A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.

Part 1: Foundations

1 What is API security?

1.1 Taking your driving test

1.2 What is an API?

1.3 API security in context

1.3.1 A typical API deployment

1.4 Elements of API security

1.4.1 Assets

1.4.2 Security goals

1.4.3 Environments and threat models

1.5 Security mechanisms

1.5.1 Identification and authentication

1.5.2 Access control and authorization

1.5.3 Audit logging

1.5.4 Rate-limiting

1.6 Summary

2 Secure API development

2.1 The Natter API

2.1.1 Overview of the Natter API

2.1.2 Implementation overview

2.1.3 Setting up the project

2.1.4 Initializing the database

2.2 Developing the REST API

2.2.1 Creating a new space

2.3 Wiring up the REST endpoints

2.3.1 Trying it out

2.3.2 Injection attacks

2.3.3 Preventing injection attacks

2.3.4 Mitigating SQL injection with permissions

2.3.5 Using a higher-level database library

2.4 Input validation

2.5 Producing safe output

2.5.1 Exploiting XSS Attacks

2.5.2 Preventing XSS

2.5.3 Implementing the protections

2.6 What hasn’t been covered

2.7 Summary

3 Securing the Natter API

3.1 Threats against an API

3.2 Addressing threats with security controls

3.3 Rate-limiting for availability

3.3.1 Rate-limiting with Guava

3.4 Authentication to prevent spoofing

3.4.1 HTTP Basic authentication

3.4.2 Secure password storage with Scrypt

3.4.3 Registering users in the Natter API

3.4.4 Authenticating users in Natter

3.5 Using encryption to keep data private

3.6 Audit logging for accountability

3.7 Access control

3.7.1 Enforcing authentication

3.7.2 Access control lists

3.7.3 Enforcing access control in Natter

3.7.4 Adding new members to a Natter space

3.7.5 Avoiding privilege escalation attacks

3.8 Summary

Part 2: Securing REST APIs

4 Session cookie authentication

4.1.1 Calling the Natter API from JavaScript

4.2 Authentication in web browsers

4.2.1 Intercepting form submission

4.2.2 Serving the HTML from the same origin

4.2.3 Drawbacks of HTTP authentication

4.3 Token-based authentication

4.3.1 A token store abstraction

4.3.2 Implementing token-based login

4.4 Session cookies

4.4.1 Avoiding session fixation attacks

4.4.2 Cookie security attributes

4.4.3 Validating session cookies

4.5 Preventing cross-site request forgery attacks

4.5.1 SameSite cookies

4.5.2 Hash-based double-submit cookies

4.5.3 Double-submit cookies for the Natter API

4.6 Building the Natter login UI

4.6.1 Calling the login API from JavaScript

4.7 Implementing logout

4.8 Summary

5 Modern token-based authentication

6 OAuth 2.0 and OpenID Connect

7 Identity-based access control

8 Capability security and Macaroons

Part 3: Securing Microservice APIs in Kubernetes

9 Service accounts

10 OAuth 2 for microservices

11 User authorization in Kubernetes

Part 4: Securing Internet of Things APIs

12 Protecting communications in the IoT

13 Authenticating Things

14 OAuth 2.0 in constrained environments

Appendixes

Appendix A: Setting up Java and Maven

A.1 Mac OS X

A.1.1 Installing Java 11

A.1.2 Installing Maven

A.2 Windows

A.3 Linux

About the Technology

Web APIs are the foundation of interconnected IT architecture. With applications now dependent on third-party apps and services for essential tasks, the threats are increasingly complex and the need to secure them is more critical than ever. RESTful web services, microservices, the Internet of Things, and cloud-hosted applications all bring unique security challenges that demand new approaches to API security.

About the book

API Security in Action shows you how to create secure web APIs that you can confidently share with your business partners and expose for public usage. Security expert Neil Madden takes you under the hood of modern API security concepts, including token-based authentication for flexible multi-user security, bootstrapping a secure environment in a Kubernetes microservices architecture, and using lightweight cryptography to secure an IoT device. Chapter-by-chapter, you’ll build new layers of security onto a basic social network API, mastering techniques to protect against increasingly complex threat models and hostile environments. When you’re done, you’ll have the practical skills to design and implement APIs that are safe from most common attacks and are ready for the threats of tomorrow.

What's inside

The main API security controls: authentication, authorization, audit logging, rate limiting, and encryption
Token-based authentication in web browsers and mobile clients
Cloud Key Management Services in a Kubernetes environment
Delegated authorization using OAuth 2.0

About the reader

For developers with intermediate Java knowledge and experience building RESTful APIs.

About the author

Neil Madden is Security Director at ForgeRock and has an in-depth knowledge of applied cryptography, application security, and current API security technologies. He has worked as a programmer for 20 years and holds a PhD in Computer Science.

Manning Early Access Program (MEAP) Read chapters as they are written, get the finished eBook as soon as it’s ready, and receive the pBook long before it's in bookstores.

4 of 14 chapters available

MEAP combo $59.99 pBook + eBook + liveBook

API Security in Action (combo) added to cart

continue shopping go to cart

continue shopping

go to cart

Subtotal:	$59.99
Shipping:	---
Total:	---