API Security Tips


API security is critical for protecting sensitive data and ensuring secure communication between systems. Below are key security measures along with practical implementations.

✅ Use CSRF Tokens

Prevent Cross-Site Request Forgery (CSRF) attacks by generating and validating unique tokens.

Example (Django):

from django.middleware.csrf import get_token

# The token is bound to the current session; the client must send it back in the
# X-CSRFToken header (or a form field) on every state-changing request.
csrf_token = get_token(request)

✅ HTTPS Encryption

Always enforce HTTPS to encrypt data in transit.

OpenSSL command to generate a self-signed certificate (suitable for local testing; production systems should use a certificate issued by a trusted CA):

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost"

✅ Secure Session Management

Use `HttpOnly`, `Secure`, and `SameSite` flags for cookies.

Example (Express.js):

const session = require('express-session');

// Behind a reverse proxy, also call app.set('trust proxy', 1) or `secure` cookies are never set
app.use(session({
  secret: process.env.SESSION_SECRET, // never hard-code; load from the environment or a secret store
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true,    // not readable from JavaScript, so XSS cannot read the session id
    secure: true,      // only sent over HTTPS
    sameSite: 'strict' // not sent on cross-site requests, which blunts CSRF
  }
}));

✅ Token Expiration

Implement short-lived JWT tokens with refresh mechanisms.

Example (Node.js):

const jwt = require('jsonwebtoken');
// Short-lived access token and a longer-lived refresh token, signed with different secrets
const accessToken = jwt.sign({ sub: userId }, process.env.JWT_SECRET, { expiresIn: '15m' });
const refreshToken = jwt.sign({ sub: userId }, process.env.JWT_REFRESH_SECRET, { expiresIn: '7d' });
// Verification pins the algorithm and throws TokenExpiredError once `exp` has passed
const payload = jwt.verify(accessToken, process.env.JWT_SECRET, { algorithms: ['HS256'] });

✅ Rate Limiting

Prevent brute-force attacks by limiting request rates.

Example (Nginx):

# 10 requests/second per client address, tracked in a 10 MB shared zone
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
location /api/ {
    # up to 20 excess requests are queued; beyond that Nginx answers 503 (change with limit_req_status 429)
    limit_req zone=api_limit burst=20;
}
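For services that cannot put Nginx in front of them, the same policy can be enforced in application code. The following is an added example, not from the original post, of a per-client token bucket that approximates `rate=10r/s burst=20`; the client key and clock are passed in by the caller so the logic can be tested without a server, and the Express middleware wrapper assumes `req.ip` is trustworthy (i.e. `trust proxy` is configured correctly).

```javascript
// Added example (not from the original post): per-client token-bucket rate limiter.
class RateLimiter {
  constructor({ ratePerSecond, burst }) {
    this.rate = ratePerSecond;
    this.capacity = burst;            // maximum tokens, i.e. the allowed burst
    this.buckets = new Map();         // key -> { tokens, last }
  }

  // Decide one request from `key` at time `nowMs`.
  // Returns { allowed, retryAfterMs }.
  check(key, nowMs) {
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, last: nowMs };
      this.buckets.set(key, b);
    }
    // Refill proportionally to elapsed time, capped at the burst size.
    const elapsed = Math.max(0, nowMs - b.last) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsed * this.rate);
    b.last = nowMs;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, retryAfterMs: 0 };
    }
    // Time until one whole token is available again.
    const retryAfterMs = Math.ceil(((1 - b.tokens) / this.rate) * 1000);
    return { allowed: false, retryAfterMs };
  }

  // Drop idle buckets so memory does not grow with every address ever seen.
  prune(nowMs, idleMs = 60000) {
    for (const [k, b] of this.buckets) {
      if (nowMs - b.last > idleMs) this.buckets.delete(k);
    }
  }
}

// Express-style middleware keyed on the client address.
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const r = limiter.check(req.ip, Date.now());
    if (r.allowed) return next();
    res.set('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
    res.status(429).send('Too Many Requests');
  };
}
```

Keying on the client address alone is weak against distributed sources; for login endpoints, combine it with a per-account limit.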

✅ Input Validation & Sanitization

Protect against SQL injection and XSS attacks.

Example (PHP with PDO):

// Prepared statement: the value is bound as a parameter, never interpolated into the SQL string
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
$stmt->execute(['email' => filter_var($email, FILTER_SANITIZE_EMAIL)]);

✅ Security Headers

Add HTTP headers to mitigate common attacks.

Example (Apache):

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set Content-Security-Policy "default-src 'self'"
# Only once the site is served exclusively over HTTPS (see HTTPS Encryption above)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
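Both the cookie flags from the Secure Session Management section and the headers above are easy to lose in a deployment change, so a check that runs against a staging server is worth having. The following is an added example, not from the original post, that audits a `Set-Cookie` value and a response header map; the expected values mirror the post's Express and Apache snippets, and the HSTS check is an assumption added here.

```javascript
// Added example (not from the original post): audit cookie flags and security headers.

// Parse one Set-Cookie header value into its cookie name and attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attributes = {};
  for (const a of attrs) {
    const [k, v] = a.split('=');
    attributes[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, attributes };
}

// Report which of HttpOnly / Secure / SameSite a cookie is missing.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.httponly) missing.push('HttpOnly');
  if (!attributes.secure) missing.push('Secure');
  const sameSite = attributes.samesite;
  if (!sameSite || !['strict', 'lax'].includes(String(sameSite).toLowerCase())) {
    missing.push('SameSite=Strict|Lax');
  }
  return { name, missing };
}

// Required response headers and what counts as an acceptable value. CSP is only
// checked for presence here; a policy review depends on the application.
const REQUIRED_HEADERS = {
  'x-content-type-options': (v) => v.toLowerCase() === 'nosniff',
  'x-frame-options': (v) => ['deny', 'sameorigin'].includes(v.toLowerCase()),
  'content-security-policy': (v) => v.trim().length > 0,
  'strict-transport-security': (v) => /max-age=\d+/i.test(v),
};

// `headers` is a plain object with lower-case keys, as Node's http module returns.
function auditHeaders(headers) {
  const problems = [];
  for (const [name, ok] of Object.entries(REQUIRED_HEADERS)) {
    const value = headers[name];
    if (value === undefined) problems.push(`missing ${name}`);
    else if (!ok(String(value))) problems.push(`weak ${name}: ${value}`);
  }
  return problems;
}
```

Run `auditHeaders(res.headers)` and `auditSetCookie(...)` over each `set-cookie` entry in an integration test and fail the build when either returns a non-empty list.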

✅ Logging & Auditing

Track API access for security analysis.

Example (Linux Logging):

sudo tail -f /var/log/nginx/access.log | grep 'POST /api/login' 

✅ Disable Directory Listing

Prevent clients from enumerating the files in a directory that has no index page.

Example (Apache):

Options -Indexes 

✅ CORS Configuration

Restrict cross-origin requests to trusted domains.

Example (Express.js):

const cors = require('cors');

app.use(cors({
  origin: ['https://trusted-domain.com'], // exact allowlist; never '*' for an API that uses cookies
  methods: ['GET', 'POST']
}));
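To show what the `cors` middleware decides on each request, here is an added example, not from the original post and not the middleware's own code, that computes the CORS response for a simple request and for a preflight. The allowlist reuses the post's placeholder domain; the allowed header list is an assumption.

```javascript
// Added example (not from the original post): CORS decision for an exact-match allowlist.
const ALLOWED_ORIGINS = new Set(['https://trusted-domain.com']);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization']; // assumption

// Returns { allowed, preflight, headers }. `req.headers` uses lower-case keys.
function corsDecision(req) {
  const origin = req.headers.origin;
  // No Origin header: same-origin navigation or a non-browser client; CORS does not apply.
  if (!origin) return { allowed: true, preflight: false, headers: {} };
  // Exact match only: 'https://trusted-domain.com.evil.example' and 'null' both fail.
  if (!ALLOWED_ORIGINS.has(origin)) return { allowed: false, preflight: false, headers: {} };

  const headers = {
    'Access-Control-Allow-Origin': origin,       // echo the matched origin, never '*'
    'Vary': 'Origin',                            // caches must key on Origin
    'Access-Control-Allow-Credentials': 'true',  // only safe because the origin list is strict
  };

  const requested = req.headers['access-control-request-method'];
  const isPreflight = req.method === 'OPTIONS' && typeof requested === 'string';
  if (isPreflight) {
    if (!ALLOWED_METHODS.includes(requested.toUpperCase())) {
      return { allowed: false, preflight: true, headers: {} };
    }
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
    return { allowed: true, preflight: true, headers };
  }
  return { allowed: true, preflight: false, headers };
}
```

The common misconfiguration is reflecting whatever `Origin` arrives together with `Allow-Credentials: true`, which lets any site make authenticated calls; the exact-match set above is what prevents that.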

✅ Disable Default Error Messages

Avoid exposing system details in errors.

Example (PHP):

ini_set('display_errors', '0'); // never send stack traces or paths to the client
ini_set('log_errors', '1');     // but keep them in the server error log for debugging

✅ Security Testing

Run automated scans for vulnerabilities.

Example (OWASP ZAP baseline scan, writing an HTML report into the current directory):

docker run -v $(pwd):/zap/wrk -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t https://your-api.com -r report.html

✅ API Versioning

Maintain backward compatibility.

Example (URL-based versioning):

https://api.example.com/v1/users

✅ Throttle Login Attempts

Prevent brute-force attacks by banning addresses after repeated failed logins. Fail2Ban does this by watching the log; the commands below manage an exemption so that a trusted operator address is never locked out by the jail, and show the jail's current state.

Example (Linux Fail2Ban):

# Exempt a trusted address from the sshd jail (use sparingly: an ignored address is never banned)
sudo fail2ban-client set sshd addignoreip 192.168.1.1
# Show the jail's status, including currently banned addresses
sudo fail2ban-client status sshd
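The Logging & Auditing section tails the access log for `POST /api/login`, and this section relies on Fail2Ban's maxretry/findtime/bantime rule over the same kind of log. The following is an added example, not from the original post and not Fail2Ban's own code, that parses Nginx combined-format log lines, counts failed logins per client address, and applies that rule; the log lines are constructed for the example and the thresholds are assumptions.

```javascript
// Added example (not from the original post): failed-login detection over access log lines.
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Nginx timestamp, e.g. "10/Oct/2024:13:55:01 +0000", to epoch milliseconds.
function parseNginxTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return null;
  const [, d, mon, y, hh, mm, ss, sign, tzh, tzm] = m;
  const utc = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss);
  const offset = (sign === '+' ? 1 : -1) * ((+tzh) * 60 + (+tzm)) * 60000;
  return utc - offset;
}

// One combined-format line to { ip, time, method, path, status }, or null if it does not match.
function parseLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: parseNginxTime(m[2]), method: m[3], path: m[4], status: +m[5] };
}

// Fail2Ban-style rule: `maxretry` failures within `findtime` => ban for `bantime` (all ms).
class LoginFailureTracker {
  constructor({ maxretry = 5, findtime = 10 * 60000, bantime = 60 * 60000 } = {}) {
    Object.assign(this, { maxretry, findtime, bantime });
    this.failures = new Map(); // ip -> [failure timestamps]
    this.bans = new Map();     // ip -> ban expiry
  }
  isBanned(ip, now) {
    const until = this.bans.get(ip);
    return until !== undefined && now < until;
  }
  // Returns true when this failure triggers (or renews) a ban.
  recordFailure(ip, now) {
    const recent = (this.failures.get(ip) || []).filter((t) => now - t <= this.findtime);
    recent.push(now);
    this.failures.set(ip, recent);
    if (recent.length >= this.maxretry) {
      this.bans.set(ip, now + this.bantime);
      return true;
    }
    return false;
  }
}

// A failed login is a POST /api/login answered with 401. Returns the addresses that got banned.
function scanLoginFailures(lines, opts) {
  const tracker = new LoginFailureTracker(opts);
  const banned = new Set();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST' || e.path !== '/api/login' || e.status !== 401) continue;
    if (tracker.recordFailure(e.ip, e.time)) banned.add(e.ip);
  }
  return [...banned];
}

// Constructed sample log lines (not real traffic); 203.0.113.7 fails five times in seven seconds.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2024:13:55:01 +0000] "POST /api/login HTTP/1.1" 401 43 "-" "curl/8.0"',
  '203.0.113.7 - - [10/Oct/2024:13:55:02 +0000] "POST /api/login HTTP/1.1" 401 43 "-" "curl/8.0"',
  '198.51.100.3 - - [10/Oct/2024:13:55:03 +0000] "POST /api/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2024:13:55:04 +0000] "POST /api/login HTTP/1.1" 401 43 "-" "curl/8.0"',
  '203.0.113.7 - - [10/Oct/2024:13:55:05 +0000] "GET /api/users HTTP/1.1" 401 43 "-" "curl/8.0"',
  '203.0.113.7 - - [10/Oct/2024:13:55:06 +0000] "POST /api/login HTTP/1.1" 401 43 "-" "curl/8.0"',
  '203.0.113.7 - - [10/Oct/2024:13:55:07 +0000] "POST /api/login HTTP/1.1" 401 43 "-" "curl/8.0"',
  '198.51.100.3 - - [10/Oct/2024:14:30:00 +0000] "POST /api/login HTTP/1.1" 401 43 "-" "Mozilla/5.0"',
];
```

Only the `/api/login` 401s count toward the ban, so the unrelated `GET /api/users` 401 and the single late failure from `198.51.100.3` do not trigger anything; that is the same selectivity a Fail2Ban `failregex` gives a jail.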

✅ Secure API Documentation

Do not publish internal or administrative endpoints in Swagger/OpenAPI docs, and declare the authentication scheme so every documented operation is marked as protected.

Example (OpenAPI 3):

components:
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
security:
  - BearerAuth: []   # applied to every operation unless one overrides it

What Undercode Say

API security is not optional; it is mandatory. Implement these best practices to safeguard your systems: use tools such as fail2ban and openssl, harden your nginx configuration, always validate inputs, enforce HTTPS, and log activity.

Expected Output:

A secure API with encrypted traffic, rate-limited endpoints, proper CORS policies, and no exposed sensitive data.

Reported By: Sina Riyahi – Hackers Feeds