API Security Top 5 Tips


Here are 5 simple tips to improve your API security.

1) Authentication

Set up API authentication (user/pass/token) for every API, including APIs that are only called by automated clients. Using a framework with built-in authentication can simplify this process.

2) Authorisation

Set up API authorisation (checking that the user is meant to have access to the data) for every API. This is typically known as roles or access control. A simple way to test it is to use an account that shouldn't have access to an API, or to data within that API, and confirm that it is denied.
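The following is an added example (not code from the original post) showing tips 1 and 2 together in a minimal Python request handler: every request must present a bearer token, the token is compared in constant time, and the authenticated user's roles are then checked against a deny-by-default endpoint policy. The token store, user names, roles and routes are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed credential store: API token -> user record.
# A real service would store only a hash of each token; plaintext is used
# here purely to keep the example self-contained.
USERS = {
    "tok-alice-7f3a": {"user": "alice", "roles": {"reader", "billing"}},
    "tok-bob-91c2": {"user": "bob", "roles": {"reader"}},
}

# Hypothetical endpoint policy: the role each route requires.
# Routes missing from this map are denied for everyone (deny by default).
ENDPOINT_ROLES = {
    "GET /v1/reports": "reader",
    "GET /v1/invoices": "billing",
}


@dataclass
class Response:
    status: int
    body: str


def authenticate(headers: dict) -> Optional[dict]:
    """Tip 1: every request must carry a valid bearer token.

    Returns the user record, or None when the token is missing or unknown.
    hmac.compare_digest is used so the comparison time does not depend on
    how many leading bytes of the presented token happen to match.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for token, record in USERS.items():
        if hmac.compare_digest(presented, token.encode()):
            return record
    return None


def authorise(user: dict, route: str) -> bool:
    """Tip 2: the authenticated user must hold the role the route requires."""
    required = ENDPOINT_ROLES.get(route)
    if required is None:
        return False
    return required in user["roles"]


def handle(method: str, path: str, headers: dict) -> Response:
    """Dispatch in the order the tips describe: authenticate, then authorise,
    then serve. Error bodies are generic so a caller learns only that the
    request was rejected, not which user or role exists."""
    user = authenticate(headers)
    if user is None:
        return Response(401, "authentication required")
    route = f"{method} {path}"
    if not authorise(user, route):
        return Response(403, "forbidden")
    return Response(200, f"{route} served for {user['user']}")


if __name__ == "__main__":
    # The negative test from tip 2: bob has no 'billing' role, so the
    # invoices route must be denied even though his token is valid.
    print(handle("GET", "/v1/invoices", {"Authorization": "Bearer tok-alice-7f3a"}))
    print(handle("GET", "/v1/invoices", {"Authorization": "Bearer tok-bob-91c2"}))
    print(handle("GET", "/v1/reports", {}))
```

The order of the checks matters: authorisation is only evaluated for a request that has already been authenticated, and an unknown route falls through to a denial rather than to a default allow.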

3) Rate Limiting

Apply rate limiting to all APIs so they can't be overused without being blocked. Further details about rate limiting: https://www.vtxsecurity.com.au/2018/04/06/rate-limiting-architecture-implementation-php/
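As an added example (not from the original post or the linked article), here is a per-client token bucket limiter in Python. Each client identifier gets a bucket that allows a short burst and then a steady sustained rate; the clock is injectable so the behaviour can be checked without sleeping. The capacity and rate values are assumptions chosen for the demonstration.

```python
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # requests currently available to this client
    last: float     # clock reading at the last refill


class TokenBucketLimiter:
    """Per-client token bucket.

    A client may make up to `capacity` requests in a burst, after which it is
    limited to `rate` requests per second. `clock` defaults to a monotonic
    clock; a fake clock can be passed in for deterministic testing.
    """

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.buckets = {}

    def allow(self, client_id: str) -> bool:
        """Return True if the request may proceed, False if it should get
        a 429 response. Refills the bucket lazily on each call."""
        now = self.clock()
        b = self.buckets.get(client_id)
        if b is None:
            b = Bucket(tokens=float(self.capacity), last=now)
            self.buckets[client_id] = b
        # Refill in proportion to elapsed time, never beyond capacity.
        elapsed = now - b.last
        b.tokens = min(float(self.capacity), b.tokens + elapsed * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def retry_after(self, client_id: str) -> float:
        """Seconds until one more request would be allowed, suitable for a
        Retry-After header on the 429 response."""
        b = self.buckets.get(client_id)
        if b is None or b.tokens >= 1.0:
            return 0.0
        return (1.0 - b.tokens) / self.rate


class FakeClock:
    """Manually advanced clock used to exercise the limiter deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity=3, rate=1.0, clock=clock)
    for i in range(5):
        print(f"request {i + 1}: allowed={limiter.allow('client-a')}")
    print(f"retry after {limiter.retry_after('client-a'):.1f}s")
    clock.t = 1.0
    print(f"after 1s: allowed={limiter.allow('client-a')}")
```

The key on which the bucket is selected (API token, authenticated user, or source address) decides what the limit actually protects; keying on the authenticated identity from tip 1 means a single credential cannot be used to exhaust the API no matter how many addresses it is used from.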

4) Logging and Monitoring

Set up logging and monitoring so there is at least one record for each use of an API. This is useful for analysis as well as for identifying inappropriate use and cyber attacks. If a gateway or reverse proxy sits in front of the API, it is a simple starting point for logging, so that each user's access to each API is recorded in a log. Monitoring (reviewing the logs) is also important for identifying issues and improvement opportunities.
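The following added example (not code from the original post) shows both halves of tip 4 in Python: a gateway-style function that emits one structured JSON record per API call, and a monitoring pass over a constructed sample log that flags clients accumulating authentication or authorisation failures and summarises calls per route. The IP addresses, users, routes and thresholds are all constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime


def access_log_line(ts: str, client_ip: str, user: str, method: str,
                    path: str, status: int, latency_ms: int) -> str:
    """One structured record per API call. Emitting JSON lines from the
    gateway or reverse proxy keeps the records parseable by whatever does
    the monitoring later. `user` is "-" when authentication failed."""
    return json.dumps({"ts": ts, "client_ip": client_ip, "user": user,
                       "method": method, "path": path, "status": status,
                       "latency_ms": latency_ms}, separators=(",", ":"))


# Constructed sample log: one normal user, one client repeatedly failing
# authentication within half a minute, and one valid user denied on a route
# outside its role (a single 403 is normal and should not be flagged).
SAMPLE_LOG = "\n".join([
    access_log_line("2024-05-01T10:00:00Z", "203.0.113.5", "alice", "GET", "/v1/reports", 200, 12),
    *[access_log_line(f"2024-05-01T10:01:{s:02d}Z", "198.51.100.9", "-", "GET", "/v1/reports", 401, 3)
      for s in range(0, 30, 5)],   # six 401s in 25 seconds
    access_log_line("2024-05-01T10:02:00Z", "203.0.113.7", "bob", "GET", "/v1/invoices", 403, 4),
    access_log_line("2024-05-01T10:10:00Z", "198.51.100.9", "-", "GET", "/v1/reports", 401, 3),
])


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts, adding a timezone-aware datetime as 'dt'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["dt"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def flag_auth_failures(records, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {client_ip: peak_failures} for clients that produced at least
    `threshold` 401/403 responses inside any `window_s`-second window.
    Records are assumed to be in time order, as an access log is."""
    recent = defaultdict(deque)
    peak = {}
    for rec in records:
        if rec["status"] not in (401, 403):
            continue
        q = recent[rec["client_ip"]]
        q.append(rec["dt"])
        # Drop failures that have aged out of the window.
        while (rec["dt"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            peak[rec["client_ip"]] = max(peak.get(rec["client_ip"], 0), len(q))
    return peak


def calls_per_route(records) -> dict:
    """Usage summary by (method, path), the 'analysis' side of tip 4."""
    counts = defaultdict(int)
    for rec in records:
        counts[(rec["method"], rec["path"])] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("flagged clients:", flag_auth_failures(recs))
    for route, n in sorted(calls_per_route(recs).items()):
        print(f"{route[0]} {route[1]}: {n} calls")
```

Keeping the record in a fixed, machine-readable shape is what makes the monitoring step cheap: the same parser serves a quick script like this one and a proper log pipeline later.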

5) Security Test

Perform regular security testing of the API using vulnerability checking tools such as https://xpry.com.