Python Best Practices to Secure APIs
Protect your API from three dimensions
APIs have become a foundational element of today’s app-driven world. Many companies, including Amazon, have adopted the API-first approach, which treats APIs as independent products rather than as integration glue between other systems.
By design, APIs expose valuable information to the world, from public weather data to private, sensitive Personally Identifiable Information (PII), and because of this they have become new targets for hackers. Without secure APIs, building successful products would be impossible.
This article is meant as a wake-up call if you haven’t applied any security strategy to your API yet. As usual, I will provide Python implementations for some of the best practices. Securing your API can be viewed as a non-functional requirement (NFR). In common with other NFRs such as performance and reliability, it is hard to define exactly when the API is secure enough.
That is why many companies hire a third party to run an API penetration test and get an impartial assessment. In short, the pen tester attempts to break into your API to find any exploitable vulnerability.
Context of API Security
First things first: why do we need to care about API security at all? An API defines a set of operations that callers can use. If I don’t want an operation to be called, can’t I simply leave it out or put it behind a firewall?
To answer this question, we need to know what exactly we need to secure. API security spans several security disciplines: information security, network security, and application security.
Information security is concerned with protecting sensitive data. Each endpoint is an operation applied to one or more objects, and an operation on a given object may be accessible only to a group of users holding a particular role.
People with different roles can sit in the same room sharing the same Wi-Fi, so simply blocking traffic at the network level is not an adequate solution. Some form of authentication and authorization needs to happen when the API receives a request from a client.
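The request-time check described above, as an added example that is not part of the original article: a simulated endpoint first authenticates the caller from an HMAC-signed token and then authorizes the requested (operation, object) pair against the caller’s role. The secret key, the user store, the permission table, and the `handle_request` function are all constructed for this illustration; a real API would issue tokens from an identity provider and load roles from a database.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed for this example; never hard-code a real signing key.
SECRET_KEY = b"example-secret-do-not-use-in-production"

# Constructed user store: username -> role.
USERS = {
    "alice": {"role": "admin"},
    "bob": {"role": "viewer"},
}

# Constructed permission table: role -> set of (operation, object) pairs it may call.
PERMISSIONS = {
    "admin": {("read", "weather"), ("read", "customer"), ("delete", "customer")},
    "viewer": {("read", "weather")},
}


def sign(username: str) -> str:
    """Issue a token of the form 'username:hexmac', signed with HMAC-SHA256."""
    mac = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{mac}"


def authenticate(token: str) -> Optional[str]:
    """Return the username if the token's signature is valid, otherwise None."""
    username, _, mac = token.partition(":")
    if not username or username not in USERS:
        return None
    expected = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time so a forged MAC cannot be guessed
    # byte by byte from response timing.
    if not hmac.compare_digest(expected, mac):
        return None
    return username


def authorize(username: str, operation: str, obj: str) -> bool:
    """Allow the call only if the user's role is granted this operation on this object."""
    role = USERS[username]["role"]
    return (operation, obj) in PERMISSIONS.get(role, set())


def handle_request(token: str, operation: str, obj: str) -> Tuple[int, str]:
    """Simulated endpoint: authenticate, then authorize, then perform the operation.

    Returns an (HTTP status, body) pair. 401 means the caller could not be
    identified; 403 means the caller is known but lacks the required role.
    """
    user = authenticate(token)
    if user is None:
        return 401, "unauthenticated"
    if not authorize(user, operation, obj):
        return 403, "forbidden"
    return 200, f"{operation} {obj} by {user}"


if __name__ == "__main__":
    print(handle_request(sign("alice"), "delete", "customer"))  # admin may delete
    print(handle_request(sign("bob"), "read", "customer"))      # viewer may not
    print(handle_request("bob:0000", "read", "weather"))        # bad signature
```

The two checks are deliberately separate: authentication answers "who is calling?" and authorization answers "may this caller do this to this object?", and a client on the same Wi-Fi as an admin still gets a 403 because the decision is tied to the verified identity, not to the network path.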
The difference between authentication and authorization…