We here at ProgrammableWeb see a lot of APIs. Many of them are pretty secure, and some sadly are not. So, what makes an API secure? Well, I'm glad you asked. There are a lot of things one can do to improve the security of an API. Below I'll outline three simple practices that make up a good start for a secure API.
- Use HTTPS If Possible
- Don't Transmit Important Data In Plaintext
- Sanitize Your Inputs
HTTPS, or HTTP over Secure Sockets Layer (SSL, now TLS), allows for encrypted communication while using the HTTP protocol. When transmitting such things as usernames and passwords, HTTPS can improve security greatly by encrypting the transmission so someone with a packet sniffing tool can't see your usernames and passwords.
You'd think this would be obvious, but I saw an API that reminded me that this is in fact not done in every circumstance. If you must transmit a password, do it with some sort of hash function, and through HTTPS preferably. Otherwise, that username and password, which, knowing most users, they probably use on 20-odd sites or so, is now compromised. A smart cracker (most people would say "hacker", but it's a misuse of the term) would then try that user/pass combo on things like Gmail and such, then use the info found there to access nearly everything a user has. So, please, PLEASE don't do this.
Most websites these days use either SQL or some sort of database for their sites, and usually for their APIs. A developer absolutely needs to sanitize their inputs so as to avoid SQL injection attacks. For those that don't know, SQL injection attacks are when a malicious user is able to execute arbitrary SQL commands on a server they shouldn't have access to, thereby becoming able to trash your entire database. Sanitizing inputs is basically scanning them and "escaping" anything suspicious, so the database doesn't read them as commands but just as text.
There are always more issues to be considered, but here are a few basics that might save you as long as you keep them in mind when making an API. We always appreciate a good API, but data security is more important than the neatest whiz-bang thing. Don't be the next Sony. Secure your API.