API Security in Action
Neil Madden
  • MEAP began June 2019
  • Publication in Summer 2020 (estimated)
  • ISBN 9781617296024
  • 400 pages (estimated)
  • printed in black & white

A great read for someone who wants practical knowledge on how to protect their APIs.

Stuart Perks
A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.
Table of Contents detailed table of contents

Part 1: Foundations

1 What is API security?

1.1 Taking your driving test

1.2 What is an API?

1.3 API security in context

1.3.1 A typical API deployment

1.4 Elements of API security

1.4.1 Assets

1.4.2 Security goals

1.4.3 Environments and threat models

1.5 Security mechanisms

1.5.1 Identification and authentication

1.5.2 Access control and authorization

1.5.3 Audit logging

1.5.4 Rate-limiting

1.6 Summary

2 Secure API development

2.1 The Natter API

2.1.1 Overview of the Natter API

2.1.2 Implementation overview

2.1.3 Setting up the project

2.1.4 Initializing the database

2.2 Developing the REST API

2.2.1 Creating a new space

2.3 Wiring up the REST endpoints

2.3.1 Trying it out

2.4 Injection attacks

2.4.1 Preventing injection attacks

2.4.2 Mitigating SQL injection with permissions

2.5 Input validation

2.6 Producing safe output

2.6.1 Exploiting XSS Attacks

2.6.2 Preventing XSS

2.6.3 Implementing the protections

2.7 What hasn’t been covered

2.8 Summary

3 Securing the Natter API

3.1 Addressing threats with security controls

3.2 Rate-limiting for availability

3.2.1 Rate-limiting with Guava

3.3 Authentication to prevent spoofing

3.3.1 HTTP Basic authentication

3.3.2 Secure password storage with Scrypt

3.3.3 Registering users in the Natter API

3.3.4 Authenticating users in Natter

3.4 Using encryption to keep data private

3.4.1 Enabling HTTPS

3.4.2 Strict transport security

3.5 Audit logging for accountability

3.6 Access control

3.6.1 Enforcing authentication

3.6.2 Access control lists

3.6.3 Enforcing access control in Natter

3.6.4 Adding new members to a Natter space

3.6.5 Avoiding privilege escalation attacks

3.7 Summary

Part 2: Securing REST APIs

4 Session cookie authentication

4.1 Authentication in web browsers

4.1.1 Calling the Natter API from JavaScript

4.1.2 Intercepting form submission

4.1.3 Serving the HTML from the same origin

4.1.4 Drawbacks of HTTP authentication

4.2 Token-based authentication

4.2.1 A token store abstraction

4.2.2 Implementing token-based login

4.3 Session cookies

4.3.1 Avoiding session fixation attacks

4.3.2 Cookie security attributes

4.3.3 Validating session cookies

4.4 Preventing cross-site request forgery attacks

4.4.1 SameSite cookies

4.4.2 Hash-based double-submit cookies

4.4.3 Double-submit cookies for the Natter API

4.5 Building the Natter login UI

4.5.1 Calling the login API from JavaScript

4.6 Implementing logout

4.7 Summary

5 Modern token-based authentication

5.1 Allowing cross-domain requests with CORS

5.1.1 Preflight requests

5.1.2 CORS headers

5.1.3 Adding CORS headers to the Natter API

5.2 Tokens without cookies

5.2.1 Storing token state in a database

5.2.2 The Bearer authentication scheme

5.2.3 Deleting expired tokens

5.2.4 Storing tokens in Web Storage

5.2.5 Updating the CORS filter

5.2.6 XSS attacks on Web Storage

5.3 Hardening database token storage

5.3.1 Authenticating tokens with HMAC

5.3.2 Protecting sensitive attributes

5.4 Summary

6 OAuth 2.0 and OpenID Connect

7 Identity-based access control

8 Capability security and Macaroons

Part 3: Securing Microservice APIs in Kubernetes

9 Service accounts

10 OAuth 2 for microservices

11 User authorization in Kubernetes

Part 4: Securing Internet of Things APIs

12 Protecting communications in the IoT

13 Authenticating Things

14 OAuth 2.0 in constrained environments

Appendixes

Appendix A: A Setting up Java and Maven

A.1 Mac OS X

A.1.1 Installing Java 11

A.1.2 Installing Maven

A.2 Windows

A.3 Linux</text>

About the Technology

Web APIs are the foundation of interconnected IT architecture. With applications now dependent on third-party apps and services for essential tasks, the threats are increasingly complex and the need to secure them is more critical than ever. RESTful web services, microservices, the Internet of Things, and cloud-hosted applications all bring unique security challenges that demand new approaches to API security.

About the book

API Security in Action shows you how to create secure web APIs that you can confidently share with your business partners and expose for public usage. Security expert Neil Madden takes you under the hood of modern API security concepts, including token-based authentication for flexible multi-user security, bootstrapping a secure environment in a Kubernetes microservices architecture, and using lightweight cryptography to secure an IoT device. Chapter-by-chapter, you’ll build new layers of security onto a basic social network API, mastering techniques to protect against increasingly complex threat models and hostile environments. When you’re done, you’ll have the practical skills to design and implement APIs that are safe from most common attacks and are ready for the threats of tomorrow.

What's inside

  • The main API security controls: authentication, authorization, audit logging, rate limiting, and encryption
  • Token-based authentication in web browsers and mobile clients
  • Cloud Key Management Services in a Kubernetes environment
  • Delegated authorization using OAuth 2.0

About the reader

For developers with intermediate Java knowledge and experience building RESTful APIs.

About the author

Neil Madden is Security Director at ForgeRock and has an in-depth knowledge of applied cryptography, application security, and current API security technologies. He has worked as a programmer for 20 years and holds a PhD in Computer Science.
Manning Early Access Program badge
Manning Early Access Program (MEAP) Read chapters as they are written, get the finished eBook as soon as it’s ready, and receive the pBook long before it's in bookstores.

5 of 14 chapters available

35% Complete
MEAP combo $59.99 pBook + eBook + liveBook
MEAP eBook $47.99 pdf + ePub + kindle + liveBook
Prices displayed in rupees will be charged in USD when you check out.

placing your order...

Don't refresh or navigate away from the page.
customers also bought
Object Design Style Guide
Matthias Noback
Istio in Action
Christian E. Posta
Unit Testing
Principles, Practices, and Patterns
Vladimir Khorikov
The Design of Web APIs
Arnaud Lauret
Foreword by Kin Lane
Parallel and High Performance Computing
Robert Robey and Yuliana Zamora
Algorithms and Data Structures in Action
Marcello La Rocca
API Design Patterns
JJ Geewax
Microservices Security in Action
Prabath Siriwardena and Nuwan Dias
Real-World Cryptography
David Wong
Secure by Design
Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano
Foreword by Daniel Terhorst-North
Seriously Good Software
Code that works, survives, and wins
Marco Faella
Designing APIs with Swagger and OpenAPI
Joshua S. Ponelat

FREE domestic shipping on three or more pBooks