Use standard authentication mechanisms like JWT instead of rolling your own. Implement access control using OAuth and validate authorization for all API requests and endpoints. Validate, sanitize, and encrypt user input and sensitive data. Monitor APIs, services, and infrastructure using logging, monitoring, and alerting tools to detect issues and security vulnerabilities.
Use standard authentication mechanisms like JWT instead of rolling your own. Implement access control using OAuth and validate authorization for all API requests and endpoints. Validate, sanitize, and encrypt user input and sensitive data. Monitor APIs, services, and infrastructure using logging, monitoring, and alerting tools to detect issues and security vulnerabilities.
Use standard authentication mechanisms like JWT instead of rolling your own. Implement access control using OAuth and validate authorization for all API requests and endpoints. Validate, sanitize, and encrypt user input and sensitive data. Monitor APIs, services, and infrastructure using logging, monitoring, and alerting tools to detect issues and security vulnerabilities.
Use standard authentication mechanisms like JWT instead of rolling your own. Implement access control using OAuth and validate authorization for all API requests and endpoints. Validate, sanitize, and encrypt user input and sensitive data. Monitor APIs, services, and infrastructure using logging, monitoring, and alerting tools to detect issues and security vulnerabilities.
Avoid ‘Basic Authentication’, use standard (e.g. JWT) Use good `JWT Secret` to make brute force attacks di!cult
Do not reinvent the wheel in authentication mechanisms. Do not extract the algorithm from the header, use backend
Use `Max Retry’ and jail features in Login. Make token expiration (TTL, RTTL) as short as possible
Use encryption on all sensitive data. Avoid storing sensitive data in JWT payload
Keep the payload small to reduce the size of the JWT token
Access Control OAuth
Always validate `redirect_uri’ on server-side
Limit requests (throttling) to avoid DDoS / Brute Force Avoid `response_type=token’ and try to exchange for code Use HTTPS on server side and secure ciphers Use `state’ parameter to prevent CSRF attacks Use HSTS header with SSL to avoid SSL Strip attacks. Have default scope, and validate scope for each application Turn o" directory listings
Private APIs to be only accessible from safe listed IPs
Processing
Input Check if all the endpoints are protected behind authentication
to avoid broken authentication process User proper HTTP methods for the operation Avoid user’s personal ID in the resource URLs e.g. users/242/orders
Validate `content-type` on request header Prefer using UUID over auto-increment IDs Validate user input to avoid common vulnerabilities Disable entity parsing if you are parsing XML to avoid XXE attacks Use standard Authorization header for sensitive data Disable entity expansion if using XML, YML or any other language Use only server-side encryption Use CDN for file uploads Use an API Gateway for caching, Rate Limit policies etc Avoid HTTP blocking if you are using huge amount of data
Audit your design and implementation with unit/integration tests. Remove fingerprinting headers (i.e. x-powered-by etc) Use a code review process and disregard self-approval. Force `content-type` for your response. Continuously run security analysis on your code. Avoid returning sensitive data (credentials, sec. tokens etc) Check your dependencies for known vulnerabilities. Return proper response codes as per the operation Design a rollback solution for deployments.
Monitoring
More Resources Use centralized logins for all services and components.
Use agents to monitor all requests, responses and errors.
Recommended Resources Use alerts for SMS, Slack, Email, Kibana, Cloudwatch, etc.
Ensure that you aren't logging any sensitive data.
Use an IDS and/or IPS system to monitor everything.
