⚕️API Security' best practice

Authentication - Avoid ‘Basic Authentication’, use standard (e.g. JWT)'

Explain the 'API Security' best practice 'Authentication > Avoid ‘Basic Authentication’, use standard (e.g. JWT)'

Basic Authentication is a very simple and widely supported authentication method. When you use it, your client sends a username and password with every request, encoded in Base64 and included in the Authorization header.

The main reasons to avoid Basic Authentication for APIs are:

1. Lack of Security: While Base64 encoding sounds like encryption, it's not. It's just an encoding scheme, and the credentials can be easily decoded by anyone who intercepts the request. This means your username and password are sent in clear text (or easily decodable clear text) over the network.

2. Statelessness Issue (and overuse of credentials): With Basic Auth, you'd typically send the

Explain the 'API Security' best practice 'Authentication > Avoid ‘Basic Authentication’, use standard (e.g. JWT)'

Basic Authentication is a very simple and widely supported authentication method. When you use it, your client sends a username and password with every request, encoded in Base64 and included in the Authorization header.

The main reasons to avoid Basic Authentication for APIs are:

1. Lack of Security: While Base64 encoding sounds like encryption, it's not. It's just an encoding scheme, and the credentials can be easily decoded by anyone who intercepts the request. This means your username and password are sent in clear text (or easily decodable clear text) over the network.

2. Statelessness Issue (and overuse of credentials): With Basic Auth, you'd typically send the credentials with every single request. This means if an attacker intercepts any request, they get your credentials.

3. Vulnerability to Replay Attacks: If an attacker captures an authenticated request, they could potentially replay it to impersonate the user.

Instead, the best practice is to use modern, standard authentication methods like JSON Web Tokens (JWT). Here's how JWTs work and why they are better:

• How JWTs work:

  1. The user first authenticates with the server (e.g., by providing username/password).

  2. If successful, the server issues a JWT, which is a digitally signed, compact, URL-safe means of representing claims (like user ID, roles, expiry time) between two parties.

  3. The client then stores this JWT (e.g., in local storage or a cookie) and includes it in the Authorization header of subsequent requests (usually as a "Bearer" token).

  4. The server verifies the token's signature to ensure it hasn't been tampered with and checks its claims (like expiry) to authorize the request.

• Advantages of JWTs (and similar standard tokens):

  • Statelessness (Server-side): Once a JWT is issued, the server doesn't need to store session information. Each request containing a valid token can be authenticated independently.

  • Security: JWTs are digitally signed (usually with a secret key or a public/private key pair), making them tamper-proof. While the content is not encrypted by default (it's Base64 encoded, like Basic Auth), the signature prevents malicious modification. If you need confidentiality, you'd use JWE (JSON Web Encryption).

  • Reduced Credential Exposure: The actual username and password are only sent once to obtain the token. Subsequent requests use the token, which typically has a shorter lifespan and can be revoked.

  • Flexibility: JWTs can carry various claims, allowing for fine-grained authorization policies.

By using methods like JWT, you significantly enhance the security of your APIs by reducing the risk of credentials being compromised and providing a more robust authentication mechanism.

Basic Authentication is a very simple and widely supported authentication method. When you use it, your client sends a username and password with every request, encoded in Base64 and included in the Authorization header.

The main reasons to avoid Basic Authentication for APIs, especially in production or for sensitive data, are:

1. Lack of Real Security: While Base64 encoding sounds like encryption, it's not. It's merely an encoding scheme that can be easily reversed. This means if an attacker intercepts your API requests (and you're not using HTTPS, which you absolutely must with Basic Auth), they can trivially decode the username and password, gaining access to your system. Even with HTTPS, if the token or request is logged somewhere insecurely, the credentials are directly exposed.

2. Credential Exposure on Every Request: With Basic Auth, your actual username and password (even if encoded) are sent with every single request. This increases the attack surface significantly. If any one of those requests is compromised, your core credentials are at risk.

3. No Built-in Session Management: Basic Auth is stateless in the sense that the server doesn't maintain a session. Each request requires re-authentication, which often means sending the full credentials again.

Why use standard token-based authentication like JWT (JSON Web Tokens):

Token-based authentication, such as JWTs, addresses these issues by introducing an intermediary token:

1. One-Time Credential Exchange: The user (or client application) sends their username and password to the server only once to log in.

2. Token Issuance: If the credentials are valid, the server issues a unique, cryptographically signed token (like a JWT) back to the client. This token represents the client's authenticated session.

3. Token for Subsequent Requests: For all subsequent API calls, the client sends this token instead of their actual username and password. The server then validates the token.

4. Reduced Credential Exposure: The actual credentials are no longer sent with every request, significantly reducing their exposure. If a token is compromised, it's typically an expiring token, not the user's permanent credentials.

5. Security Features:

   • Signed Tokens: JWTs are digitally signed, meaning the server can verify that the token hasn't been tampered with since it was issued. This ensures the integrity of the information within the token.

   • Expiration: JWTs can have an expiry time, making them valid only for a limited period. This limits the window of opportunity for an attacker if a token is stolen.

   • Statelessness (Server-Side): The server doesn't need to store session information for each user, as the token itself contains all necessary information about the user and their permissions. This is great for scalability.

In essence, using JWTs or similar token-based standards provides a more secure, flexible, and scalable way to handle authentication in modern APIs compared to the direct and less secure approach of Basic Authentication.

One-Time Credential Exchange - How and is it clear text?

Let's break down the "One-Time Credential Exchange" for JWTs:

How it works (the "How"):

1. Client Initiates Login: When a user wants to log in to an application that uses JWTs, they typically enter their username (or email) and password into a login form.

2. Client Sends Credentials to Server: The client-side application (e.g., a web browser, mobile app) takes these credentials and sends them to a specific authentication endpoint on your API server. This is usually done via an HTTP POST request.

3. Server Verifies Credentials: The API server receives this request, checks the provided username and password against its user database (e.g., hashing the password and comparing it).

4. Server Issues JWT: If the credentials are valid, the server generates a JSON Web Token (JWT), signs it with a secret key, and sends it back to the client in the response.

5. Client Stores JWT: The client-side application then stores this JWT (e.g., in a cookie, local storage, or session storage) for future use.

Is it clear text? (The crucial part):

No, the credentials themselves should NOT be sent in clear text.

This is where HTTPS (HTTP Secure) becomes absolutely critical.

• When you use HTTPS, the entire communication channel between the client and the server is encrypted using SSL/TLS.

• This encryption happens before any application-level data (like your username and password) is sent over the network.

• So, even though your application code might be sending a plain text username and password within the body of an HTTP POST request, the underlying HTTPS layer encrypts that entire request payload. If an attacker intercepts the network traffic, they will only see scrambled, encrypted data, not your actual credentials.

To be absolutely clear:

• Without HTTPS: If you were to send a username and password over plain HTTP (not HTTPS), it would be transmitted in clear, readable text over the network, making it incredibly vulnerable to eavesdropping. This is a massive security flaw.

• With HTTPS: The moment the user clicks "login," the browser (or app) packages the username and password into a request. Before sending it, the HTTPS protocol encrypts this entire package. Only the server, which possesses the corresponding decryption key, can successfully decrypt and read the credentials.

Therefore, the "One-Time Credential Exchange" is secure only if you are exclusively using HTTPS for all communication with your API. This is a fundamental security requirement for any web or API application dealing with sensitive information.

Explain the 'API Security' best practice 'Authentication > Do not reinvent the wheel in authentication mechanisms'

Here's why it's so important:

• Security by Design: Authentication mechanisms are incredibly complex, and getting them right requires deep security expertise. Established standards and libraries (like OAuth 2.0, OpenID Connect, JWT, etc.) have been developed by security professionals, rigorously tested, and battle-hardened over many years. They account for many attack vectors that a custom solution might overlook.

• Reduced Vulnerabilities: When you "reinvent the wheel," you introduce a high risk of inadvertently creating security vulnerabilities. Even small flaws in an authentication system can have catastrophic consequences, such as unauthorized access or data breaches.

• Maintenance and Updates: Keeping a custom authentication system secure is an ongoing effort. You'd be responsible for monitoring new attack techniques, patching vulnerabilities, and updating your system, which is a significant burden. Using existing solutions means you benefit from a community of developers and security experts who maintain and update these systems.

• Interoperability: Standardized authentication methods often allow for easier integration with other services and platforms.

In short, unless you are a security expert with a compelling reason and ample resources, always opt for proven, off-the-shelf authentication solutions to ensure the highest level of security for your API.

Explain the 'API Security' best practice 'Authentication > Use ‘Max Retry’ and jail features in login'

The 'Max Retry' and 'jail features' in login are crucial security measures designed to prevent brute-force attacks on your API's authentication system.

Here's what they mean:

• Max Retry (or Rate Limiting for Login): This feature limits the number of failed login attempts a user (or more accurately, an IP address or username) can make within a specific timeframe. For example, after 5 failed attempts in 5 minutes, the system might temporarily block further login attempts from that IP address or for that username. This prevents attackers from rapidly trying thousands of password combinations.

• Jail Features (or Account Lockout): When the 'Max Retry' limit is exceeded, the "jail" or account lockout feature comes into play. It temporarily (or sometimes permanently, depending on configuration) locks out the account or blocks the IP address that made too many failed attempts. This means even if the attacker eventually guesses the correct password, they won't be able to log in until the lockout period expires. This further deters brute-force attacks and protects legitimate user accounts.

Implementing these features makes it significantly harder for malicious actors to guess user credentials, enhancing the overall security of your API.

Explain the 'API Security' best practice 'Authentication > Use encryption on all sensitive data'

When dealing with sensitive data in APIs, it's absolutely crucial to encrypt it both when it's being sent between systems (in transit) and when it's stored (at rest). This ensures that if unauthorized individuals manage to access the data, they won't be able to read or use it because it will be scrambled.

Let's break it down:

• Encryption in Transit: This means encrypting data as it travels across networks, like from a user's browser to your server, or between different services within your infrastructure. The most common and essential way to achieve this is by using HTTPS (which relies on TLS/SSL). HTTPS encrypts the entire communication channel, so any data passing through it is protected. If an attacker intercepts the data packet, all they'll see is meaningless ciphertext.

• Encryption at Rest: This involves encrypting data when it's stored in databases, on hard drives, in cloud storage buckets, or any other persistent storage. Even if an attacker somehow bypasses your network defenses and gains access to your servers or storage devices, the data itself remains encrypted. They would then need the encryption key to decrypt it, which should be stored separately and securely.

By implementing encryption at both stages, you create multiple layers of defense, significantly reducing the risk of data breaches and protecting sensitive information from falling into the wrong hands.

Explain the 'API Security' best practice 'JSON Web Tokens (JWT) > Use good JWT Secret to make brute-force attacks difficult'

The 'JWT Secret' is a critical component for the security of your JSON Web Tokens (JWTs). It's essentially a secret key that your server uses to sign and verify the integrity of a JWT.

Here's why using a "good" (i.e., strong) JWT Secret is vital for preventing brute-force attacks:

1. JWT Signature: When a JWT is created, the header, payload, and your secret key are cryptographically combined to create a unique signature. This signature is appended to the token.

2. Verification: When your server receives a JWT, it recalculates the signature using the same header, payload, and its secret key. If the calculated signature matches the one in the token, the server knows:

   • The token hasn't been tampered with.

   • The token was issued by your server (or an authorized entity sharing the secret).

3. Brute-Force Attack Scenario: An attacker might try to forge a JWT or alter an existing one to gain unauthorized access. If they don't know your secret, they can't generate a valid signature. A brute-force attack on the JWT secret involves systematically trying different possible secrets until one is found that produces a valid signature for a given (known) JWT.

What makes a "good" JWT Secret?

To make brute-force attacks difficult, your JWT secret must be:

• Long: The longer the secret, the more possible combinations an attacker has to try, making it exponentially harder to guess. A common recommendation is at least 32 bytes (256 bits) for HMAC SHA-256.

• Random and Complex: It should be a truly random string of characters, including uppercase and lowercase letters, numbers, and symbols. Avoid using predictable patterns, common words, or easily guessable phrases.

• Unique: Never reuse secrets across different environments or applications.

• Securely Stored: The secret should never be hardcoded in your application's source code, committed to version control, or exposed publicly. It should be loaded from secure environment variables, a dedicated secret management service (like AWS Secrets Manager, HashiCorp Vault), or a secure configuration file.

• Rotated Regularly: Periodically changing your secret further reduces the window of opportunity for an attacker if it were ever compromised.

By using a strong, random, and securely managed JWT secret, you significantly increase the computational effort required for an attacker to guess it, thus protecting the integrity and authenticity of your JWTs and securing your API.

Explain the 'API Security' best practice 'JSON Web Tokens (JWT) > Do not extract the algorithm from the header, use backend'

This best practice highlights a critical security vulnerability known as "Algorithm Confusion" or "None Algorithm" attacks in JWTs if not handled correctly.

Here's the breakdown:

1. The alg (Algorithm) Header Field: A JSON Web Token (JWT) has a header that typically includes a field named alg. This field specifies the cryptographic algorithm used to sign the token (e.g., HS256, RS256). This signature is what allows your backend to verify the token's authenticity and ensure it hasn't been tampered with.

2. The Vulnerability: Trusting the Header Blindly: If your backend code blindly extracts the alg value from the JWT header and then uses that specified algorithm to verify the token, you open yourself up to a severe attack.

   • Algorithm Downgrade/Confusion: An attacker can modify a legitimate token's header to change the alg field to a different, weaker algorithm, or even to none (meaning no signature).

   • HS256 vs. RS256 Example:

     • RS256 uses an asymmetric key pair: a private key to sign the token and a public key to verify it. The public key is often shared.

     • HS256 uses a symmetric secret key: the same secret key is used to both sign and verify the token. If your server expects RS256 but an attacker changes the alg to HS256 and your backend trusts this change, the server might try to verify the token using HS256. The critical flaw here is if the backend then attempts to use its public key (which it would normally use for RS256 verification) as the symmetric secret for HS256 verification. Since the attacker likely has access to the public key, they can sign a new token using HS256 with the public key as the "secret." Your server, now configured to verify with HS256 using its own public key as the secret, would then validate the attacker's forged token as legitimate!

3. The Solution: Use Backend-Defined Algorithm: The secure way to handle JWT verification is to never trust the alg value in the token's header.

   Instead:

   • Your backend should have a pre-defined, explicit, and hardcoded list of acceptable algorithms (e.g., "tokens from this issuer must be signed with RS256").

   • When a token arrives, your backend should attempt to verify it using only the expected, predefined algorithm(s), regardless of what the alg field in the token header says. If the alg in the token's header doesn't match your expected algorithms, the token should be rejected.

By doing this, you prevent attackers from manipulating the signing algorithm and ensure that tokens are always verified with the strong, intended cryptographic method.

𝐀𝐏𝐈 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐁𝐞𝐬𝐭 𝐏𝐫𝐚𝐜𝐭𝐢𝐜𝐞𝐬

➤ 1. Use HTTPS → Ensure all API communication is encrypted to prevent data interception and man-in-the-middle attacks.

➤ 2. Input Validation → Sanitize and validate all incoming data to defend against injection attacks and malformed requests.

➤ 3. Use API Gateway → Acts as a central control point to manage traffic, apply policies, and enforce security at scale.

➤ 4. API Versioning → Maintain backward compatibility and security posture by versioning APIs during updates.

➤ 5. Rate Limiting → Prevent abuse and DDoS attacks by capping the number of requests a client can make over a time period.

➤ 6. Authorization → Ensure users only access resources they’re allowed to by enforcing role-based or policy-based access control.

➤ 7. Use OAuth2 → Implement secure, delegated access with token-based authorization to reduce credential exposure.

➤ 8. Use WebAuthn → Adopt modern, phishing-resistant authentication using public-key cryptography.

➤ 9. Use Leveled API Keys → Assign different permission levels to API keys based on usage scope and access needs.

➤ 10. Error Handling → Avoid revealing system internals through error messages; provide only necessary information.

➤ 11. Allowlist Trusted Clients → Restrict access to trusted IP addresses or services to reduce exposure to unauthorized actors.

➤ 12. Check OWASP API Security Risks → Regularly assess your APIs against the OWASP API Security Top 10 to identify and mitigate vulnerabilities.

𝟖 𝐜𝐫𝐢𝐭𝐢𝐜𝐚𝐥 𝐝𝐨𝐦𝐚𝐢𝐧𝐬

Here's my cheat sheet for designing secure systems that actually work in production 👇

𝟏. 𝐃𝐈𝐒𝐀𝐒𝐓𝐄𝐑 𝐑𝐄𝐂𝐎𝐕𝐄𝐑𝐘 Scenarios to Protect: • Data center failure • Ransomware attack • Human error deletion

Design Points: → RTO: <15 min for critical systems → Automated failover → Multi-region backup → Regular DR drills

𝟐. 𝐀𝐔𝐓𝐇𝐄𝐍𝐓𝐈𝐂𝐀𝐓𝐈𝐎𝐍 Scenarios to Protect: • Credential theft • Session hijacking • Privilege escalation

Design Points: → Multi-factor authentication (MFA) → Zero-trust architecture → Just-in-time access → Strong password policies

𝟑. 𝐄𝐍𝐂𝐑𝐘𝐏𝐓𝐈𝐎𝐍 Scenarios to Protect: • Data breaches • Man-in-middle attacks → Unauthorized access

Design Points: → End-to-end encryption → TLS 1.3 for data transit → AES-256 for data at rest → Key rotation policies

𝟒. 𝐀𝐔𝐓𝐇𝐎𝐑𝐈𝐙𝐀𝐓𝐈𝐎𝐍 Scenarios to Protect: • Lateral movement • Over-privileged access • Compliance violations

Design Points: → Role-based access (RBAC) → Least privilege principle → Regular access reviews → Attribute-based control

𝟓. 𝐕𝐔𝐋𝐍𝐄𝐑𝐀𝐁𝐈𝐋𝐈𝐓𝐘 𝐌𝐀𝐍𝐀𝐆𝐄𝐌𝐄𝐍𝐓 Scenarios to Protect: • Zero-day exploits • Unpatched systems • Configuration drift

Design Points: → Continuous scanning → Patch management SLA → Vulnerability assessment → Proactive security patches

𝟔. 𝐀𝐔𝐃𝐈𝐓 & 𝐂𝐎𝐌𝐏𝐋𝐈𝐀𝐍𝐂𝐄 Scenarios to Protect: • Regulatory violations → Unauthorized changes → Evidence gaps

Design Points: → Centralized logging → Immutable audit trails → Real-time monitoring → Compliance automation

𝟕. 𝐍𝐄𝐓𝐖𝐎𝐑𝐊 𝐒𝐄𝐂𝐔𝐑𝐈𝐓𝐘 Scenarios to Protect: • DDoS attacks • Network intrusion • Data exfiltration

Design Points: → Zero-trust networking → Micro-segmentation → WAF/IDS/IPS deployment → Intrusion detection

𝟖. 𝐀𝐏𝐈 𝐒𝐄𝐂𝐔𝐑𝐈𝐓𝐘 Scenarios to Protect: • API abuse • Data leakage • Injection attacks

Design Points: → Rate limiting → OAuth 2.0 / JWT → Input validation → API gateway enforcement

THE REALITY:

Most security breaches happen because organizations: → Focus on 2-3 domains, ignore the rest → Implement tools without strategy → Think compliance = security → Treat security as a one-time project