securing your api
Post on 17-Oct-2014
11.699 views
DESCRIPTION
Providing an Application Programming Interface (or API) has become a crucial piece of the modern web application. API’s provide opportunities to build the ecosystem around your application, opening doors for collaboration and innovative mashups. However, the API opens up another entry point into your application, requiring that you somehow secure the access to it.This talk will outline some of the options you have when securing your API. I’ll give overviews and implementation tips on some of the more popular schemes such as OAuth, HTTP authentication, and generating API keys. We’ll also look at some general API best practices such as rate limiting, error handling, and secure data communication.TRANSCRIPT
![Page 2: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/2.jpg)
• API overview
• API methodologies
• Security methodologies
• Best practices
A Quick Rundown
Thursday, May 26, 2011
![Page 3: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/3.jpg)
API vs. Web Service
• API = Application Programming Interface
• Web Service = API that operates over HTTP
• In this presentation, API == Web Service
Thursday, May 26, 2011
![Page 4: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/4.jpg)
Why Create An API
• Extend your product reach
• Encourage mashups
• Expose your data programmatically
• Connect with developers
Thursday, May 26, 2011
![Page 5: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/5.jpg)
API Success Stories
• Foursquare
Thursday, May 26, 2011
![Page 6: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/6.jpg)
Popular Methodologies
• REST
• XML-RPC
• SOAP
Thursday, May 26, 2011
![Page 7: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/7.jpg)
REST Service
• Representational State Transfer
• Architecture, not a standard
• HTTP-based
Thursday, May 26, 2011
![Page 8: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/8.jpg)
• Client-Server
• Self-contained Requests (Stateless)
• Cacheable
• Named, Layered Resourceshttp://brewerydb.com/api/breweries/2324http://brewerydb.com/api/beers/435
RESTful
Thursday, May 26, 2011
![Page 9: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/9.jpg)
REST over HTTP
• GET - Read-only, for retrieving information
• POST - Creating a new resource
• PUT - Updating an existing resource
• DELETE - Deleting an existing resource
Thursday, May 26, 2011
![Page 10: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/10.jpg)
REST Security
• None built in
• Encryption over HTTPS
• Left to the implementer
• Error handling left to implementer
Thursday, May 26, 2011
![Page 11: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/11.jpg)
SOAP Service
• Simple Object Access Protocol
• XML-based
• Uses GET for read, POST for write
• W3C Specification for sending and receiving messages
Thursday, May 26, 2011
![Page 12: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/12.jpg)
SOAP Security
• Nothing provided in spec
• WS-Security
• Extension to SOAP spec
• Provided as a guide for securing SOAP services
Thursday, May 26, 2011
![Page 13: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/13.jpg)
WS-Security
• Guidelines for solving 3 problems
• Identify and authenticate a client
• Ensure integrity of the message
• Curtail eavesdropping while in transit
• Defines mechanisms as opposed to actual protocols
• http://www.oasis-open.org/committees/wss/
Thursday, May 26, 2011
![Page 14: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/14.jpg)
XML-RPC Service
• XML Remote Procedure Call
• XML-based
• Uses HTTP-POST
• Spec published by UserLand Software in ~1998
Thursday, May 26, 2011
![Page 15: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/15.jpg)
• Uses XML to specify a method and parameters
• Simple data structures, no objects
• Arrays and Structs most complex
XML-RPC
Thursday, May 26, 2011
![Page 16: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/16.jpg)
XML-RPC Security
• None in the spec
• Encryption over HTTPS
• Security left to the implementer
• Error handling - <fault> base response element
Thursday, May 26, 2011
![Page 17: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/17.jpg)
Security Mechanisms
• OAuth
• BasicAuth
• API Keys
Thursday, May 26, 2011
![Page 18: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/18.jpg)
OAuth 1.0
Think of it as a valet key for your internet accounts...
Open standard for API access delegation
RFC 5849 - The OAuth 1.0 Protocol
Published April 2010
Thursday, May 26, 2011
![Page 19: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/19.jpg)
OAuth 1.0 Players
• Service Provider (Server)- Has the information you want
• Consumer (Client) - Wants the information from the Service Provider
• User (Resource Owner) - Can grant access to the Consumer to acquire information about your account from the Service Provider
Thursday, May 26, 2011
![Page 20: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/20.jpg)
Thursday, May 26, 2011
![Page 21: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/21.jpg)
Benefits of OAuth 1.0
• Applications don’t need a user’s password
• Power in the hands of the user
• Secure handshake
• Doesn’t require SSL
• Many libraries available
Thursday, May 26, 2011
![Page 22: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/22.jpg)
OAuth 1.0 Pitfalls
• Signatures based on complex cryptography
• Server-side implementation is complex
Thursday, May 26, 2011
![Page 23: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/23.jpg)
• Consumer Registration and Management
• User pass-through, grant access
• Consumer access management by User
• Token storage and generation
• 2-legged vs. 3-legged
OAuth - Roll Your Own
Thursday, May 26, 2011
![Page 24: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/24.jpg)
• Removes signature requirement except on token acquisition
• Requires SSL
• Single security token, no signature required
• Guidelines for use with Javascript and applications with no web browser
OAuth 2.0 - Coming Soon
Thursday, May 26, 2011
![Page 25: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/25.jpg)
More Info on OAuth
• OAuth Spechttp://oauth.net/
• OAuth 2.0 Informationhttp://oauth.net/2/
• Lorna’s OAuth Blog Serieshttp://www.lornajane.net/
Thursday, May 26, 2011
![Page 26: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/26.jpg)
BasicAuth
• Passes a username and password with the request
• Defined by the HTTP specification
Thursday, May 26, 2011
![Page 27: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/27.jpg)
BasicAuth Do’s
• SSL is a must
• Username / Password is transmitted in cleartext
• Base64 encoded, but not encrypted
• Basic > Digest
• Basic assumes authentication is required
• Digest requires extra transfer for nonce
Thursday, May 26, 2011
![Page 28: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/28.jpg)
BasicAuth Pros
• Client requests are easy
• Part of nearly every HTTP request library
• Server setup is easy
• Use existing BasicAuth credentials
Thursday, May 26, 2011
![Page 29: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/29.jpg)
BasicAuth Cons
• Requires a username and password for a user
• Credentials are not, by default, encrypted
• Requires username and password to be embedded in client code
Thursday, May 26, 2011
![Page 30: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/30.jpg)
Access Keys
• Not based on any standard
• Implementation requirements are up to the service provider
• Keys -> signatures
Thursday, May 26, 2011
![Page 31: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/31.jpg)
Access Key Basics
• Part of URLhttp://pintlabs.com/api?key=23sdbk32
• Sign request with key instead of passing it in URL
• Use params + shared secret as signature
Thursday, May 26, 2011
![Page 32: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/32.jpg)
Signed Request Workflow
?key=val
vje48hvn4
sign ?key=val&signature=23kcwej323Client
?key=val vje48hvn4sign
?key=val&signature=23kcwej323
23kcwej323 23kcwej323==
Server
Thursday, May 26, 2011
![Page 33: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/33.jpg)
Access Keys Pros
• Easy to generate keys and distribute them
• Typically removes the need to transfer username and password in raw form
• Signed requests prevents altering parameters
Thursday, May 26, 2011
![Page 34: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/34.jpg)
Access Keys Cons
• Unsigned
• Must embed them in code
• SSL is not required, so will (by default) transfer in plaintext
• Signed
• Encryption is scary....ish
Thursday, May 26, 2011
![Page 35: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/35.jpg)
• Use signed requests over unsigned
• One key per application per developer
• Require username in headers
Best Practices for Keys
Thursday, May 26, 2011
![Page 36: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/36.jpg)
• Rate Limiting
• Access Control
• Error Handling
• SSL Layer
• API Domain“Stupid is as Stupid Does” - Gump
General Best Practices
Thursday, May 26, 2011
![Page 37: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/37.jpg)
Rate-Limiting
• Keeps API access in check
• Authenticated and Unauthenticated calls should be subject to rate limiting
• Best practice
• Have a standard, application wide rate limit
• Allow that limit to be overridden on a per user, per application basis
Thursday, May 26, 2011
![Page 38: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/38.jpg)
• Authenticated
• Have a standard, application wide rate limit
• Allow that limit to be overridden on a per user, per application basis
• Unauthenticated
• Based on domain or IP address
• Allow limit to be overridden as well
Rate-Limiting Best Practices
Thursday, May 26, 2011
![Page 39: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/39.jpg)
Access Control
• Treat API endpoints just as service endpoints in your application
• Have a standard API access site wide
• Allow override on a per-user, per-application basis.
• Allows you to roll out features to a select group or user
Thursday, May 26, 2011
![Page 40: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/40.jpg)
Error Handling
• Set appropriate HTTP headers
• Provide viable, valid error messages
• Log errors for the API too
• Have a standard error response object for all methods, including authentication
Thursday, May 26, 2011
![Page 41: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/41.jpg)
SSL Layer
• Encrypts all traffic to and from your API
• Can cause performance hit
• ~10-15% in trials
• Depending on protocol, should be a requirement
Thursday, May 26, 2011
![Page 42: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/42.jpg)
API Domain
• Use sub-domain
• Can move to separate webserver
• Handle traffic requirements
Thursday, May 26, 2011
![Page 43: Securing Your API](https://reader034.vdocuments.mx/reader034/viewer/2022051512/5441a83bb1af9ff74b8b47c3/html5/thumbnails/43.jpg)
Questions?Jason Austin - @jason_austin - [email protected]
http://joind.in/3427
Thursday, May 26, 2011