API Security in Action
- Length: 576 pages
- Edition: 1
- Language: English
- Publisher: Manning Publications
- Publication Date: 2020-12-08
- ISBN-10: 1617296023
- ISBN-13: 9781617296024
- Sales Rank: #1769654
Summary
A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.
Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.
About the technology
APIs control data sharing in every service, server, data store, and web client. Modern data-centric designs—including microservices and cloud-native applications—demand a comprehensive, multi-layered approach to security for both private and public-facing APIs.
About the book
API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you’re done, you’ll be able to create APIs that stand up to complex threat models and hostile environments.
What’s inside
Authentication
Authorization
Audit logging
Rate limiting
Encryption
About the reader
For developers with experience building RESTful APIs. Examples are in Java.
About the author
Neil Madden has in-depth knowledge of applied cryptography, application security, and current API security technologies. He holds a Ph.D. in Computer Science.
Table of contents
- Copyright
- contents
- front matter
  - preface
  - acknowledgments
  - about this book
    - Who should read this book
    - How this book is organized: A roadmap
    - About the code
    - liveBook discussion forum
    - Other online resources
  - about the author
  - about the cover illustration
- Part 1. Foundations
  - 1 What is API security?
    - 1.1 An analogy: Taking your driving test
    - 1.2 What is an API?
      - 1.2.1 API styles
    - 1.3 API security in context
      - 1.3.1 A typical API deployment
    - 1.4 Elements of API security
      - 1.4.1 Assets
      - 1.4.2 Security goals
      - 1.4.3 Environments and threat models
    - 1.5 Security mechanisms
      - 1.5.1 Encryption
      - 1.5.2 Identification and authentication
      - 1.5.3 Access control and authorization
      - 1.5.4 Audit logging
      - 1.5.5 Rate-limiting
    - Answers to pop quiz questions
    - Summary
  - 2 Secure API development
    - 2.1 The Natter API
      - 2.1.1 Overview of the Natter API
      - 2.1.2 Implementation overview
      - 2.1.3 Setting up the project
      - 2.1.4 Initializing the database
    - 2.2 Developing the REST API
      - 2.2.1 Creating a new space
    - 2.3 Wiring up the REST endpoints
      - 2.3.1 Trying it out
    - 2.4 Injection attacks
      - 2.4.1 Preventing injection attacks
      - 2.4.2 Mitigating SQL injection with permissions
    - 2.5 Input validation
    - 2.6 Producing safe output
      - 2.6.1 Exploiting XSS Attacks
      - 2.6.2 Preventing XSS
      - 2.6.3 Implementing the protections
    - Answers to pop quiz questions
    - Summary
  - 3 Securing the Natter API
    - 3.1 Addressing threats with security controls
    - 3.2 Rate-limiting for availability
      - 3.2.1 Rate-limiting with Guava
    - 3.3 Authentication to prevent spoofing
      - 3.3.1 HTTP Basic authentication
      - 3.3.2 Secure password storage with Scrypt
      - 3.3.3 Creating the password database
      - 3.3.4 Registering users in the Natter API
      - 3.3.5 Authenticating users
    - 3.4 Using encryption to keep data private
      - 3.4.1 Enabling HTTPS
      - 3.4.2 Strict transport security
    - 3.5 Audit logging for accountability
    - 3.6 Access control
      - 3.6.1 Enforcing authentication
      - 3.6.2 Access control lists
      - 3.6.3 Enforcing access control in Natter
      - 3.6.4 Adding new members to a Natter space
      - 3.6.5 Avoiding privilege escalation attacks
    - Answers to pop quiz questions
    - Summary
- Part 2. Token-based authentication
  - 4 Session cookie authentication
    - 4.1 Authentication in web browsers
      - 4.1.1 Calling the Natter API from JavaScript
      - 4.1.2 Intercepting form submission
      - 4.1.3 Serving the HTML from the same origin
      - 4.1.4 Drawbacks of HTTP authentication
    - 4.2 Token-based authentication
      - 4.2.1 A token store abstraction
      - 4.2.2 Implementing token-based login
    - 4.3 Session cookies
      - 4.3.1 Avoiding session fixation attacks
      - 4.3.2 Cookie security attributes
      - 4.3.3 Validating session cookies
    - 4.4 Preventing Cross-Site Request Forgery attacks
      - 4.4.1 SameSite cookies
      - 4.4.2 Hash-based double-submit cookies
      - 4.4.3 Double-submit cookies for the Natter API
    - 4.5 Building the Natter login UI
      - 4.5.1 Calling the login API from JavaScript
    - 4.6 Implementing logout
    - Answers to pop quiz questions
    - Summary
  - 5 Modern token-based authentication
    - 5.1 Allowing cross-domain requests with CORS
      - 5.1.1 Preflight requests
      - 5.1.2 CORS headers
      - 5.1.3 Adding CORS headers to the Natter API
    - 5.2 Tokens without cookies
      - 5.2.1 Storing token state in a database
      - 5.2.2 The Bearer authentication scheme
      - 5.2.3 Deleting expired tokens
      - 5.2.4 Storing tokens in Web Storage
      - 5.2.5 Updating the CORS filter
      - 5.2.6 XSS attacks on Web Storage
    - 5.3 Hardening database token storage
      - 5.3.1 Hashing database tokens
      - 5.3.2 Authenticating tokens with HMAC
      - 5.3.3 Protecting sensitive attributes
    - Answers to pop quiz questions
    - Summary
  - 6 Self-contained tokens and JWTs
    - 6.1 Storing token state on the client
      - 6.1.1 Protecting JSON tokens with HMAC
    - 6.2 JSON Web Tokens
      - 6.2.1 The standard JWT claims
      - 6.2.2 The JOSE header
      - 6.2.3 Generating standard JWTs
      - 6.2.4 Validating a signed JWT
    - 6.3 Encrypting sensitive attributes
      - 6.3.1 Authenticated encryption
      - 6.3.2 Authenticated encryption with NaCl
      - 6.3.3 Encrypted JWTs
      - 6.3.4 Using a JWT library
    - 6.4 Using types for secure API design
    - 6.5 Handling token revocation
      - 6.5.1 Implementing hybrid tokens
    - Answers to pop quiz questions
    - Summary
- Part 3. Authorization
  - 7 OAuth2 and OpenID Connect
    - 7.1 Scoped tokens
      - 7.1.1 Adding scoped tokens to Natter
      - 7.1.2 The difference between scopes and permissions
    - 7.2 Introducing OAuth2
      - 7.2.1 Types of clients
      - 7.2.2 Authorization grants
      - 7.2.3 Discovering OAuth2 endpoints
    - 7.3 The Authorization Code grant
      - 7.3.1 Redirect URIs for different types of clients
      - 7.3.2 Hardening code exchange with PKCE
      - 7.3.3 Refresh tokens
    - 7.4 Validating an access token
      - 7.4.1 Token introspection
      - 7.4.2 Securing the HTTPS client configuration
      - 7.4.3 Token revocation
      - 7.4.4 JWT access tokens
      - 7.4.5 Encrypted JWT access tokens
      - 7.4.6 Letting the AS decrypt the tokens
    - 7.5 Single sign-on
    - 7.6 OpenID Connect
      - 7.6.1 ID tokens
      - 7.6.2 Hardening OIDC
      - 7.6.3 Passing an ID token to an API
    - Answers to pop quiz questions
    - Summary
  - 8 Identity-based access control
    - 8.1 Users and groups
      - 8.1.1 LDAP groups
    - 8.2 Role-based access control
      - 8.2.1 Mapping roles to permissions
      - 8.2.2 Static roles
      - 8.2.3 Determining user roles
      - 8.2.4 Dynamic roles
    - 8.3 Attribute-based access control
      - 8.3.1 Combining decisions
      - 8.3.2 Implementing ABAC decisions
      - 8.3.3 Policy agents and API gateways
      - 8.3.4 Distributed policy enforcement and XACML
      - 8.3.5 Best practices for ABAC
    - Answers to pop quiz questions
    - Summary
  - 9 Capability-based security and macaroons
    - 9.1 Capability-based security
    - 9.2 Capabilities and REST
      - 9.2.1 Capabilities as URIs
      - 9.2.2 Using capability URIs in the Natter API
      - 9.2.3 HATEOAS
      - 9.2.4 Capability URIs for browser-based clients
      - 9.2.5 Combining capabilities with identity
      - 9.2.6 Hardening capability URIs
    - 9.3 Macaroons: Tokens with caveats
      - 9.3.1 Contextual caveats
      - 9.3.2 A macaroon token store
      - 9.3.3 First-party caveats
      - 9.3.4 Third-party caveats
    - Answers to pop quiz questions
    - Summary
- Part 4. Microservice APIs in Kubernetes
  - 10 Microservice APIs in Kubernetes
    - 10.1 Microservice APIs on Kubernetes
    - 10.2 Deploying Natter on Kubernetes
      - 10.2.1 Building H2 database as a Docker container
      - 10.2.2 Deploying the database to Kubernetes
      - 10.2.3 Building the Natter API as a Docker container
      - 10.2.4 The link-preview microservice
      - 10.2.5 Deploying the new microservice
      - 10.2.6 Calling the link-preview microservice
      - 10.2.7 Preventing SSRF attacks
      - 10.2.8 DNS rebinding attacks
    - 10.3 Securing microservice communications
      - 10.3.1 Securing communications with TLS
      - 10.3.2 Using a service mesh for TLS
      - 10.3.3 Locking down network connections
    - 10.4 Securing incoming requests
    - Answers to pop quiz questions
    - Summary
  - 11 Securing service-to-service APIs
    - 11.1 API keys and JWT bearer authentication
    - 11.2 The OAuth2 client credentials grant
      - 11.2.1 Service accounts
    - 11.3 The JWT bearer grant for OAuth2
      - 11.3.1 Client authentication
      - 11.3.2 Generating the JWT
      - 11.3.3 Service account authentication
    - 11.4 Mutual TLS authentication
      - 11.4.1 How TLS certificate authentication works
      - 11.4.2 Client certificate authentication
      - 11.4.3 Verifying client identity
      - 11.4.4 Using a service mesh
      - 11.4.5 Mutual TLS with OAuth2
      - 11.4.6 Certificate-bound access tokens
    - 11.5 Managing service credentials
      - 11.5.1 Kubernetes secrets
      - 11.5.2 Key and secret management services
      - 11.5.3 Avoiding long-lived secrets on disk
      - 11.5.4 Key derivation
    - 11.6 Service API calls in response to user requests
      - 11.6.1 The phantom token pattern
      - 11.6.2 OAuth2 token exchange
    - Answers to pop quiz questions
    - Summary
- Part 5. APIs for the Internet of Things
  - 12 Securing IoT communications
    - 12.1 Transport layer security
      - 12.1.1 Datagram TLS
      - 12.1.2 Cipher suites for constrained devices
    - 12.2 Pre-shared keys
      - 12.2.1 Implementing a PSK server
      - 12.2.2 The PSK client
      - 12.2.3 Supporting raw PSK cipher suites
      - 12.2.4 PSK with forward secrecy
    - 12.3 End-to-end security
      - 12.3.1 COSE
      - 12.3.2 Alternatives to COSE
      - 12.3.3 Misuse-resistant authenticated encryption
    - 12.4 Key distribution and management
      - 12.4.1 One-off key provisioning
      - 12.4.2 Key distribution servers
      - 12.4.3 Ratcheting for forward secrecy
      - 12.4.4 Post-compromise security
    - Answers to pop quiz questions
    - Summary
  - 13 Securing IoT APIs
    - 13.1 Authenticating devices
      - 13.1.1 Identifying devices
      - 13.1.2 Device certificates
      - 13.1.3 Authenticating at the transport layer
    - 13.2 End-to-end authentication
      - 13.2.1 OSCORE
      - 13.2.2 Avoiding replay in REST APIs
    - 13.3 OAuth2 for constrained environments
      - 13.3.1 The device authorization grant
      - 13.3.2 ACE-OAuth
    - 13.4 Offline access control
      - 13.4.1 Offline user authentication
      - 13.4.2 Offline authorization
    - Answers to pop quiz questions
    - Summary
- appendix A. Setting up Java and Maven
  - A.1 Java and Maven
    - A.1.1 macOS
    - A.1.2 Windows
    - A.1.3 Linux
  - A.2 Installing Docker
  - A.3 Installing an Authorization Server
    - A.3.1 Installing ForgeRock Access Management
  - A.4 Installing an LDAP directory server
    - A.4.1 ForgeRock Directory Services
- appendix B. Setting up Kubernetes
  - B.1 MacOS
    - B.1.1 VirtualBox
    - B.1.2 Minikube
  - B.2 Linux
    - B.2.1 VirtualBox
    - B.2.2 Minikube
  - B.3 Windows
    - B.3.1 VirtualBox
    - B.3.2 Minikube
- index
How to download the source code?
1. Go to: https://www.manning.com
2. Search for the book title: API Security in Action (if the search returns no results, search for the main title only)
3. Click the book title in the search results
4. In the resources section, click Source Code.
To download from this site:
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click the download link.
4. You will be taken to the download server to download the file.