Welcome to Manning India!

A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.

Part 1: Foundations

1 What is API security?

1.1 An analogy: taking your driving test

1.2 What is an API?

1.3 API security in context

1.3.1 A typical API deployment

1.4 Elements of API security

1.4.1 Assets

1.4.2 Security goals

1.4.3 Environments and threat models

1.5 Security mechanisms

1.5.1 Identification and authentication

1.5.2 Access control and authorization

1.5.3 Audit logging

1.5.4 Rate-limiting

1.6 Summary

2 Secure API development

2.1 The Natter API

2.1.1 Overview of the Natter API

2.1.2 Implementation overview

2.1.3 Setting up the project

2.1.4 Initializing the database

2.2 Developing the REST API

2.2.1 Creating a new space

2.3 Wiring up the REST endpoints

2.3.1 Trying it out

2.4 Injection attacks

2.4.1 Preventing injection attacks

2.4.2 Mitigating SQL injection with permissions

2.5 Input validation

2.6 Producing safe output

2.6.1 Exploiting XSS Attacks

2.6.2 Preventing XSS

2.6.3 Implementing the protections

2.7 What hasn’t been covered

2.8 Summary

3 Securing the Natter API

3.1 Addressing threats with security controls

3.2 Rate-limiting for availability

3.2.1 Rate-limiting with Guava

3.3 Authentication to prevent spoofing

3.3.1 HTTP Basic authentication

3.3.2 Secure password storage with Scrypt

3.3.3 Registering users in the Natter API

3.3.4 Authenticating users in Natter

3.4 Using encryption to keep data private

3.4.1 Enabling HTTPS

3.4.2 Strict transport security

3.5 Audit logging for accountability

3.6 Access control

3.6.1 Enforcing authentication

3.6.2 Access control lists

3.6.3 Enforcing access control in Natter

3.6.4 Adding new members to a Natter space

3.6.5 Avoiding privilege escalation attacks

3.7 Summary

Part 2: Securing REST APIs

4 Session cookie authentication

4.1 Authentication in web browsers

4.1.1 Calling the Natter API from JavaScript

4.1.2 Intercepting form submission

4.1.3 Serving the HTML from the same origin

4.1.4 Drawbacks of HTTP authentication

4.2 Token-based authentication

4.2.1 A token store abstraction

4.2.2 Implementing token-based login

4.3 Session cookies

4.3.1 Avoiding session fixation attacks

4.3.2 Cookie security attributes

4.3.3 Validating session cookies

4.4 Preventing cross-site request forgery attacks

4.4.1 SameSite cookies

4.4.2 Hash-based double-submit cookies

4.4.3 Double-submit cookies for the Natter API

4.5 Building the Natter login UI

4.5.1 Calling the login API from JavaScript

4.6 Implementing logout

4.7 Summary

5 Modern token-based authentication

5.1 Allowing cross-domain requests with CORS

5.1.1 Preflight requests

5.1.2 CORS headers

5.1.3 Adding CORS headers to the Natter API

5.2 Tokens without cookies

5.2.1 Storing token state in a database

5.2.2 The Bearer authentication scheme

5.2.3 Deleting expired tokens

5.2.4 Storing tokens in Web Storage

5.2.5 Updating the CORS filter

5.2.6 XSS attacks on Web Storage

5.3 Hardening database token storage

5.3.1 Authenticating tokens with HMAC

5.3.2 Protecting sensitive attributes

5.4 Summary

6 Self-contained tokens and JWTs

6.1 Storing token state on the client

6.1.1 Encrypting sensitive attributes

6.1.2 Authenticated encryption and attacks on stream ciphers

6.2 Using types for secure API design

6.3 JSON Web Tokens

6.3.1 The standard JWT claims

6.3.2 The JOSE header

6.3.3 Producing valid JWTs

6.3.4 Encrypted JWTs

6.4 Handling token revocation

6.4.1 Implementing hybrid tokens

6.5 Summary

7 OAuth2 and OpenID Connect

7.1 Scoped tokens

7.1.1 Adding scoped tokens to Natter

7.1.2 The difference between scopes and permissions

7.2 Introducing OAuth2

7.2.1 Types of clients

7.2.2 Authorization grants

7.2.3 Discovering OAuth2 endpoints

7.3 The Authorization Code grant

7.3.1 Redirect URIs for different types of client

7.3.2 Hardening code exchange with PKCE

7.3.3 Refresh tokens

7.4 Validating an access token

7.4.1 Token introspection

7.4.2 Securing the HTTPS client configuration

7.4.3 Token revocation

7.4.4 JWT access tokens

7.4.5 Encrypted JWT access tokens

7.4.6 Letting the AS decrypt the tokens

7.5 Single sign-on

7.6 OpenID Connect

7.6.1 ID tokens

7.6.2 Hardening OIDC

7.6.3 Passing an ID token to an API

7.7 Summary

8 Identity-based access control

8.1 Users and groups

8.1.1 LDAP groups

8.2 Role-based access control

8.2.1 Mapping roles to permissions

8.2.2 Static roles

8.2.3 Determining user roles

8.2.4 Dynamic roles

8.3 Attribute-based access control

8.3.1 Combining decisions

8.3.2 Implementing ABAC decisions

8.3.3 Policy agents and API gateways

8.3.4 Distributed policy enforcement and XACML

8.3.5 Best practices for ABAC

8.4 Summary

Part 3: Securing Microservice APIs in Kubernetes

9 Capability-based security and Macaroons

9.1 Capability-based security

9.2 Capabilities and REST

9.2.1 Capabilities as URIs

9.2.2 Using capability URIs in the Natter API

9.2.3 HATEOAS

9.2.4 Hardening capability URIs

9.2.5 Combining capabilities with identity

9.3 Macaroons: capabilities with caveats

9.3.1 First-party caveats

9.3.2 Third-party caveats

9.4 Summary

10 Microservice APIs in Kubernetes

10.1 Microservice APIs on Kubernetes

10.2 Deploying Natter on Kubernetes

10.2.1 Building H2 database as a Docker container

10.2.2 Deploying the database to Kubernetes

10.2.3 Answers are at the end of the chapter.Building the Natter API as a Docker container

10.2.4 The link-preview microservice

10.2.5 Deploying the new microservice

10.2.6 Calling the link-preview microservice

10.2.7 Preventing SSRF attacks

10.2.8 DNS rebinding attacks

10.3 Securing microservice communications

10.3.1 Securing communications with TLS

10.3.2 Using a service mesh for TLS

10.3.3 Locking down network connections

10.4 Securing incoming requests

10.5 Summary

11 Securing service-to-service APIs

11.1 API keys and JWT bearer authentication

11.2 The OAuth2 client credentials grant

11.2.1 Service accounts

11.3 The JWT bearer grant for OAuth2

11.3.1 Client authentication

11.3.2 Service account authentication

11.4 Mutual TLS authentication

11.4.1 How TLS certificate authentication works

11.4.2 Client certificate authentication

11.4.3 Verifying client identity

11.4.4 Using a service mesh

11.4.5 Mutual TLS with OAuth2

11.4.6 Certificate-bound access tokens

11.5 Managing service credentials

11.5.1 Kubernetes secrets

11.5.2 Key and secret management services

11.5.3 Avoiding long-lived secrets on disk

11.5.4 Key derivation

11.6 Service API calls in response to user requests

11.6.1 The phantom token pattern

11.6.2 OAuth2 token exchange

11.7 Summary

Part 4: Securing Internet of Things APIs

12 Protecting communications in the IoT

13 Authenticating Things

14 OAuth 2.0 in constrained environments

Appendixes

Appendix A: A Setting up Java and Maven

A.1 Java and Maven

A.1.1 Mac OS X

A.1.2 Windows

A.1.3 Linux

A.2 Installing Docker

A.3 Installing an Authorization Server

A.3.1 Installing ForgeRock Access Management

A.3.2 Installing an open source AS

A.4 Installing an LDAP directory server

A.4.1 ForgeRock Directory Services

A.4.2 Installing an open source LDAP directory server

Appendix B: B Setting up Kubernetes

B.1 MacOS

B.1.1 VirtualBox

B.1.2 Minikube

B.2 Linux

B.2.1 VirtualBox

B.2.2 Minikube

B.3 Windows

B.3.1 VirtualBox

B.3.2 Minikube

About the Technology

Web APIs are the foundation of interconnected IT architecture. With applications now dependent on third-party apps and services for essential tasks, the threats are increasingly complex and the need to secure them is more critical than ever. RESTful web services, microservices, the Internet of Things, and cloud-hosted applications all bring unique security challenges that demand new approaches to API security.

About the book

API Security in Action shows you how to create secure web APIs that you can confidently share with your business partners and expose for public usage. Security expert Neil Madden takes you under the hood of modern API security concepts, including token-based authentication for flexible multi-user security, bootstrapping a secure environment in a Kubernetes microservices architecture, and using lightweight cryptography to secure an IoT device. Chapter-by-chapter, you’ll build new layers of security onto a basic social network API, mastering techniques to protect against increasingly complex threat models and hostile environments. When you’re done, you’ll have the practical skills to design and implement APIs that are safe from most common attacks and are ready for the threats of tomorrow.

What's inside

The main API security controls: authentication, authorization, audit logging, rate limiting, and encryption
Token-based authentication in web browsers and mobile clients
Cloud Key Management Services in a Kubernetes environment
Delegated authorization using OAuth 2.0

About the reader

For developers with intermediate Java knowledge and experience building RESTful APIs.

About the author

Neil Madden is Security Director at ForgeRock and has an in-depth knowledge of applied cryptography, application security, and current API security technologies. He has worked as a programmer for 20 years and holds a PhD in Computer Science.

Manning Early Access Program (MEAP) Read chapters as they are written, get the finished eBook as soon as it’s ready, and receive the pBook long before it's in bookstores.

11 of 14 chapters available

MEAP combo $59.99 pBook + eBook + liveBook

API Security in Action (combo) added to cart

continue shopping go to cart

continue shopping

go to cart

Subtotal:	$59.99
Shipping:	---
Total:	---