REST API Security Best Practices

The top 5 REST API security best practices

Although REST APIs can be implemented in a highly secure and resilient manner, there are a number of foundational API security standards that are critical to any implementation. 

The top five ways to build security into a REST API design are:

1. Always use TLS encryption

2. Implement a sound and scalable authentication and authorization model

3. Don’t include sensitive information in URLs

4. Narrowly define allowed RESTful API requests and responses

5. Implement continuous API discovery capabilities

Always use TLS encryption

As with other types of sensitive HTTP traffic, using TLS for RESTful APIs will ensure encryption of all communication between the API consumer and the API endpoint. This is as important for REST API security as for web app security, since the resulting HTTP traffic includes sensitive authentication details, such as passwords, API keys, or tokens.

Implement a sound and scalable authentication and authorization model

Many different techniques can be used to manage access to REST APIs. The most commonly used techniques are API keys and security tokens. But managing keys and tokens can be quite complex.

This often leads to unintentional REST API security vulnerabilities. This risk can be mitigated by integrating with an OAuth 2.0–compatible identity management provider for authentication and issuance of access tokens. A centralized API gateway can also be used to standardize and protect your REST API security approach.

Don’t include sensitive information in URLs

A common REST API design flaw is the inclusion of sensitive information — including user credentials, keys, or tokens — in URLs. Even when TLS is in use, this information remains easy for threat actors to discover. URLs are also frequently logged by various servers and networking devices along the API request’s data path, resulting in further data leakage if the URLs include sensitive information.

Narrowly define allowed RESTful API requests and responses

It’s important to assume that threat actors will attempt to use APIs in malicious or unintended ways. Therefore, it’s important not to implicitly trust RESTful API requests. One of the most important steps to take is to validate attributes like the format, length, and type of any parameters or objects.

You should also tightly govern the types of responses that the REST API can provide. For example, responses should be limited to explicitly allowed content types, such as GET, PUT, and POST.

Implement continuous API discovery capabilities

Even organizations that adhere to REST API security best practices can be caught by surprise by shadow APIs that were implemented outside of normal processes or by forgotten zombie APIs in legacy infrastructure that hasn’t yet been decommissioned. It’s therefore essential to implement continuous, enterprise-wide API discovery capabilities.

The best way to ensure that a complete inventory for all APIs exists is by collecting data from all available sources of API activity information, including: 

• API gateways

• Content delivery networks

• Cloud provider logs

• Log management systems

• Orchestration tools

Analyzing this data for evidence of API activity will ensure that your security team is aware of all APIs in use across the enterprise. Any unexpected REST APIs that are discovered can then be decommissioned or brought into a formalized inventory with the application of appropriate REST API best practices.

The top 4 advanced REST API security best practices

Implementing a set of foundational security standards in your REST API design is an essential first step, but these steps alone will not keep your applications completely safe. Many threat actors have developed advanced techniques for circumventing baseline RESTful API security measures. After all, not every REST API security attack has the aim of breaching the web application infrastructure.

In many cases, the goal is simply to use API functionality in unintended ways to access sensitive data and gain a competitive advantage. These activities may originate from trusted sources, such as customers or partners who have been granted access to REST APIs. Credentials, keys, and tokens can also be stolen or hijacked, allowing threat actors to advance similar activities beyond your baseline REST API security standards.

To provide added protection against these more sophisticated forms of API abuse, you can use the following four advanced REST API security best practices:

1. Use the cloud to collect large sets of REST API security data

2. Apply behavioral analytics to your REST API data

3. Provide insights about REST API usage to development and operations teams

4. Conduct proactive REST API threat hunting activities

Use the cloud to collect large sets of REST API security data

Many first-generation API security techniques operate on-premises. As a result they are limited to analyzing very short windows of activity, after which the API data is discarded. This is ineffective since many types of API abuse are conducted in a low-and-slow manner over weeks — or even months. Sending API activity data to the cloud unlocks the scale needed to store API details that span a month or more. This opens the door to more sophisticated analysis techniques.

Apply behavioral analytics to your REST API data

Once you have a meaningful quantity of REST API activity information, you can also tap into the computing scale of the cloud to perform behavioral analytics. The first way that this enhances your REST API security strategy is by identifying the entities involved, so you have greater context. Entities may include users as well as meaningful business processes.

When you have this context, you can baseline normal patterns of usage for your APIs. From there, you can perform further analysis to detect anomalies. This type of anomaly detection is the best way to spot abuse, particularly when it originates from authenticated users.

Provide insights about REST API usage to development and operations teams

One of the best ways to protect your organization from REST API security vulnerabilities is by avoiding them entirely. Sharing information about how your RESTful APIs are being used — and abused — with your developers and operations personnel will help your organization “shift left” with better REST API security practices early in the development and implementation processes.

Conduct proactive REST API threat hunting activities

It is important not to wait until REST API abuse escalates into a high-severity security incident to act. Proactively investigating REST API usage and looking for attempts at abuse — even if they are unsuccessful — will help you find weaknesses in your REST API security practices. 

Examining API usage activity is also an effective way to uncover the presence of REST API security vulnerabilities, such as those outlined in the Open Web Application Security Project (OWASP) API Security Top 10. Finding and eliminating these vulnerabilities before threat actors can exploit them is one of the most effective ways to enhance your REST API security posture.

Ready to get started?

Akamai helps some of the world’s most recognized organizations implement both foundational and advanced REST API security best practices. From API discovery to behavioral analytics to managed threat hunting, our approach will help you accelerate your REST API security efforts.