APIs are critical components in modern applications, but they also present significant security risks if not properly secured. Below are essential API security practices along with practical commands, code snippets, and steps to implement them.
1. API Logging & Auditing
Track API activity to detect suspicious behavior.
Linux Command:
sudo tail -f /var/log/nginx/access.log | grep "POST /api"
Python (Flask logging):
import logging
logging.basicConfig(filename='api_activity.log', level=logging.INFO)
2. HTTP Encryption (HTTPS)
Always use HTTPS to secure data transmission.
OpenSSL Command:
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
Nginx HTTPS Configuration:
server {
    listen 443 ssl;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
}
3. Security Headers
Prevent XSS, clickjacking, and other attacks.
Apache Configuration:
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set Content-Security-Policy "default-src 'self'"
4. Data Encryption
Encrypt sensitive data at rest and in transit.
GPG Encryption (Linux):
gpg --encrypt --recipient recipient@example.com sensitive_data.txt
5. Throttle Login Attempts
Prevent brute-force attacks.
Fail2Ban (Linux):
sudo apt install fail2ban
sudo systemctl enable fail2ban
6. Safe API Documentation
Avoid exposing sensitive API details.
Swagger Security Config (Node.js):
const options = { swaggerOptions: { supportedSubmitMethods: [] } };
7. Token Expiration
Set short-lived JWT tokens.
Python (PyJWT):
from datetime import datetime, timedelta, timezone
import jwt

# Token becomes invalid 30 minutes after issue; verifiers reject it once "exp" has passed.
token = jwt.encode(
    {"exp": datetime.now(timezone.utc) + timedelta(minutes=30)},
    "secret",
    algorithm="HS256",
)
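A short `exp` claim only helps if the verifier actually enforces it, checks the signature first, and refuses unexpected algorithms. The following added example (written for this page, not PyJWT's code) implements HS256 issue and verify with the standard library only, so it runs without the `jwt` package; the secret, TTL and claim values are constructed for illustration, and a real deployment would use PyJWT's `jwt.decode` with an explicit `algorithms=` list rather than hand-rolled code.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims, secret, ttl_seconds=1800, now=None):
    """Create an HS256 JWT whose 'exp' is `ttl_seconds` after `now` (epoch seconds)."""
    now = int(time.time()) if now is None else int(now)
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, secret, now=None, leeway=0):
    """Return the payload if the signature is valid and 'exp' has not passed; raise TokenError otherwise.

    Order matters: algorithm check, then signature, then claims. Nothing in the payload
    is trusted until the signature has been verified."""
    now = int(time.time()) if now is None else int(now)
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except ValueError as exc:  # covers bad split, bad base64 and bad JSON
        raise TokenError("malformed token") from exc

    # Only accept the algorithm we issue with; never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")

    expected = hmac.new(secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")

    try:
        payload = json.loads(_b64url_decode(p64))
    except ValueError as exc:
        raise TokenError("malformed payload") from exc

    # A token without 'exp' would never expire; treat that as a rejection, not as "valid forever".
    if not isinstance(payload.get("exp"), int):
        raise TokenError("missing exp")
    if now > payload["exp"] + leeway:
        raise TokenError("token expired")
    return payload


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed fixed clock for a repeatable demo
    t = issue_token({"sub": "alice"}, "s3cret", ttl_seconds=1800, now=issued_at)
    print(verify_token(t, "s3cret", now=issued_at + 100))
    try:
        verify_token(t, "s3cret", now=issued_at + 1801)
    except TokenError as e:
        print("rejected:", e)
```

The `leeway` parameter is the one knob worth exposing: a few seconds absorbs clock skew between the issuer and the API without materially lengthening the token's life.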
8. Disable Default Errors
Avoid exposing system details.
Django Settings:
DEBUG = False
ALLOWED_HOSTS = ['yourdomain.com']
9. Sanitize Input
Prevent SQL injection.
SQL Parameterized Query (Python):
cursor.execute("SELECT * FROM users WHERE username = %s", (user_input,))
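To see why the parameterized form matters, the following added example (not code from the original post) builds a small in-memory SQLite table and runs the same lookup two ways: with the input formatted into the SQL string, and with a bound parameter. The table contents and the inputs are constructed; note that `sqlite3` uses `?` placeholders where the page's DB-API driver uses `%s`.

```python
import sqlite3


def setup_db():
    """Constructed in-memory database with a few sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn, user_input):
    """Vulnerable pattern: the input is spliced into the SQL text, so a quote in it
    changes the query's structure instead of being matched as data."""
    query = "SELECT id, username, role FROM users WHERE username = '%s'" % user_input
    return conn.execute(query).fetchall()


def find_user_safe(conn, user_input):
    """Hardened pattern: the value travels separately from the SQL, so it can only ever
    be compared literally against the username column."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (user_input,)
    ).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    # A benign lookup behaves the same either way.
    print(find_user_unsafe(conn, "bob"), find_user_safe(conn, "bob"))
    # The classic tautology input: the unsafe query returns every row, the safe one returns none.
    probe = "' OR '1'='1"
    print(len(find_user_unsafe(conn, probe)), len(find_user_safe(conn, probe)))
```

The safe version needs no escaping logic of its own, which is the real argument for it: there is no quoting routine to get wrong.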
10. CORS Configuration
Restrict API access to trusted domains.
Express.js CORS Setup:
const cors = require('cors');
app.use(cors({ origin: 'https://trusted.com' }));
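The Express snippet passes a single fixed origin, which is the safe case. Trouble starts when the allowlist is checked by hand, typically with a prefix or substring test, so that `https://trusted.com.evil.example` or `https://trusted.com@evil.example` passes. The following added example (framework-neutral Python, not code from the original post) shows that naive check beside an exact-match one and the response headers a server should emit only for an allowlisted origin; the allowlist entries are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: full origins, scheme included, port only when non-default.
ALLOWED_ORIGINS = {"https://trusted.com", "https://app.trusted.com:8443"}


def naive_is_allowed(origin):
    """The prefix check that shows up in hand-written CORS code. Kept only to show its failure."""
    return origin.startswith("https://trusted.com")


def origin_is_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact-match the full origin (scheme://host[:port]) against the allowlist."""
    if not origin or origin == "null":  # "null" is sent for sandboxed/opaque origins; never allow it
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        return False
    # A real Origin header carries no path, query or fragment; anything else is malformed.
    if parts.path or parts.query or parts.fragment:
        return False
    return f"{parts.scheme}://{parts.netloc}".lower() in allowed


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Response headers for a cross-origin request. An empty dict means: send no CORS
    headers, so the browser refuses to expose the response to the calling page."""
    if not origin_is_allowed(origin, allowed):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,       # echo only a value we just validated
        "Access-Control-Allow-Credentials": "true",  # only meaningful with a specific origin, never "*"
        "Vary": "Origin",                            # shared caches must not reuse across origins
    }


if __name__ == "__main__":
    for o in ("https://trusted.com", "https://trusted.com.evil.example", "https://trusted.com@evil.example"):
        print(o, "naive:", naive_is_allowed(o), "exact:", origin_is_allowed(o))
```

`Vary: Origin` is easy to forget: without it a CDN or proxy can serve a response carrying one origin's `Access-Control-Allow-Origin` to a different origin.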
11. Secure Session Management
Use HTTP-only, secure cookies.
Flask Session Config:
app.config['SESSION_COOKIE_HTTPONLY'] = True
app.config['SESSION_COOKIE_SECURE'] = True
12. Access Control
Implement role-based access.
Linux File Permissions:
chmod 750 /sensitive_directory
13. Rate Limiting
Prevent API abuse.
Nginx Rate Limiting:
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
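Sections 5 and 13 are two sides of one control: a per-client request budget, and a lockout after repeated failed logins. The nginx `limit_req` zone and Fail2Ban do this at the edge; an application often needs the same logic where it can key on the username as well as the IP. The following added example (not code from the original post) implements a sliding-window limiter matching the `10r/s` intent and a login throttle, both driven by an injectable clock so the walkthrough is deterministic; the limits, keys and the `FakeClock` are constructed.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Constructed stand-in for time.monotonic so the demo does not depend on real time."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SlidingWindowLimiter:
    """Allow at most `max_requests` per `window_seconds` per key (e.g. client IP).

    Same intent as nginx's limit_req zone: one client cannot exceed the rate no matter
    which endpoint it hits. Call `allow()` before handling the request; answer 429 on False."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.hits = defaultdict(deque)  # key -> timestamps of recently allowed requests

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # forget requests that left the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


class LoginThrottle:
    """Lock a login key (client IP + username) after `max_failures` consecutive failures."""

    def __init__(self, max_failures=5, lockout_seconds=600, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)  # key -> consecutive failed attempts
        self.locked_until = {}            # key -> clock value at which the lock expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[key]    # lock expired: fresh budget
            self.failures[key] = 0
            return False
        return True

    def record(self, key, success):
        """Call after each password check. Returns True if the key is now locked."""
        if success:
            self.failures[key] = 0
            return False
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = self.clock() + self.lockout
            return True
        return False


def demo():
    """Constructed walkthrough: a burst over the rate limit, then a lockout that expires."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(max_requests=10, window_seconds=1.0, clock=clock)
    burst = [limiter.allow("203.0.113.5") for _ in range(12)]
    clock.advance(1.0)
    after_wait = limiter.allow("203.0.113.5")

    throttle = LoginThrottle(max_failures=5, lockout_seconds=600, clock=clock)
    key = ("203.0.113.5", "alice")
    for _ in range(5):
        throttle.record(key, success=False)
    locked = throttle.is_locked(key)
    clock.advance(600)
    unlocked = throttle.is_locked(key)
    return burst.count(True), burst.count(False), after_wait, locked, unlocked


if __name__ == "__main__":
    print(demo())  # -> (10, 2, True, True, False)
```

Keying the login throttle on the (IP, username) pair rather than the IP alone means a single client cannot lock out everyone behind a shared NAT, and a spread of source addresses still cannot hammer one account.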
14. API Versioning
Deprecate old versions securely.
URL-Based Versioning:
https://api.example.com/v1/resource
15. CSRF Tokens
Prevent cross-site request forgery.
Django CSRF Middleware:
MIDDLEWARE = ['django.middleware.csrf.CsrfViewMiddleware']
What Undercode Say
API security is non-negotiable in today’s threat landscape. Implementing encryption, logging, and strict access controls ensures resilience against attacks. Always validate inputs, enforce HTTPS, and monitor API traffic for anomalies.
Expected Output:
- Secure API endpoints with HTTPS.
- Log and audit API access.
- Enforce strict CORS policies.
- Use rate limiting to prevent abuse.
- Regularly rotate and expire tokens.
Reported By: Satya619 𝗧𝗼𝗽 – Hackers Feeds