Les Hazelwood, CTO at Stormpath, told Gluecon attendees today that he and his staff spent 18 months researching REST security best practices, implementing them in the Stormpath API, and figuring out what works. Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Its intuitive API and expert support make it easy for developers to authenticate, manage, and secure users and roles in any application.
In a rapid fire presentation, Les covered the various protocols and techniques for securing your REST API the right way. Among his highlighted points:
- Never use Basic Authentication, if possible
- Favor HMAC-SHA256 digest algorithms over bearer tokens
- Use OAuth 1.0a or OAuth 2 (preferably MAC)
- “Only use a custom scheme if you really, really know what you’re doing”
- 401 “Unauthorized” really means unauthenticated
- “OAuth is an authorization protocol, NOT an authentication or SSO protocol,” Hazelwood said. But there are those that still try to use OAuth for authentication – for example, OpenID Connect.
- JSON Web Token (JWT) is “a very new spec, but clean and simple. We like it.”
Hazelwood then went on to discuss some recommended best practices. These practices are aimed at providers looking to take API security into their own hands.
- Use API keys, not passwords – for entropy, independence, speed, reduced exposure, traceability, rotation
- Authenticate every request
- Encrypt every request
- Avoid sessions (not RESTful)
- Redirects and forwards? Avoid them – if used, validate the value
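The two lists above (favor HMAC-SHA256 digests over bearer tokens; use API keys rather than passwords and authenticate every request) describe a request-signing scheme without showing one. The following is an added illustration, not code from Stormpath or from the talk: each request carries an API key id, a timestamp and an HMAC-SHA256 digest over the method, path, timestamp and body hash, and the server recomputes the digest with the key's secret. The header names, the canonical string layout, the credential store and the sample key are all assumptions made for this example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Constructed sample credential store (API key id -> secret). In a real
# service this lives in a database or secret store, never in source code.
API_KEYS = {
    "key_abc123": b"example-secret-not-a-real-credential",
}

# Requests whose timestamp is further than this from server time are rejected,
# which bounds how long a captured, signed request can be replayed.
CLOCK_SKEW_SECONDS = 300


def canonical_string(method, url, timestamp, body):
    """Build the exact string both client and server sign.

    Method, path+query, timestamp and a SHA-256 of the body are covered, so
    changing any of them changes the digest.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(key_id, secret, method, url, body=b"", timestamp=None):
    """Client side: return the headers that authenticate one request."""
    if timestamp is None:
        timestamp = int(time.time())
    to_sign = canonical_string(method, url, timestamp, body)
    digest = hmac.new(secret, to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "X-Api-Key": key_id,          # identifies the key, never the secret itself
        "X-Timestamp": str(timestamp),
        "X-Signature": digest,
    }


def verify_request(headers, method, url, body=b"", now=None):
    """Server side: authenticate one request. Returns (ok, reason)."""
    if now is None:
        now = int(time.time())
    secret = API_KEYS.get(headers.get("X-Api-Key"))
    if secret is None:
        return False, "unknown api key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > CLOCK_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = hmac.new(
        secret, canonical_string(method, url, ts, body).encode(), hashlib.sha256
    ).hexdigest()
    # compare_digest is constant-time, so a wrong signature cannot be
    # narrowed down byte by byte from response timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    url = "https://api.example.test/v1/accounts?expand=groups"
    body = b'{"email":"user@example.test"}'
    hdrs = sign_request("key_abc123", API_KEYS["key_abc123"], "POST", url, body)
    print(verify_request(hdrs, "POST", url, body))        # (True, 'ok')
    print(verify_request(hdrs, "POST", url, b"{}"))       # (False, 'signature mismatch')
```

Every request is authenticated on its own, so no server-side session is needed, and the secret never travels over the wire, which is the property that separates a digest scheme from a bearer token. The timestamp window only limits replay; a server that must reject an identical request twice within the window would additionally remember recently seen signatures or add a client nonce to the canonical string.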
Hazelwood also called out Transport Layer Security (TLS). “Use it for everything. But, once you elect it, never revert, and never switch back and forth.” For cookies, he said to set “secure” and “httpOnly” flags for secure cookies. “But beware, TLS isn’t foolproof,” he said. “Use app-level encryption and TLS for the most secure results.”
Some storage tips followed, including these: “Encrypt sensitive data at rest, and encrypt offsite backups.”
When asked by an audience member how widely these recommendations are followed, Hazelwood admitted, maybe not surprisingly, that “80 to 90% of APIs he sees don’t do half these things to secure themselves.” This observation points to the fact that many API providers are not strictly adhering to best practices when left to their own devices.
To that end, Hazelwood told the audience that on Thursday, Stormpath is “releasing a feature set that will provide all this out of the box.” So, thankfully, you don’t have to do it all yourself if you don’t want to. Here’s where you’ll likely find that announcement when it’s posted on the company’s web site: https://stormpath.com/press.