You can’t protect what you can’t see
A few ways to secure APIs:
- Establish visibility: the business should know what each API exposes, how, and to whom. An API management layer should provide monitoring and analytics so threats can be detected in real time.
- Authenticate both end users and client applications. OAuth 2.0 is the de facto standard for delegated authorization; OpenID Connect layers end-user authentication on top of it.
- Validate all input against the expected parameters (types, ranges, allow-lists). This blocks the malformed requests behind SQL injection, cross-site scripting and other common attacks, and complements, rather than replaces, parameterized queries and output encoding. Rejected requests also act as an early-warning system: a client that keeps sending malformed input is probably probing the API for vulnerabilities.
- Scaling out your infrastructure is the primary defense against a DDoS attack; rate limits inside the API are secondary, but they flag abusive clients and absorb minor traffic spikes.
- As a defense against bad bots, put the onus on the client to prove it is a human, with reCAPTCHA for example. This only suits browser-driven endpoints; machine-to-machine clients should be identified by their credentials instead.
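The validation, early-warning and rate-limiting points above, combined in one small API front door. This is an added example, not code from the original post; the endpoint, schema fields, limits and the probing threshold are assumptions, and the user table is constructed sample data so it runs offline. Values are validated and then bound as SQL parameters; the sort column, which cannot be bound, is allow-listed before it is interpolated.

```python
"""Added example, not code from the original post: an API front door that
validates input against an allow-list schema, counts validation failures per
client as an early-warning signal, and applies a per-client token-bucket rate
limit.  Endpoint, schema, limits and thresholds are all assumptions."""
from __future__ import annotations

import re
import sqlite3
import time

# Assumed schema for a hypothetical GET /v1/users endpoint.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
ALLOWED_PARAMS = {"email", "limit", "sort"}
ALLOWED_SORT = {"name", "created_at"}   # identifiers cannot be bound, so allow-list them
PROBE_THRESHOLD = 5                     # assumed: failures before a client is flagged


def validate_params(params: dict) -> list:
    """Return validation errors for raw query parameters; an empty list means OK."""
    errors = []
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        errors.append(f"unknown parameters: {sorted(unknown)}")
    email = params.get("email")
    if email is not None and (len(email) > 254 or not EMAIL_RE.match(email)):
        errors.append("email: malformed")
    limit = params.get("limit", "20")
    if not (isinstance(limit, str) and limit.isdigit() and 1 <= int(limit) <= 100):
        errors.append("limit: must be an integer in 1..100")
    if params.get("sort", "name") not in ALLOWED_SORT:
        errors.append("sort: not in allow-list")
    return errors


class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float, now: float):
        self.capacity, self.rate, self.tokens, self.last = capacity, rate, float(capacity), now

    def take(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def _make_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, created_at INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", 1),
        ("bob", "bob@example.com", 2),
        ("carol", "carol@example.com", 3),
    ])
    return db


class ApiGateway:
    def __init__(self, capacity: int = 10, rate: float = 1.0, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.buckets: dict = {}
        self.failures: dict = {}
        self.alerts: list = []          # what a monitoring layer would receive
        self.db = _make_db()

    def handle(self, client_id: str, params: dict) -> tuple:
        """Return (status, body) for one request from an already authenticated client."""
        now = self.clock()
        bucket = self.buckets.setdefault(client_id, TokenBucket(self.capacity, self.rate, now))
        # Rate limit first: malformed requests still burn budget, so probing is throttled too.
        if not bucket.take(now):
            return 429, {"error": "rate limit exceeded"}
        errors = validate_params(params)
        if errors:
            n = self.failures[client_id] = self.failures.get(client_id, 0) + 1
            if n == PROBE_THRESHOLD:
                self.alerts.append(f"{client_id}: {n} malformed requests, possible probing")
            return 400, {"errors": errors}
        # Validation is defence in depth; values are still bound as parameters.
        # Only the allow-listed sort column is interpolated, since identifiers cannot be bound.
        email, limit = params.get("email"), int(params.get("limit", "20"))
        sql = ("SELECT name FROM users WHERE (? IS NULL OR email = ?) "
               f"ORDER BY {params.get('sort', 'name')} LIMIT ?")
        rows = self.db.execute(sql, (email, email, limit)).fetchall()
        return 200, {"users": [r[0] for r in rows]}


if __name__ == "__main__":
    gw = ApiGateway()
    print(gw.handle("demo", {"email": "bob@example.com"}))
    for _ in range(PROBE_THRESHOLD):
        print(gw.handle("demo", {"sort": "id; DROP TABLE users"}))
    print(gw.alerts)
```

Rate limiting runs before validation so a client scanning for injection points burns its own budget, and the failure counter gives the monitoring layer a concrete signal to alert on instead of raw 4xx volume.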
Full post here, 10 mins read