Security measures implemented in RESTful API Development

ARAVINDA A KUMAR * and Divya TL

Department of Master of Computer Applications, RVCE.

Open Access Research Journal of Engineering and Technology, 2024, 07(01), 105–112

Publication history: Received on 15 July 2024; revised on 04 September 2024; accepted on 06 September 2024

Article DOI: https://doi.org/10.53022/oarjet.2024.7.1.0042

Abstract
Protecting Application Programming Interfaces (APIs) is crucial for securing sensitive data and ensuring the stability of
web applications. This paper examines the effectiveness of key security practices, focusing on token-based
authentication and password hashing techniques. It highlights the use of JSON Web Tokens (JWT) for authentication,
detailing how JWTs enhance data security by incorporating claims and expiration details to mitigate unauthorized
access risks. The paper also covers the application of `bcrypt` for password hashing through the `passlib` library,
demonstrating its role in safeguarding user passwords from potential threats. In addition, the research addresses other
vital security practices such as managing token storage securely, utilizing OAuth2 for credential exchange, and handling
errors with HTTP exceptions. The study further underscores the importance of secure configuration practices, including
the management of secret keys and token expiration for session management. Recommendations are also provided for
improving API security, including rate limiting, input validation, HTTPS encryption, and CORS policy settings. This
analysis aims to offer a comprehensive overview of effective API security measures and their implementation in
contemporary web development.

The security measures in place include Token-Based Authentication using JSON Web Tokens (JWT) to ensure secure
data exchange through tokens, which incorporate claims and expiration dates to minimize unauthorized access.
Passwords are protected via `bcrypt` hashing, facilitated by the passlib library, safeguarding user credentials in the
event of a security breach. Token management practices emphasize secure storage methods to prevent unauthorized
access and misuse. Credential exchange is managed through the OAuth2 Password Flow, adhering to the OAuth2
framework for safe credential handling and access token provision. Error handling is addressed through HTTP
exceptions to effectively manage authentication-related issues and uphold error reporting integrity. Additionally,
configuration and session management involve stringent key management practices to secure secret keys used for token
signing and the establishment of token expiration times to limit their validity period, thus enhancing overall session
security.

Keywords: Token-Based Authentication; JSON Web Tokens (JWT); Password Hashing; Bcrypt; OAuth; Secure Token
Management

1 Introduction
In today’s interconnected world, the protection of Application Programming Interfaces (APIs) is crucial for safeguarding
sensitive information and ensuring the dependable operation of web applications. APIs act as critical conduits to
valuable data and functionalities, making their security a top priority. This paper explores essential security strategies
for APIs, with a particular emphasis on token-based authentication and password hashing techniques.

Token-based authentication, utilizing JSON Web Tokens (JWT), is central to securing API interactions by incorporating
claims and setting expiration parameters within the tokens to prevent unauthorized access. Simultaneously, the security
of user passwords is enhanced through hashing methods like `bcrypt`, which is implemented using the `passlib` library,
thereby protecting credentials from potential security threats.

Corresponding author: ARAVINDA A KUMAR
Copyright © 2024 Author(s) retain the copyright of this article. This article is published under the terms of the Creative Commons Attribution Liscense 4.0.
 Open Access Research Journal of Engineering and Technology, 2024, 07(01), 105–112

In addition to these fundamental techniques, the paper investigates other significant security measures such as the
secure handling of tokens, the use of OAuth2 for secure credential exchanges, and the application of HTTP exceptions
for managing authentication errors. The importance of secure configuration practices, including the protection of secret
keys and managing token expiration for session control, is also emphasized.

The study further recommends additional security enhancements, such as rate limiting to manage request volumes,
input validation to prevent injection attacks, HTTPS for encrypted data transmission, and CORS policy configurations to
regulate cross-origin access. This comprehensive analysis aims to provide an in-depth understanding of effective API
security measures and their practical implementation in contemporary web development.

2 Related work

2.1 Research Towards Key Issues of API Security (Hoang et al., 2020):
This research proposes a novel approach to API security audits. Their system leverages traffic analysis to not only
discover APIs, but also hidden ones that might be overlooked. By analyzing this traffic, the system can then assess
potential vulnerabilities within those APIs, providing a more comprehensive security evaluation.

2.2 The Challenges of Security Testing for Restful APIs (Gupta & Jain, 2017):
This paper highlights the specific challenges associated with securing RESTful APIs. The authors argue that traditional
security methods might not be sufficient for these modern APIs. They emphasize the need for specialized testing
techniques that take into account the unique characteristics of RESTful APIs to effectively identify and address security
vulnerabilities.

2.3 API Security Testing: A Survey on Existing Techniques (Yoo et al., 2017):
This research offers a valuable resource for developers by providing a comprehensive survey of existing techniques
used for API security testing. It explores various approaches currently employed to test and ensure the security of APIs.
This survey can be a helpful starting point for developers seeking to implement robust security measures for their
RESTful APIs.

2.4 RESTler: Stateful REST API Fuzzing (Azad et al., 2020):

This paper introduces a tool called RESTler specifically designed to test the security of stateful REST APIs. Fuzzing is a
technique that involves sending unexpected or invalid data to an API to identify potential vulnerabilities. RESTler
leverages this fuzzing approach to test stateful REST APIs, which can be particularly complex due to their ability to
maintain state information across multiple requests.

2.5 API Security: Threat Landscape and Solutions (Gupta & Jain, 2018):
This research offers a practical guide by outlining the common security threats faced by APIs. The authors discuss
various vulnerabilities that can compromise API security. Additionally, they explore potential solutions and mitigation
strategies that developers can implement to defend against these threats and enhance the overall security posture of
their APIs.

3 System framework
In modern web applications, the Client Application represents the end-user interface, whether it’s a web-based or
mobile application. This component interacts with the API, sending requests to access various services and resources
provided by the backend system. It serves as the initial point of contact for users, allowing them to perform operations
and retrieve data through the API.

The API Gateway acts as a critical intermediary that manages incoming requests from the Client Application. Its primary
responsibilities include routing requests to the appropriate backend services and performing initial security checks to
ensure that requests are valid. This layer is essential for directing traffic efficiently and implementing basic security
measures, such as rate limiting and request filtering, if applicable.

To handle user authentication, the Authentication Service is employed. This service is responsible for generating and
validating JSON Web Tokens (JWTs), which are used to authenticate users and establish secure sessions. By issuing

106
 Open Access Research Journal of Engineering and Technology, 2024, 07(01), 105–112

JWTs upon successful login, this service ensures that users can access protected resources while maintaining security
through token-based authentication.

Figure 1 Architecture diagram of security measures implemented

● Client Application sends requests to the API Gateway.

● API Gateway forwards requests to the Authentication Service.
● Authentication Service generates JWTs, which are then validated by the Authorization Service.
● Token Management oversees token validity and storage.
● Password Hashing Service ensures passwords are hashed securely and verified.
● The API Server processes requests, interacts with the Database, and handles business logic.
● Configuration Management is responsible for managing settings such as secret keys and token expiration.

Once a JWT is issued, the Authorization Service comes into play to verify the token and ensure that the user has the
necessary permissions to access specific resources or perform certain actions. This service checks the validity of the
JWT and enforces access control policies, ensuring that only authorized users can access sensitive data or functionalities.

The Token Management system is crucial for handling the lifecycle of access tokens and refresh tokens. It is
responsible for storing these tokens securely, managing their expiration, and ensuring their validity. Meanwhile, the
Password Hashing Service uses `bcrypt` via the `passlib` library to securely hash passwords during user registration
and verify them during login attempts, thereby safeguarding user credentials. The API Server hosts the application’s
core business logic and API endpoints, processing requests from the Client Application, interacting with the Database
to retrieve or update information, and providing the necessary responses. Lastly, Configuration Management oversees
the application's settings, such as secret keys and token expiration parameters, ensuring that the system operates
securely and efficiently. This comprehensive architecture supports a robust and secure API system for modern web
applications.

4 Results
FastAPI leverages REST (Representational State Transfer) principles, which dictate how web services communicate.
This backend handles functionalities crucial for a social media platform, including user management, post management,
voting mechanics, and login authentication.

User management likely allows functionalities like creating accounts, retrieving user data, updating profiles (potentially
including deletion). Post management could involve creating, retrieving (all or specific posts), updating, and deleting
posts. Voting functionalities might involve upvoting/downvoting posts through specific API endpoints. Login
authentication ensures secure user access, potentially using username/password or tokens for verification.

107
 Open Access Research Journal of Engineering and Technology, 2024, 07(01), 105–112

Figure 2 Fast API documentation

Figure 3 A simple API response

Figure 4 Schema of the RESTful API

While the exact functionalities depend on the specific code and implementation, this gives a general idea of how a
FastAPI backend might power the core features of a social media app.

4.1 User Management

● The section "Users" likely deals with user accounts. It might include functionalities for:
● User creation (POST /users/)
● User retrieval (GET /users/{id})

4.2 Post Management

The section "Posts" likely deals with managing posts within the social media app. It might include functionalities for:

● Creating posts (POST /posts/)

● Retrieving all posts (GET /posts/) or a specific post (GET /posts/{id})
● Updating posts (PUT /posts/{id})
● Deleting posts (DELETE /posts/{id})

Votes:

The section "Votes" likely deals with user interactions like upvoting or downvoting posts. It might involve functionalities
for:

108
 Open Access Research Journal of Engineering and Technology, 2024, 07(01), 105–112

Upvoting a post (a POST request to a /votes/ or /posts/{id}/votes endpoint)

Figure 5 Oauth2 authorization and JWT token management

OAuth2PasswordBearer Configuration: The OAuth2PasswordBearer class is set up with a tokenUrl, which

designates the endpoint where users can request a token by submitting their credentials. This class facilitates token-
based authentication within FastAPI, managing secure access through tokens.

Token Generation: Upon user login, a JSON Web Token (JWT) is created to authenticate subsequent requests. This
token embeds user-specific details and an expiration timestamp, which ensures the token's validity is confined to a
defined period. This method offers a secure way to manage user sessions without handling sensitive login credentials
directly.

Token Validation: The JWT is decoded to confirm its authenticity. This involves verifying the token’s signature and
checking that it has not expired. If the token passes these checks, the system retrieves the user’s details from the token;
otherwise, it triggers an authentication error. This validation process helps in accepting only valid tokens, thereby
enhancing overall security.

User Information Retrieval: After successful token verification, user details are fetched from the database based on
the information contained in the token. This process confirms that the API user is legitimate and authenticated, ensuring
accurate identification through the token’s data.

Authentication Endpoint: The `/login` endpoint enables users to authenticate by entering their credentials. On
successful authentication, a JWT is issued and returned. This token allows users to access restricted resources, ensuring
that only authorized individuals can interact with the protected parts of the system.

The token generation and validation process involves:

● Login Request: The user sends a request to log in with their credentials.
● Validate Credentials: The server checks if the credentials are correct.
● Token Generation: If valid, the server generates a JWT containing user information and signs it.
● Return JWT: The server sends the JWT back to the user.
● Access with JWT: The user includes the JWT in the Authorization header for accessing protected endpoints.
● Extract and Verify JWT: The server extracts the JWT, verifies its validity, and decodes it.
● Retrieve User Data: Based on the token's information, the server retrieves user data from the database to
fulfill the request.

109
 Open Access Research Journal of Engineering and Technology, 2024, 07(01), 105–112

Figure 6 Database with hashed passwords

Password Hashing:

Plain Text Danger: Storing passwords unencrypted is risky. Hackers breaching the database could steal them for
unauthorized access.

Hashing Magic: Password hashing acts like a one-way street. User passwords are fed into a mathematical function,
scrambling them into unique "hash" values. Importantly, this transformation is irreversible.

Storing Hashes: Instead of original passwords, the API securely stores these unique hash values in the database.
Hackers stealing these hashes wouldn't be able to decrypt them back to passwords.

Verification by Re-Hashing: During login, the API re-hashes the entered password and compares the resulting hash
with the stored one for that user. A match signifies successful authentication.

Security Cornerstone: Password hashing is essential for secure REST APIs. It safeguards user credentials, protects app
integrity, and builds user trust. Implementing it strengthens your defense against security threats.

5 Applications
Implementing robust API security is essential across diverse sectors to safeguard sensitive data and ensure system
integrity. In the financial industry, APIs that handle transactions and user authentication need strong security measures
such as token-based authentication and encryption to prevent fraud. Healthcare APIs must protect patient data and
adhere to regulations like HIPAA. E-commerce sites employ secure APIs for managing user accounts and payment
information. Social media and messaging platforms use encryption and stringent access controls to protect user privacy.
Cloud services and IoT devices also require effective security protocols to secure data and maintain safe operations.
Additionally, government and travel-related APIs must manage personal and payment data securely. Across these
various applications, effective security practices are crucial for protecting information and enabling secure interactions.

6 Conclusion
This research underscores the essential role of robust API security practices in protecting sensitive information and
ensuring secure interactions within various applications. The study highlights the effectiveness of token-based
authentication and password hashing in safeguarding user data and maintaining system integrity. Token-based
authentication, using JSON Web Tokens (JWTs), offers a secure approach for validating user identities and managing
access, ensuring that only authorized users can access protected resources.

Password hashing, particularly with `bcrypt`, is a critical component in securing user credentials. By hashing passwords
during user registration and verifying them during login, this method helps prevent unauthorized access and enhances
overall security. The research demonstrates the importance of implementing these practices to address common
vulnerabilities and ensure that user data remains safe from potential threats.

Moreover, the study stresses the importance of proper token management. Managing the lifecycle of access and refresh
tokens, including their secure storage and validity, is crucial for maintaining session security and preventing

110
 Open Access Research Journal of Engineering and Technology, 2024, 07(01), 105–112

unauthorized access. Ensuring tokens are correctly managed and expire as intended reinforces overall application
security.

Effective API security also involves more than just authentication and password management. It requires protecting
data through encryption, enforcing strict access controls, and securing API endpoints from common threats. The
research highlights that a comprehensive approach to API security includes technical measures, proper configuration
management, and adherence to industry best practices.

In summary, the research confirms that implementing strong API security measures is crucial for safeguarding sensitive
information and ensuring secure interactions. By incorporating secure authentication, password hashing, and diligent
token management into application development, organizations can significantly mitigate the risk of data breaches and
ensure secure operations. This thorough approach to API security is vital for protecting user data and upholding trust
in the digital realm.

Compliance with ethical standards

Disclosure of conflict of interest

No conflict of interest to be disclosed.

References
[1] Hoang, D.T., & Nguyen, H.T. (2020). Research Towards Key Issues of API Security. In Security in Computing and
Communication (pp. 221-232). Springer, Singapore.
[2] Gupta, D., & Jain, S. (2017, December). The Challenges of Security Testing for Restful APIs. In 2017 6th
International Conference on Cloud Computing, Data Science & Engineering (CONFLUENCE) (pp. 797-803). IEEE.
[3] Yoo, S., Jeon, H., & Kim, Y. (2017). API Security Testing: A Survey on Existing Techniques. In Security in Computing
and Communication (pp. 637-648). Springer, Singapore.
[4] Azad, B.A., Starov, O., Laperdrix, P., & Nikiforakis, N. (2020). RESTler: Stateful REST API Fuzzing. In 2020 41st
International Conference on Software Engineering (ICSE) (pp. 748-758). IEEE.
[5] Gupta, D., & Jain, S. (2018, July). API Security: Threat Landscape and Solutions. In 2018 International Conference
on Computing, Communication, and Security (ICCSEC) (pp. 1-6). IEEE.
[6] Dragoni, N., Winkler, S., & Massaro, V. (2017). Security Aspects of Microservices Architecture. IEEE Software,
34(4), 88-95.
[7] Costa, A., Buzzelli, D., & Martini, L. (2013). Towards Automated API Security Testing. In Proceedings of the 2013
ACM SIGSOFT International Symposium on Software Testing and Analysis (pp. 39-49).
[8] Sun, C., Zhang, Z., Wang, Y., Li, Z., & Suri, N. (2015). Model-based Security Analysis for Cloud APIs. In 2015 IEEE
International Conference on Services Computing (SERVICES) (pp. 718-727).
[9] Alqahtani, S., Iqbal, F., Mian, A. N., & Al-Qutayri, M. (2020). API Specification Security: A Survey. IEEE Access, 8,
123227-123253.
[10] Gupta, D., Jain, S., & Rishi, R. (2017). A Framework for API Security Testing. In 2017 International Conference on
Electrical, Computer and Communication Technologies (ICECCT) (pp. 1-6). IEEE.
[11] Manadhata, P. K., & Gupta, D. (2016, December). A framework for API security testing using attack trees. In 2016
2nd International Conference on Recent Advances in Information Technology (RAIT) (pp. 357-362). IEEE.
[12] Wang, Z., Zhang, Y., Qin, X., & Zhao, X. (2019, August). A security risk assessment method for RESTful APIs based
on attack trees. In 2019 International Conference on Security, Privacy and Pattern Recognition (SECURWARE)
(pp. 225-230). IEEE.
[13] Zhou, Y., Wu, Z., Wang, Y., & Sun, L. (2016, August). A novel approach to identify security vulnerabilities in web
APIs based on machine learning. In 2016 4th International Conference on Cloud Computing and Big Data (CCBD)
(pp. 425-430). IEEE.
[14] Zhang, C., Zheng, Y., & Xie, X. (2018, May). API security analysis with machine learning for anomaly detection. In
2018 IEEE International Conference on Software Testing, Verification and Validation (ICST) (pp. 90-100). IEEE.

111
 Open Access Research Journal of Engineering and Technology, 2024, 07(01), 105–112

[15] Yoo, S., Jeon, H., & Kim, Y. (2018, July). Automated API security testing using machine learning. In 2018
International Conference on Information and Communication Technology Convergence (ICTC) (pp. 831-834).
IEEE.
[16] Gupta, D., & Jain, S. (2019, November). Security challenges and testing techniques for GraphQL APIs. In 2019 10th
International Conference on Cloud Computing, Data Science & Engineering (CONFLUENCE) (pp. 301-306). IEEE.
[17] Zhang, Y., Wang, Z., Qin, X., & Zhao, X. (2020, December). A context-aware approach for security risk assessment
of RESTful APIs. In 2020 IEEE International Conference on Computational Science and Engineering (CSE) (pp.
1449-1454). IEEE.
[18] Zhang, Y., Wang, Z., Qin, X., & Zhao, X. (2020, March). A machine learning approach for identifying security
vulnerabilities in RESTful APIs. In 2020 International Conference on Security, Privacy and Pattern Recognition
(SECURWARE) (pp. 37-42). IEEE.
[19] Gupta, D., & Jain, S. (2019, December). A security testing framework for GraphQL APIs. In 2019 International
Conference on Intelligent Computing and Networking (ICINC) (pp. 832-837). IEEE.
[20] Gupta, D., Jain, S., & Rishi, R. (2018). API security testing using model-based approach. In 2018 International
Conference on Computing, Communication and Security (ICCSEC) (pp. 1-6). IEEE.
[21] Al-Jarrah, M., Yoo, S., & Kim, Y. (2019, July). A survey of API security testing tools. In 2019 International
Conference on Information and Communication Technology Convergence (ICTC) (pp. 1050-1053). IEEE.
[22] Huang, Y., Han, J., & Jiang, C. (2019, August). Towards lightweight and effective security analysis of RESTful APIs.
In 2019 International Conference on Security, Privacy and Pattern Recognition (SECURWARE) (pp. 83-88). IEEE.
[23] Gupta, D., & Jain, S. (2019, July). A comprehensive framework for API security testing. In 2019 International
Conference on Intelligent Computing and Networking (ICINC) (pp. 826-831). IEEE.
[24] Yu, T., Mao, Z., & Li, J. (2018, July). Detecting security vulnerabilities in APIs using API usage graphs. In 2018
International Conference on Big Data and Smart Computing (BigComp) (pp. 1-6). IEEE.
[25] Gupta, D., & Jain, S. (2017, December). Security testing of GraphQL APIs: Challenges and solutions. In 2017
International Conference on Computing, Communication and Security (ICCSEC) (pp. 1-6). IEEE.

112