API Security in Action
A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.
A great read for someone who wants practical knowledge on how to protect their APIs.
Table of Contents
Part 1: Foundations
1 What is API security?
1.1 Taking your driving test
1.2 What is an API?
1.3 API security in context
1.3.1 A typical API deployment
1.4 Elements of API security
1.4.2 Security goals
1.4.3 Environments and threat models
1.5 Security mechanisms
1.5.1 Identification and authentication
1.5.2 Access control and authorization
1.5.3 Audit logging
2 Secure API development
2.1 The Natter API
2.1.1 Overview of the Natter API
2.1.2 Implementation overview
2.1.3 Setting up the project
2.1.4 Initializing the database
2.2 Developing the REST API
2.2.1 Creating a new space
2.3 Wiring up the REST endpoints
2.3.1 Trying it out
2.3.2 Injection attacks
2.3.3 Preventing injection attacks
2.3.4 Mitigating SQL injection with permissions
2.3.5 Using a higher-level database library
2.4 Input validation
2.5 Producing safe output
2.5.1 Exploiting XSS Attacks
2.5.2 Preventing XSS
2.5.3 Implementing the protections
2.6 What hasn’t been covered
3 Securing the Natter API
3.1 Threats against an API
3.2 Addressing threats with security controls
3.3 Rate-limiting for availability
3.3.1 Rate-limiting with Guava
3.4 Authentication to prevent spoofing
3.4.1 HTTP Basic authentication
3.4.2 Secure password storage with Scrypt
3.4.3 Registering users in the Natter API
3.4.4 Authenticating users in Natter
3.5 Using encryption to keep data private
3.6 Audit logging for accountability
3.7 Access control
3.7.1 Enforcing authentication
3.7.2 Access control lists
3.7.3 Enforcing access control in Natter
3.7.4 Adding new members to a Natter space
3.7.5 Avoiding privilege escalation attacks
Part 2: Securing REST APIs
4 Session cookie authentication
5 Modern token-based authentication
6 OAuth 2.0 and OpenID Connect
7 Identity-based access control
8 Capability security and Macaroons
Part 3: Securing Microservice APIs in Kubernetes
9 Service accounts
10 OAuth 2 for microservices
11 User authorization in Kubernetes
Part 4: Securing Internet of Things APIs
12 Protecting communications in the IoT
13 Authenticating Things
14 OAuth 2.0 in constrained environments
Appendix A: Setting up Java and Maven
A.1 Mac OS X
A.1.1 Installing Java 11
A.1.2 Installing Maven
About the Technology
Web APIs are the foundation of interconnected IT architecture. With applications now dependent on third-party apps and services for essential tasks, the threats are increasingly complex and the need to secure them is more critical than ever. RESTful web services, microservices, the Internet of Things, and cloud-hosted applications all bring unique security challenges that demand new approaches to API security.
About the book
API Security in Action shows you how to create secure web APIs that you can confidently share with your business partners and expose for public usage. Security expert Neil Madden takes you under the hood of modern API security concepts, including token-based authentication for flexible multi-user security, bootstrapping a secure environment in a Kubernetes microservices architecture, and using lightweight cryptography to secure an IoT device. Chapter by chapter, you’ll build new layers of security onto a basic social network API, mastering techniques to protect against increasingly complex threat models and hostile environments. When you’re done, you’ll have the practical skills to design and implement APIs that are safe from the most common attacks and are ready for the threats of tomorrow.
- The main API security controls: authentication, authorization, audit logging, rate limiting, and encryption
- Token-based authentication in web browsers and mobile clients
- Cloud Key Management Services in a Kubernetes environment
- Delegated authorization using OAuth 2.0
About the reader
For developers with intermediate Java knowledge and experience building RESTful APIs.
Manning Early Access Program (MEAP)
Read chapters as they are written, get the finished eBook as soon as it’s ready, and receive the pBook long before it's in bookstores.