End To End API Security

The document discusses securing web service APIs through end-to-end API security. It covers the common security challenges of APIs and the main API security considerations: the API gateway pattern and access control through authentication and authorization techniques. Authentication can be done through basic authentication, OAuth 2.0, OIDC, API keys, or mutual SSL; authorization controls access through role-based access control and policy-based methods such as XACML and OPA. The document also discusses API protection, propagating security contexts to APIs, and addressing the OWASP top 10 API threats.

Uploaded by Manuel Soberanis
Copyright: © All Rights Reserved

End-to-End API Security
A guide to securing your web service APIs

End-to-End API Security


1 / 32
Table of Contents

1. Introduction  03
2. Confronting the Security Challenges of APIs  05
3. API Security Considerations  08
   3.1. The API gateway pattern  09
   3.2. API access control  10
      3.2.1. Authentication  10
         3.2.1.1. Basic authentication  10
         3.2.1.2. OAuth 2.0  11
         3.2.1.3. OIDC-based authentication  17
         3.2.1.4. API key-based authentication  17
         3.2.1.5. Mutual SSL authentication  18
      3.2.2. Authorization  19
         3.2.2.1. Role-based access control  19
         3.2.2.2. XACML-based access control  20
         3.2.2.3. Open Policy Agent (OPA)  21
         3.2.2.4. Speedle+  21
      3.2.3. Rate Limiting  22
   3.3. API Protection  23
      3.3.1. CORS Protection  23
      3.3.2. Bot Detection  24
      3.3.3. Protection against Malicious Payloads  24
      3.3.4. Data Masking and Data Redaction  25
      3.3.5. Fraud Detection  25
   3.4. Propagating Security Contexts to APIs  26
   3.5. OWASP Top 10 API Threats  27
   3.6.  28
   3.7. Wrap-up  29
4. Conclusion  30

1. Introduction

APIs are a cornerstone technology for organizations seeking to digitally transform their business. Exposing corporate data and custom-built functionality through a standardized set of web service endpoints allows companies to enhance the value of strategic partnerships, rapidly develop new digital products, and personalize experiences for their customers. As the world relies more heavily on digital connections, many leadership teams are relying even more on their API programs to respond to rapidly changing customer and market demands.

[Figure (source: MarketsandMarkets): 1.2 Billion (2018), 5.1 Billion (2023), 32.9%]

2. Confronting the Security Challenges of APIs


their use.

According to 1

In 2018, an uncaught vulnerability in Facebook’s Developer API

In 2019, a data breach at JustDial


at risk due to an unprotected publicly accessible API endpoint.
Later that same year, a developer discovered an API key in a public

access control systems.

Figure 2: Data breach at JustDial

accessible codebase.

and their customers’ data.

-
igent reader to research secure development processes and practices to ensure privileged data is not

3. API Security Considerations

Access control
API protection
Threat detection

3.1 The API gateway pattern

-
sively address API security concerns and prevent misuse.

and devices.

3.2 API access control

3.2.1 Authentication

3.2.1.1 Basic authentication

[Figure 3: Basic authentication. The server challenges the client with WWW-Authenticate: Basic realm = (realm); the client repeats the request with Authorization: Basic (credentials); the server answers 200 OK.]


Due to the concerns mentioned above, using basic authentication has become a less secure approach
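The server side of the exchange in Figure 3, as an added Python example that is not part of the whitepaper: the server stores only a salted PBKDF2 hash of the password, answers every failure with the WWW-Authenticate challenge, and compares hashes in constant time. The user name, password, salt and realm are constructed values.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

REALM = "api"  # constructed realm name

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed credential store: user -> (salt, PBKDF2-SHA256 hash). The server
# never keeps the clear-text password that the Basic header carries.
_SALT = b"constructed-salt-16b"
CREDENTIALS = {"alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}

def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from 'Authorization: Basic <base64(user:pass)>'."""
    if not header:
        return None
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")  # password itself may contain ':'
    return (user, password) if sep else None

def handle_request(authorization: Optional[str]) -> Tuple[int, dict]:
    """Server side of Figure 3: answer 401 + challenge until valid credentials arrive."""
    creds = parse_basic_header(authorization)
    if creds is None:
        return 401, CHALLENGE
    user, password = creds
    salt, stored = CREDENTIALS.get(user, (_SALT, b""))
    computed = _pbkdf2(password, salt)  # always hash, so unknown users cost the same time
    if stored and hmac.compare_digest(computed, stored):
        return 200, {}
    return 401, CHALLENGE

def client_header(user: str, password: str) -> str:
    """Client side: base64 is an encoding, not encryption, so TLS must carry it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token
```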

3.2.1.2 OAuth 2.0

[Figure: OAuth 2.0 roles: Resource Server, Client Application, Authorization Server]

Here is a brief description of each role.

Resource Owner

Resource Server

Client Application
The client application is the application requesting access to the resources stored on the resource

requesting access to a user’s social media account.

Authorization Server

A detailed description of OAuth 2.0 can be found on this website for further reading.

into the picture.

OAuth 2.0 Grant Types

When it comes to OAuth 2.0-based authentication, there are several key components. Those are the

Authorization Code Grant

[Figure: Authorization code grant. Participants: User (Resource Owner), Application (Client), Authorization Server, Resource Server. Steps shown: 1. Authorization Request; 4. Access Token; 5. Access Token; 6. Protected Resource.]

Password Grant Type
-
vice operating system or a highly privileged application). The client should be able to obtain the creden-

[Figure: Password grant type. Participants: Resource Owner, Client, Authorization Server, Resource Server.]

Client Credentials Grant Type

[Figure: Client credentials grant type. Participants: Client, Authorization Server, Resource Server. Steps shown: (A) Client Credentials; (B) Access Token.]

Kerberos OAuth2 Grant Type

[Figure 7: Kerberos grant type. Participants: Client, Ticket Granting Server, Server. Steps shown: 1. Client Logon; 4. Client-to-Server ticket; 5. Client-to-Server ticket.]

Refresh Token Grant Type

[Figure: Refresh token grant type. Participants: Client, Authorization Server, Resource Server. Steps shown: (A) Authorization grant; (C) Access Token; (D) Protected resources; (F) Invalid token error.]

JWT Grant Type

[Figure: JWT grant type. Participants: Authentication Server, Application Server. Steps shown: 1; 2 JWT; 3 JWT; 4.]

A detailed technical description


reading.

3.2.1.3 OIDC-based authentication

[Figure: OIDC-based authentication. Participants: End User, User Agent, OpenID Provider, Relying Party, Resource Server/API Provider. Steps shown: (A), (B), (C) Authorization code; (F) RP validates the ID Token per specs and the access token using at_hash; (K) Resource Server/API Provider validates the access token.]
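The at_hash check the relying party performs at step (F), as an added Python example that is not part of the whitepaper: the access token is hashed with the algorithm implied by the ID token's JWS alg, the left-most half of the digest is base64url-encoded, and the result is compared with the at_hash claim. The claim set and access token are constructed values.

```python
import base64
import hashlib
import hmac

# at_hash (OpenID Connect Core 1.0, section 3.1.3.6): hash the ASCII octets of the
# access_token with the hash algorithm of the ID token's JWS "alg", keep the
# left-most half of the digest, and base64url-encode it without padding.
HASH_FOR_ALG = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512",
}

def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def compute_at_hash(access_token: str, alg: str) -> str:
    digest = hashlib.new(HASH_FOR_ALG[alg], access_token.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])

def verify_at_hash(id_token_claims: dict, alg: str, access_token: str) -> bool:
    """True only when the ID token binds this exact access token.

    at_hash is REQUIRED when the access token is issued together with the ID
    token from the authorization endpoint (implicit/hybrid) and OPTIONAL in the
    pure code flow; this check treats a missing claim as a failed binding so the
    caller never silently accepts an unbound token.
    """
    presented = id_token_claims.get("at_hash")
    if not isinstance(presented, str):
        return False
    expected = compute_at_hash(access_token, alg)
    # Constant-time comparison: the value is not secret, but the habit is cheap.
    return hmac.compare_digest(expected, presented)

# Constructed demonstration values (not from any real provider).
ACCESS_TOKEN = "constructed-access-token-0123456789"
ID_TOKEN_CLAIMS = {"iss": "https://op.example", "sub": "alice",
                   "at_hash": compute_at_hash(ACCESS_TOKEN, "RS256")}

if __name__ == "__main__":
    print(verify_at_hash(ID_TOKEN_CLAIMS, "RS256", ACCESS_TOKEN))        # True
    print(verify_at_hash(ID_TOKEN_CLAIMS, "RS256", ACCESS_TOKEN + "x"))  # False
```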

3.2.1.4 API key-based authentication

[Figure 11: API key-based authentication. The application sends the request with the API key in a request header:
{ "api-key": "9038-20380-9340-98" }]

3.2.1.5 Mutual SSL authentication

[Figure 12: Mutual SSL. The client key store holds client.crt and the server key store holds server.crt; 1. Protected service requested (Client to Server).]

3.2.2 Authorization

3.2.2.1 Role-based access control

API: ShoppingCartAPI
Resource: Items (/items)
Roles per action: manager | manager, employee | manager

3.2.2.2 XACML-based access control

Attribute-Based Access Control (ABAC) and evaluation are supported by XACML. These evaluations are

[Figure: XACML architecture. The Application calls the Policy Enforcement Point (PEP), which obtains a Permit/Deny decision from the Policy Decision Point (PDP); the Policy Administration Point (PAP) creates, deploys and stores policies in the Policy Repository; the Policy Information Point (PIP) supplies descriptive attributes from the Attribute Store.]

3.2.2.3 Open Policy Agent (OPA)

Kubernetes setups.

In OPA, policy decisions are generated by evaluating the query input against policies and data.

day the system can be accessed, etc.

3.2.2.4 Speedle+

can be used in API management scenarios, cloud-native applications, and legacy applications. This

-
guage, authorization decision service, and a command-line tool. When securing APIs using a role-based
access control (RBAC), Speedle is a good alternative that deserves attention.

This Speedle resources page

3.2.3 Rate Limiting

To avoid these problems, the best solution is to have a rate-limiting mechanism. The limiting conditions

3.3 API Protection

3.3.1 CORS Protection

[Figure: Same-origin versus cross-origin requests. A web document from domain-a.com loading an image from the domain-a.com web server is a same-origin request (always allowed); a canvas with an image from the domain-b.com web server is a cross-origin request (controlled by CORS).]

3.3.2 Bot Detection

make necessary changes to the system.

system (and other APIs).

3.3.3 Protection against Malicious Payloads

those becomes vital. These days, it is very hard to trust every request that comes to a particular API,

-
opers can take necessary prevention actions in advance.

3.3.4 Data Masking and Data Redaction

-
cation purposes (and nothing more than that).

3.3.5 Fraud Detection

relies on the credentials (or tokens), the attacker can do anything pretending to be a legitimate consum-

some valid credentials are used.

3.4 Propagating Security Contexts to APIs

and grant/deny the request based on the claims.

3.5 OWASP Top 10 API Threats

systems, leading to business disruption and monetary loss.

Open Web Application Se-

1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Assets Management
10. Insufficient Logging & Monitoring

To build a secure API ecosystem, preventing these threats becomes key. At the same time, these stan-

3.6

The -

3.7 Wrap-up

product guides to create and manage APIs that are secure by design (in most cases).

4. Conclusion

ecosystem.

wso2.com
