A. Setting up Java and Maven
    1. A.1 Java and Maven
    2. A.1.1 macOS
    3. A.1.2 Windows
    4. A.1.3 Linux
    5. A.2 Installing Docker
    6. A.3 Installing an Authorization Server
    7. A.3.1 Installing ForgeRock Access Management
    8. A.4 Installing an LDAP directory server
    9. A.4.1 ForgeRock Directory Services
  24. appendix B. Setting up Kubernetes
    1. B.1 MacOS
    2. B.1.1 VirtualBox
    3. B.1.2 Minikube
    4. B.2 Linux
    5. B.2.1 VirtualBox
    6. B.2.2 Minikube
    7. B.3 Windows
    8. B.3.1 VirtualBox
    9. B.3.2 Minikube
  25. index