Three Simple Practices for API Security

Allen Tipper, May 10th, 2011

We here at ProgrammableWeb see a lot of APIs. Many of them are pretty secure, and some sadly are not. So, what makes an API secure? Well, I’m glad you asked. There are a lot of things one can do to improve the security of an API. Below I’ll outline three simple practices that make up a good start for a secure API.

  • Use HTTPS If Possible.
    HTTPS, or HTTP over Secure Sockets Layer (SSL), allows for encrypted communication while using the HTTP protocol. When transmitting such things as usernames and passwords, HTTPS can improve security greatly by encrypting the transmission so someone with a packet sniffing tool can’t see your usernames and passwords.

  • Don’t Transmit Important Data In Plaintext
    You’d think this would be obvious, but I saw an API that reminded me that this is in fact not done in every circumstance. If you must transmit a password, do it with some sort of hash function, and through HTTPS preferably. Otherwise, that username and password, which, knowing most users, they probably use on 20-odd sites or so, is now compromised. A smart cracker (most people would say “hacker”, but it’s a misuse of the term) would then try that user/pass combo on things like GMail and such, then use the info found there to access nearly everything a user has. So, please, PLEASE don’t do this.

  • Sanitize Your Inputs
    Most websites these days use either SQL or some sort of database for their sites, and usually for their APIs. A developer absolutely needs to sanitize their inputs so as to avoid SQL injection attacks. For those that don’t know, SQL injection attacks are when a malicious user is able to execute arbitrary SQL commands on a server they shouldn’t have access to, thereby becoming able to trash your entire database. Sanitizing inputs is basically scanning them and “escaping” anything suspicious, so the database doesn’t read them as commands but just as text.

There are always more issues to be considered, but here are a few basics that might save you as long as you keep them in mind when making an API. We always appreciate a good API, but data security is more important than the neatest wizbang thing. Don’t be the next Sony. Secure your API.


2 Responses to “Three Simple Practices for API Security”

June 8th, 2011 at 1:19 am
Comment by: Me

How does a hash function help for man-in-the-middle attacks? If the attacker can listen in on your non-https connection, they can definitely acquire your “hashed” password, and use it later in replay attacks.

June 10th, 2011 at 3:29 pm
Comment by: Dana Crane

Allen, I’d like to echo your comment around API key security. More and more of our customers are telling us that an API key is a good starting point for security, but it (and SSL) are just that – starting points. Maybe it’s because of the latest rash of cyber attacks, but what we’re hearing from security-conscious companies are demands for things like signing and encryption services, as well as the ability to validate or exchange tokens (i.e., SAML). If this sounds like heavyweight security for lightweight REST APIs, you’re correct, but much of it can be handled by an API Proxy, thereby insulating API developers.
