API Security in Action
Neil Madden
  • MEAP began June 2019
  • Publication in Early 2021 (estimated)
  • ISBN 9781617296024
  • 540 pages (estimated)
  • printed in black & white

As developers, we have the responsibility to educate ourselves on this vital topic in order to protect our users. With this very approachable book, we don't have any excuse not to.

Marc Roulleau
A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.

About the Technology

Web APIs are the foundation of interconnected IT architecture. With applications now dependent on third-party apps and services for essential tasks, the threats are increasingly complex and the need to secure them is more critical than ever. RESTful web services, microservices, the Internet of Things, and cloud-hosted applications all bring unique security challenges that demand new approaches to API security.

About the book

API Security in Action shows you how to create secure web APIs that you can confidently share with your business partners and expose for public usage. Security expert Neil Madden takes you under the hood of modern API security concepts, including token-based authentication for flexible multi-user security, bootstrapping a secure environment in a Kubernetes microservices architecture, and using lightweight cryptography to secure an IoT device. Chapter-by-chapter, you’ll build new layers of security onto a basic social network API, mastering techniques to protect against increasingly complex threat models and hostile environments. When you’re done, you’ll have the practical skills to design and implement APIs that are safe from most common attacks and are ready for the threats of tomorrow.
Table of Contents

Part 1: Foundations

1 What is API security?

1.1 An analogy: taking your driving test

1.2 What is an API?

1.3 API security in context

1.3.1 A typical API deployment

1.4 Elements of API security

1.4.1 Assets

1.4.2 Security goals

1.4.3 Environments and threat models

1.5 Security mechanisms

1.5.1 Identification and authentication

1.5.2 Access control and authorization

1.5.3 Audit logging

1.5.4 Rate-limiting

1.6 Summary

2 Secure API development

2.1 The Natter API

2.1.1 Overview of the Natter API

2.1.2 Implementation overview

2.1.3 Setting up the project

2.1.4 Initializing the database

2.2 Developing the REST API

2.2.1 Creating a new space

2.3 Wiring up the REST endpoints

2.3.1 Trying it out

2.4 Injection attacks

2.4.1 Preventing injection attacks

2.4.2 Mitigating SQL injection with permissions

2.5 Input validation

2.6 Producing safe output

2.6.1 Exploiting XSS Attacks

2.6.2 Preventing XSS

2.6.3 Implementing the protections

2.7 What hasn’t been covered

2.8 Summary

3 Securing the Natter API

3.1 Addressing threats with security controls

3.2 Rate-limiting for availability

3.2.1 Rate-limiting with Guava

3.3 Authentication to prevent spoofing

3.3.1 HTTP Basic authentication

3.3.2 Secure password storage with Scrypt

3.3.3 Registering users in the Natter API

3.3.4 Authenticating users in Natter

3.4 Using encryption to keep data private

3.4.1 Enabling HTTPS

3.4.2 Strict transport security

3.5 Audit logging for accountability

3.6 Access control

3.6.1 Enforcing authentication

3.6.2 Access control lists

3.6.3 Enforcing access control in Natter

3.6.4 Adding new members to a Natter space

3.6.5 Avoiding privilege escalation attacks

3.7 Summary

Part 2: Securing REST APIs

4 Session cookie authentication

4.1 Authentication in web browsers

4.1.1 Calling the Natter API from JavaScript

4.1.2 Intercepting form submission

4.1.3 Serving the HTML from the same origin

4.1.4 Drawbacks of HTTP authentication

4.2 Token-based authentication

4.2.1 A token store abstraction

4.2.2 Implementing token-based login

4.3 Session cookies

4.3.1 Avoiding session fixation attacks

4.3.3 Validating session cookies

4.4 Preventing cross-site request forgery attacks

4.4.1 SameSite cookies

4.4.2 Hash-based double-submit cookies

4.4.3 Double-submit cookies for the Natter API

4.5 Building the Natter login UI

4.5.1 Calling the login API from JavaScript

4.6 Implementing logout

4.7 Summary

5 Modern token-based authentication

5.1 Allowing cross-domain requests with CORS

5.1.1 Preflight requests

5.1.2 CORS headers

5.1.3 Adding CORS headers to the Natter API

5.2 Tokens without cookies

5.2.1 Storing token state in a database

5.2.2 The Bearer authentication scheme

5.2.3 Deleting expired tokens

5.2.4 Storing tokens in Web Storage

5.2.5 Updating the CORS filter

5.2.6 XSS attacks on Web Storage

5.3 Hardening database token storage

5.3.1 Hashing database tokens

5.3.2 Authenticating tokens with HMAC

5.3.3 Protecting sensitive attributes

5.4 Summary

6 Self-contained tokens and JWTs

6.1 Storing token state on the client

6.1.1 Protecting JSON tokens with HMAC

6.2 JSON Web Tokens

6.2.1 The standard JWT claims

6.2.2 The JOSE header

6.2.3 Generating standard JWTs

6.2.4 Validating a signed JWT

6.3 Encrypting sensitive attributes

6.3.1 Authenticated encryption

6.3.2 Authenticated encryption with NaCl

6.3.3 Encrypted JWTs

6.3.4 Using a JWT library

6.4 Using types for secure API design

6.5 Handling token revocation

6.5.1 Implementing hybrid tokens

6.6 Summary

7 OAuth2 and OpenID Connect

7.1 Scoped tokens

7.1.1 Adding scoped tokens to Natter

7.1.2 The difference between scopes and permissions

7.2 Introducing OAuth2

7.2.1 Types of clients

7.2.2 Authorization grants

7.2.3 Discovering OAuth2 endpoints

7.3 The Authorization Code grant

7.3.1 Redirect URIs for different types of client

7.3.2 Hardening code exchange with PKCE

7.3.3 Refresh tokens

7.4 Validating an access token

7.4.1 Token introspection

7.4.2 Securing the HTTPS client configuration

7.4.3 Token revocation

7.4.4 JWT access tokens

7.4.5 Encrypted JWT access tokens

7.4.6 Letting the AS decrypt the tokens

7.5 Single sign-on

7.6 OpenID Connect

7.6.1 ID tokens

7.6.2 Hardening OIDC

7.6.3 Passing an ID token to an API

7.7 Summary

8 Identity-based access control

8.1 Users and groups

8.1.1 LDAP groups

8.2 Role-based access control

8.2.1 Mapping roles to permissions

8.2.2 Static roles

8.2.3 Determining user roles

8.2.4 Dynamic roles

8.3 Attribute-based access control

8.3.1 Combining decisions

8.3.2 Implementing ABAC decisions

8.3.3 Policy agents and API gateways

8.3.4 Distributed policy enforcement and XACML

8.3.5 Best practices for ABAC

8.4 Summary

Part 3: Securing Microservice APIs in Kubernetes

9 Capability-based security and Macaroons

9.1 Capability-based security

9.2 Capabilities and REST

9.2.1 Capabilities as URIs

9.2.2 Using capability URIs in the Natter API


9.2.4 Hardening capability URIs

9.2.5 Combining capabilities with identity

9.3 Macaroons: capabilities with caveats

9.3.1 First-party caveats

9.3.2 Third-party caveats

9.4 Summary

10 Microservice APIs in Kubernetes

10.1 Microservice APIs on Kubernetes

10.2 Deploying Natter on Kubernetes

10.2.1 Building H2 database as a Docker container

10.2.2 Deploying the database to Kubernetes

10.2.3 Building the Natter API as a Docker container

10.2.5 Deploying the new microservice

10.2.7 Preventing SSRF attacks

10.2.8 DNS rebinding attacks

10.3 Securing microservice communications

10.3.1 Securing communications with TLS

10.3.2 Using a service mesh for TLS

10.3.3 Locking down network connections

10.4 Securing incoming requests

10.5 Summary

11 Securing service-to-service APIs

11.1 API keys and JWT bearer authentication

11.2 The OAuth2 client credentials grant

11.2.1 Service accounts

11.3 The JWT bearer grant for OAuth2

11.3.1 Client authentication

11.3.2 Service account authentication

11.4 Mutual TLS authentication

11.4.1 How TLS certificate authentication works

11.4.2 Client certificate authentication

11.4.3 Verifying client identity

11.4.4 Using a service mesh

11.4.5 Mutual TLS with OAuth2

11.4.6 Certificate-bound access tokens

11.5 Managing service credentials

11.5.1 Kubernetes secrets

11.5.2 Key and secret management services

11.5.3 Avoiding long-lived secrets on disk

11.5.4 Key derivation

11.6 Service API calls in response to user requests

11.6.1 The phantom token pattern

11.6.2 OAuth2 token exchange

11.7 Summary

Part 4: Securing Internet of Things APIs

12 Securing IoT communications

12.1 Transport layer security

12.1.1 Datagram TLS

12.1.2 Cipher suites for constrained devices

12.2 Pre-shared keys

12.2.1 Implementing a PSK server

12.2.2 The PSK client

12.2.3 Supporting raw PSK cipher suites

12.2.4 PSK with forward secrecy

12.3 End-to-end security

12.3.1 COSE

12.3.2 Alternatives to COSE

12.3.3 Misuse-resistant authenticated encryption

12.4 Key distribution and management

12.4.1 One-off key provisioning

12.4.2 Key distribution servers

12.4.3 Ratcheting for forward secrecy

12.4.4 Post-compromise security

12.5 Summary

13 Securing IoT APIs

13.1 Authenticating devices

13.1.1 Identifying devices

13.1.2 Device certificates

13.1.3 Authenticating at the transport layer

13.2 End to end authentication

13.2.1 OSCORE

13.2.2 Avoiding replay in REST APIs

13.3 OAuth2 for constrained environments

13.3.1 The device authorization grant

13.3.2 ACE-OAuth

13.4 Offline access control

13.4.1 Offline user authentication

13.4.2 Offline authorization

13.5 Summary


Appendix A: Setting up Java and Maven

A.1 Java and Maven

A.1.1 Mac OS X

A.1.2 Windows

A.1.3 Linux

A.2 Installing Docker

A.3 Installing an Authorization Server

A.3.1 Installing ForgeRock Access Management

A.3.2 Installing an open source AS

A.4 Installing an LDAP directory server

A.4.1 ForgeRock Directory Services

A.4.2 Installing an open source LDAP directory server

Appendix B: Setting up Kubernetes

B.1 MacOS

B.1.1 VirtualBox

B.1.2 Minikube

B.2 Linux

B.2.1 VirtualBox

B.2.2 Minikube

B.3 Windows

B.3.1 VirtualBox

B.3.2 Minikube

What's inside

  • The main API security controls: authentication, authorization, audit logging, rate limiting, and encryption
  • Token-based authentication in web browsers and mobile clients
  • Cloud Key Management Services in a Kubernetes environment
  • Delegated authorization using OAuth 2.0

About the reader

For developers with intermediate Java knowledge and experience building RESTful APIs.

About the author

Neil Madden is Security Director at ForgeRock and has an in-depth knowledge of applied cryptography, application security, and current API security technologies. He has worked as a programmer for 20 years and holds a PhD in Computer Science.
