Three Simple Practices for API Security

Allen Tipper
May. 10 2011, 10:11AM EDT

We here at ProgrammableWeb see a lot of APIs. Many of them are pretty secure, and some sadly are not. So, what makes an API secure? Well, I'm glad you asked. There are a lot of things one can do to improve the security of an API. Below I'll outline three simple practices that make up a good start for a secure API.

  • Use HTTPS If Possible.
  • HTTPS, or HTTP over Secure Sockets Layer (SSL), allows for encrypted communication while using the HTTP protocol. When transmitting such things as usernames and passwords, HTTPS can improve security greatly by encrypting the transmission so someone with a packet-sniffing tool can't see your usernames and passwords.

  • Don't Transmit Important Data In Plaintext
  • You'd think this would be obvious, but I saw an API that reminded me that this is in fact not done in every circumstance. If you must transmit a password, do it with some sort of hash function, and through HTTPS preferably. Otherwise, that username and password, which, knowing most users, they probably use on 20-odd sites or so, are now compromised. A smart cracker (most people would say "hacker", but it's a misuse of the term) would then try that user/pass combo on things like Gmail and such, then use the info found there to access nearly everything a user has. So, please, PLEASE don't do this.

  • Sanitize Your Inputs
  • Most websites these days use either SQL or some sort of database for their sites, and usually for their APIs. A developer absolutely needs to sanitize their inputs so as to avoid SQL injection attacks. For those that don't know, SQL injection attacks are when a malicious user is able to execute arbitrary SQL commands on a server they shouldn't have access to, thereby becoming able to trash your entire database. Sanitizing inputs is basically scanning them and "escaping" anything suspicious, so the database doesn't read them as commands but just as text.

There are always more issues to be considered, but here are a few basics that might save you as long as you keep them in mind when making an API. We always appreciate a good API, but data security is more important than the neatest whiz-bang thing. Don't be the next Sony. Secure your API.

Allen Tipper is a Computer Science generalist with a wide range of interests. After graduating in 2008, he's been programming for and specializing in mobile devices, as well as social media websites. As a programmer, APIs are rather important to him, as he finds using them in his software amazingly fun.

Comments(2)

me

How does a hash function help for man-in-the-middle attacks? If the attacker can listen in on your non-https connection, they can definitely acquire your "hashed" password, and use it later in replay attacks.

Allen, I'd like to echo your comment around API key security. More and more of our customers are telling us that an API key is a good starting point for security, but it (and SSL) are just that - starting points. Maybe it's because of the latest rash of cyber attacks, but what we're hearing from security-conscious companies are demands for things like signing and encryption services, as well as the ability to validate or exchange tokens (i.e., SAML). If this sounds like heavyweight security for lightweight REST APIs, you're correct, but much of it can be handled by an API Proxy, thereby insulating API developers.