Securing Your API
Jason Austin - @jason_austin - jfaustin@gmail.com

Thursday, May 26, 2011
A Quick Rundown

• API overview
• API methodologies
• Security methodologies
• Best practices

API vs. Web Service

• API = Application Programming Interface
• Web Service = API that operates over HTTP
• In this presentation, API == Web Service

Why Create An API

• Extend your product reach
• Encourage mashups
• Expose your data programmatically
• Connect with developers

API Success Stories

• Twitter
• Foursquare
• Facebook

Popular Methodologies

• REST
• XML-RPC
• SOAP
REST Service

• Representational State Transfer
• Architecture, not a standard
• HTTP-based

RESTful

• Client-Server
• Self-contained Requests (Stateless)
• Cacheable
• Named, Layered Resources
  http://brewerydb.com/api/breweries/2324
  http://brewerydb.com/api/beers/435

REST over HTTP

• GET - Read-only, for retrieving information
• POST - Creating a new resource
• PUT - Updating an existing resource
• DELETE - Deleting an existing resource

REST Security

• None built in
• Encryption over HTTPS
• Left to the implementer
• Error handling left to the implementer
SOAP Service

• Simple Object Access Protocol
• XML-based
• Uses GET for read, POST for write
• W3C Specification for sending and receiving messages

SOAP Security

• Nothing provided in spec
• WS-Security
  • Extension to SOAP spec
  • Provided as a guide for securing SOAP services

WS-Security

• Guidelines for solving 3 problems
  • Identify and authenticate a client
  • Ensure integrity of the message
  • Curtail eavesdropping while in transit
• Defines mechanisms as opposed to actual protocols
• http://www.oasis-open.org/committees/wss/
XML-RPC Service

• XML Remote Procedure Call
• XML-based
• Uses HTTP-POST
• Spec published by UserLand Software in ~1998

XML-RPC

• Uses XML to specify a method and parameters
• Simple data structures, no objects
  • Arrays and Structs most complex

XML-RPC Security

• None in the spec
• Encryption over HTTPS
• Security left to the implementer
• Error handling - <fault> base response element

Security Mechanisms

• OAuth
• BasicAuth
• API Keys
OAuth 1.0

Think of it as a valet key for your internet accounts...

• Open standard for API access delegation
• RFC 5849 - The OAuth 1.0 Protocol
  • Published April 2010

OAuth 1.0 Players

• Service Provider (Server) - Has the information you want
• Consumer (Client) - Wants the information from the Service Provider
• User (Resource Owner) - Can grant the Consumer access to acquire information about the User's account from the Service Provider

Benefits of OAuth 1.0

• Applications don’t need a user’s password
• Power in the hands of the user
• Secure handshake
• Doesn’t require SSL
• Many libraries available

OAuth 1.0 Pitfalls

• Signatures based on complex cryptography
• Server-side implementation is complex

OAuth - Roll Your Own

• Consumer Registration and Management
• User pass-through, grant access
• Consumer access management by User
• Token storage and generation
• 2-legged vs. 3-legged

OAuth 2.0 - Coming Soon

• Removes signature requirement except on token acquisition
• Requires SSL
• Single security token, no signature required
• Guidelines for use with Javascript and applications with no web browser

More Info on OAuth

• OAuth Spec
  http://oauth.net/
• OAuth 2.0 Information
  http://oauth.net/2/
• Lorna’s OAuth Blog Series
  http://www.lornajane.net/
BasicAuth

• Passes a username and password with the request
• Defined by the HTTP specification

BasicAuth Do’s

• SSL is a must
  • Username / Password is transmitted in cleartext
    • Base64 encoded, but not encrypted
• Basic > Digest
  • Basic assumes authentication is required
  • Digest requires extra transfer for nonce

BasicAuth Pros

• Client requests are easy
  • Part of nearly every HTTP request library
• Server setup is easy
  • Use existing BasicAuth credentials

BasicAuth Cons

• Requires a username and password for a user
• Credentials are not, by default, encrypted
• Requires username and password to be embedded in client code
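An added Python example, not from the slides, of a server-side BasicAuth check. It shows why the "SSL is a must" point holds: the Authorization header is only base64-encoded, so decoding it recovers the username and password unchanged. The server therefore refuses credentials that arrive over plain HTTP, and compares the password against a salted hash in constant time rather than storing it in cleartext. The user "alice", her password and the layout of the credential store are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed credential store (hypothetical user "alice"; not from the slides).
# Passwords are kept as salted PBKDF2 hashes, never in cleartext.
PBKDF2_ITERATIONS = 100_000


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


USERS = {"alice": make_record("correct horse battery staple")}


def build_basic_header(username: str, password: str) -> str:
    """Client side: what an HTTP library puts in the Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic ...' value, or
    None if it is malformed. Base64 is an encoding, not encryption: this is the
    same step anyone reading a plain-HTTP connection could perform."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:  # RFC 7617: the user-id cannot contain ':', the password may
        return None
    username, _, password = raw.partition(":")
    return username, password


def authenticate(header: str, over_https: bool) -> bool:
    """Server side. Refuses credentials sent over plain HTTP, then verifies the
    password against the stored hash with a constant-time comparison."""
    if not over_https:
        return False
    creds = decode_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    record = USERS.get(username)
    if record is None:
        # Unknown user: do the same amount of work so response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])
```

`decode_basic_header("Basic YWxpY2U6c2VjcmV0")` returns `("alice", "secret")` with no key involved, which is the whole of the "encoded, but not encrypted" point; the `over_https` flag stands in for whatever your framework exposes about the connection.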
Access Keys

• Not based on any standard
• Implementation requirements are up to the service provider
• Keys -> signatures

Access Key Basics

• Part of URL
  http://pintlabs.com/api?key=23sdbk32
• Sign request with key instead of passing it in URL
  • Use params + shared secret as signature
Signed Request Workflow

[Figure: signed request workflow. The client starts with the query ?key=val, signs it with the shared secret vje48hvn4 and sends ?key=val&signature=23kcwej323. The server takes the received ?key=val, signs it with the same secret vje48hvn4, obtains 23kcwej323 and compares it (==) with the signature it received.]
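The workflow on the slide, as an added Python example that is not part of the original deck. The key "val" and the shared secret "vje48hvn4" are the values shown on the slide; HMAC-SHA256 as the signing function, the sorted canonical form of the parameters, and the timestamp check that limits replay of a captured signed URL are assumptions of this example, not something the slide specifies.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed key store: API key -> shared secret. The key "val" and the secret
# "vje48hvn4" are the values on the workflow slide; the store itself is assumed.
SECRETS = {"val": "vje48hvn4"}


def canonical_query(params: dict) -> str:
    """The string both sides agree to sign: every parameter except the signature
    itself, sorted by name and percent-encoded, so parameter order cannot matter."""
    items = sorted((k, v) for k, v in params.items() if k != "signature")
    return urlencode(items)


def compute_signature(params: dict, secret: str) -> str:
    """HMAC-SHA256 over the canonical query with the shared secret as the key.
    (The slide shows an opaque signature value; the MAC choice is ours.)"""
    mac = hmac.new(secret.encode("utf-8"), canonical_query(params).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def sign_request(params: dict, secret: str, now: Optional[int] = None) -> str:
    """Client side: stamp the request with the current time (an assumed addition
    that limits replay of a captured URL) and append the signature."""
    signed = dict(params)
    signed["ts"] = str(int(time.time()) if now is None else now)
    signed["signature"] = compute_signature(signed, secret)
    return urlencode(sorted(signed.items()))


def verify_request(query: str, now: Optional[int] = None, max_skew: int = 300) -> bool:
    """Server side: find the secret for the presented key, recompute the
    signature over the parameters actually received, and compare in constant
    time. Any altered, added or removed parameter changes the recomputed value."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    key = params.get("key")
    presented = params.get("signature")
    secret = SECRETS.get(key) if key is not None else None
    if secret is None or presented is None:
        return False
    try:
        ts = int(params.get("ts", ""))
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > max_skew:
        return False
    expected = compute_signature(params, secret)
    return hmac.compare_digest(expected, presented)
```

The secret never travels with the request; only the key (an identifier) and the signature do, which is what lets a signed scheme work without SSL for confidentiality of the credential while still detecting parameter tampering. The timestamp window is the extra step a practitioner would want, since without it a signed URL captured from a log or a plain-HTTP connection stays valid indefinitely.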
Access Keys Pros

• Easy to generate keys and distribute them
• Typically removes the need to transfer username and password in raw form
• Signed requests prevent altering parameters

Access Keys Cons

• Unsigned
  • Must embed them in code
  • SSL is not required, so keys will (by default) transfer in plaintext
• Signed
  • Encryption is scary....ish

Best Practices for Keys

• Use signed requests over unsigned
• One key per application per developer
• Require username in headers

General Best Practices

• Rate Limiting
• Access Control
• Error Handling
• SSL Layer
• API Domain

“Stupid is as Stupid Does” - Gump
Rate-Limiting

• Keeps API access in check
• Authenticated and Unauthenticated calls should be subject to rate limiting
• Best practice
  • Have a standard, application wide rate limit
  • Allow that limit to be overridden on a per user, per application basis

Rate-Limiting Best Practices

• Authenticated
  • Have a standard, application wide rate limit
  • Allow that limit to be overridden on a per user, per application basis
• Unauthenticated
  • Based on domain or IP address
  • Allow limit to be overridden as well
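An added Python example, not from the deck, of the rate-limiting policy on these two slides: an application-wide default for authenticated calls, a separate default keyed by IP address for unauthenticated calls, and overrides per application, per user and per IP. The limits, user and application names and addresses are constructed; the sliding-window algorithm and the 429/Retry-After response are this example's choices.

```python
import time
from collections import defaultdict, deque
from typing import Optional, Tuple

# Constructed policy: (requests, window_seconds). The numbers are made up.
DEFAULT_AUTH_LIMIT = (1000, 3600)   # application-wide default for authenticated calls
DEFAULT_ANON_LIMIT = (100, 3600)    # default for unauthenticated calls, keyed by IP
# Overrides keyed by ("app", name), ("user", name) or ("ip", address).
OVERRIDES = {
    ("user", "alice"): (5000, 3600),
    ("app", "partner-dashboard"): (20000, 3600),
    ("ip", "203.0.113.10"): (10, 3600),  # a noisy anonymous source, throttled harder
}


class RateLimiter:
    """Sliding-window limiter: a call is allowed while fewer than `limit`
    calls from the same bucket fall inside the trailing `window` seconds."""

    def __init__(self) -> None:
        self._hits = defaultdict(deque)  # bucket -> timestamps of counted calls

    @staticmethod
    def _policy(user: Optional[str], app: Optional[str], ip: str):
        if user is None and app is None:
            bucket = ("ip", ip)
            return bucket, OVERRIDES.get(bucket, DEFAULT_ANON_LIMIT)
        bucket = ("auth", user, app)
        # Most specific override wins: application, then user, then the default.
        for key in (("app", app), ("user", user)):
            if key in OVERRIDES:
                return bucket, OVERRIDES[key]
        return bucket, DEFAULT_AUTH_LIMIT

    def check(self, ip: str, user: Optional[str] = None, app: Optional[str] = None,
              now: Optional[float] = None) -> Tuple[bool, int, int]:
        """Return (allowed, remaining, retry_after_seconds); counts the call if allowed."""
        now = time.time() if now is None else now
        bucket, (limit, window) = self._policy(user, app, ip)
        hits = self._hits[bucket]
        while hits and hits[0] <= now - window:
            hits.popleft()  # drop calls that have left the window
        if len(hits) >= limit:
            retry_after = int(hits[0] + window - now) + 1
            return False, 0, retry_after
        hits.append(now)
        return True, limit - len(hits), 0


def response_for(allowed: bool, remaining: int, retry_after: int) -> Tuple[int, dict]:
    """HTTP status and headers a handler would attach: 429 plus Retry-After on rejection."""
    headers = {"X-RateLimit-Remaining": str(remaining)}
    if allowed:
        return 200, headers
    headers["Retry-After"] = str(retry_after)
    return 429, headers
```

In a real deployment the per-bucket state lives in a shared store rather than in process memory, so that every API node enforces the same count; the override lookup order is the part that matters for the slides' point, since it is what lets one partner application or one abusive IP be handled without touching the global default.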
Access Control

• Treat API endpoints just like service endpoints in your application
• Have a standard API access policy site wide
  • Allow override on a per-user, per-application basis.
• Allows you to roll out features to a select group or user
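An added Python example (not the author's code) of the access-control model on this slide: a site-wide default permission set, per-user and per-application overrides, and a feature rolled out only to one group. Routes are mapped to permissions with the REST verb rules from the earlier slides (GET reads; POST, PUT and DELETE write). All users, applications, groups and endpoint names are hypothetical.

```python
from typing import Optional, Set

# Constructed policy data; every name here is hypothetical.
# Site-wide default: what any authenticated caller may do.
SITE_DEFAULT = {"breweries.read", "beers.read"}

# Per-user and per-application overrides add to or remove from the default.
USER_OVERRIDES = {"alice": {"grant": {"beers.write"}, "revoke": set()}}
APP_OVERRIDES = {"legacy-widget": {"grant": set(), "revoke": {"beers.read"}}}

# Feature rollout: a permission handed only to a select group while in beta.
ROLLOUT = {"search.read": {"beta-testers"}}
USER_GROUPS = {"alice": {"beta-testers"}, "bob": set()}


def required_permission(method: str, path: str) -> Optional[str]:
    """Map an API route to the permission it needs, using the REST verb rules
    from the slides: GET reads, POST/PUT/DELETE write. Unknown routes map to
    None and are therefore denied."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    if len(parts) < 2 or parts[0] != "api":
        return None
    if method == "GET":
        action = "read"
    elif method in ("POST", "PUT", "DELETE"):
        action = "write"
    else:
        return None
    return f"{parts[1]}.{action}"


def effective_permissions(user: str, app: str) -> Set[str]:
    """Start from the site-wide default, apply the user override, then the
    application override (so an application-level revoke wins), then any
    rollout the user's groups qualify for."""
    perms = set(SITE_DEFAULT)
    for override in (USER_OVERRIDES.get(user), APP_OVERRIDES.get(app)):
        if override:
            perms |= override["grant"]
            perms -= override["revoke"]
    groups = USER_GROUPS.get(user, set())
    for perm, allowed_groups in ROLLOUT.items():
        if groups & allowed_groups:
            perms.add(perm)
    return perms


def authorize(user: str, app: str, method: str, path: str) -> bool:
    """Deny by default: a route with no mapped permission is never allowed."""
    needed = required_permission(method, path)
    return needed is not None and needed in effective_permissions(user, app)
```

The check runs per request after authentication, the same way a service endpoint inside the application would be guarded; keeping the decision in one function makes the "roll out to a select group" case a data change (add a group to ROLLOUT) rather than a code change in each endpoint.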
Error Handling

• Set appropriate HTTP headers
• Provide viable, valid error messages
• Log errors for the API too
• Have a standard error response object for all methods, including authentication

SSL Layer

• Encrypts all traffic to and from your API
• Can cause performance hit
  • ~10-15% in trials
• Depending on protocol, should be a requirement

API Domain

• Use sub-domain
  • Can move to separate web server
  • Handle traffic requirements

Questions?

Jason Austin - @jason_austin - jfaustin@gmail.com
http://joind.in/3427
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Kürzlich hochgeladen (20)

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

Securing Your API

  • 1. Securing Your API Jason Austin - @jason_austin - jfaustin@gmail.com Thursday, May 26, 2011
  • 2. A Quick Rundown
    • API overview
    • API methodologies
    • Security methodologies
    • Best practices
  • 3. API vs. Web Service
    • API = Application Programming Interface
    • Web Service = API that operates over HTTP
    • In this presentation, API == Web Service
  • 4. Why Create An API
    • Extend your product reach
    • Encourage mashups
    • Expose your data programmatically
    • Connect with developers
  • 5. API Success Stories
    • Twitter
    • Foursquare
    • Facebook
  • 6. Popular Methodologies
    • REST
    • XML-RPC
    • SOAP
  • 7. REST Service
    • Representational State Transfer
    • Architecture, not a standard
    • HTTP-based
  • 8. RESTful
    • Client-Server
    • Self-contained requests (stateless)
    • Cacheable
    • Named, layered resources, e.g. http://brewerydb.com/api/breweries/2324 and http://brewerydb.com/api/beers/435
  • 9. REST over HTTP
    • GET - read-only, for retrieving information (must have no side effects)
    • POST - creating a new resource
    • PUT - updating (replacing) an existing resource
    • DELETE - deleting an existing resource
  • 10. REST Security
    • None built in to the architecture
    • Transport encryption comes from HTTPS
    • Authentication and authorization are left to the implementer
    • Error handling is left to the implementer too
  • 11. SOAP Service
    • Simple Object Access Protocol
    • XML-based
    • Normally carried over HTTP POST (SOAP 1.2 also permits GET for read-only operations)
    • W3C specification for sending and receiving messages
  • 12. SOAP Security
    • Nothing provided in the SOAP spec itself
    • WS-Security: an OASIS standard that extends SOAP
    • Defines SOAP header elements for securing messages rather than a complete protocol
  • 13. WS-Security
    • Mechanisms for solving three problems
      • Identify and authenticate a client (security tokens)
      • Ensure integrity of the message (XML Signature)
      • Prevent eavesdropping while in transit (XML Encryption)
    • Works at the message level, so the protection survives SOAP intermediaries, unlike TLS, which covers only one hop
    • Defines mechanisms as opposed to actual protocols
    • http://www.oasis-open.org/committees/wss/
  • 14. XML-RPC Service
    • XML Remote Procedure Call
    • XML-based
    • Uses HTTP POST
    • Spec published by UserLand Software in ~1998
  • 15. XML-RPC
    • Uses XML to specify a method and its parameters
    • Simple data structures, no objects
    • Arrays and structs are the most complex types
  • 16. XML-RPC Security
    • None in the spec
    • Encryption over HTTPS
    • Security left to the implementer
    • Error handling: the <fault> element of the methodResponse
  • 17. Security Mechanisms
    • OAuth
    • BasicAuth
    • API Keys
  • 18. OAuth 1.0
    • Think of it as a valet key for your internet accounts...
    • Open standard for API access delegation
    • RFC 5849 - The OAuth 1.0 Protocol, published April 2010
  • 19. OAuth 1.0 Players
    • Service Provider (Server) - has the information you want
    • Consumer (Client) - wants the information from the Service Provider
    • User (Resource Owner) - grants the Consumer access to the User's account data at the Service Provider
  • 21. Benefits of OAuth 1.0
    • Applications don't need a user's password
    • Power in the hands of the user
    • Secure handshake
    • Doesn't require SSL for every call: the HMAC-SHA1 signature protects request integrity (the token exchange itself should still use TLS, or the token secret is exposed in transit)
    • Many libraries available
  • 22. OAuth 1.0 Pitfalls
    • The signature is only HMAC-SHA1 (or RSA-SHA1), but constructing the signature base string (parameter normalization, double percent-encoding) is error-prone
    • Server-side implementation is complex
  • 23. OAuth - Roll Your Own
    • Consumer registration and management
    • User pass-through, grant access
    • Consumer access management by the User
    • Token storage and generation
    • 2-legged vs. 3-legged
  • 24. OAuth 2.0 - Coming Soon
    • Drops request signing in favour of a single bearer token
    • Requires SSL/TLS on every request, since the token is the only credential
    • Defines flows for JavaScript-only clients and for applications without a web browser
    • (Later published as RFC 6749 in October 2012)
  • 25. More Info on OAuth
    • OAuth Spec http://oauth.net/
    • OAuth 2.0 Information http://oauth.net/2/
    • Lorna's OAuth Blog Series http://www.lornajane.net/
  • 26. BasicAuth
    • Passes a username and password with every request
    • Defined by the HTTP authentication spec (RFC 2617, now RFC 7617)
  • 27. BasicAuth Do's
    • SSL is a must: the username/password are transmitted in cleartext (Base64 encoded, but not encrypted)
    • Basic > Digest once TLS is in place
      • Basic assumes authentication is required and completes in one round trip
      • Digest requires an extra exchange to fetch the server nonce, and the server must keep a password-derived value (MD5 of user:realm:password) that can itself be replayed if the store leaks
  • 28. BasicAuth Pros
    • Client requests are easy
    • Part of nearly every HTTP request library
    • Server setup is easy
    • Use existing BasicAuth credentials
  • 29. BasicAuth Cons
    • Requires a username and password for a user
    • Credentials are not, by default, encrypted
    • Username and password end up embedded in client code or configuration
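What the BasicAuth slides describe, as an added Python example that is not part of the original slides: parse the Authorization header, refuse to look at credentials unless the connection is TLS, compare the password against a salted PBKDF2 hash in constant time, and run the same hash work for unknown usernames so response timing does not reveal which accounts exist. The user store, the password, the iteration count, the helper names and the status codes are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption: tune for your hardware


def make_password_record(password: str) -> dict:
    """Salted PBKDF2-SHA256 record; the plaintext password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed user store for this example (not a real account).
USERS = {"alice": make_password_record("correct horse battery staple")}

# Dummy record so that an unknown username costs the same PBKDF2 work as a
# known one: response timing then does not reveal which usernames exist.
_DUMMY = make_password_record(secrets.token_hex(16))


def basic_header(username: str, password: str) -> str:
    """Client side: build the Authorization value. Base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(header_value: str):
    """Return (username, password) from an 'Authorization: Basic ...' value,
    or None when the header is malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':', but the password may, so split once.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def authenticate(headers: dict, is_tls: bool):
    """Server side: return (http_status, username or None).

    403 without TLS: the credentials would cross the wire in cleartext, so they
    are not even inspected. 401 carries the challenge; 400 is a malformed header.
    """
    if not is_tls:
        return 403, None
    header = headers.get("Authorization")
    if header is None:
        return 401, None
    parsed = parse_basic_header(header)
    if parsed is None:
        return 400, None
    username, password = parsed
    record = USERS.get(username, _DUMMY)
    ok = verify_password(record, password)  # always runs, even for unknown users
    if ok and username in USERS:
        return 200, username
    return 401, None
```

The `is_tls` flag stands in for whatever your framework exposes (the request scheme, or a trusted `X-Forwarded-Proto` header behind a load balancer); the point is that the password check never runs on a plaintext connection.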
  • 30. Access Keys
    • Not based on any standard
    • Implementation requirements are up to the service provider
    • Keys can be passed as-is, or used to sign requests
  • 31. Access Key Basics
    • Part of the URL: http://pintlabs.com/api?key=23sdbk32
    • Better: use the key to sign the request rather than sending a bare secret in the URL
    • Use the request params + a shared secret to compute the signature
  • 32. Signed Request Workflow (diagram)
    • Client: starts from the request params (?key=val), signs them with the shared secret (vje48hvn4) and sends ?key=val&signature=23kcwej323
    • Server: looks up the same shared secret (vje48hvn4) for that key, re-signs the received params (?key=val) and compares: 23kcwej323 == 23kcwej323
  • 33. Access Keys Pros
    • Easy to generate keys and distribute them
    • Typically removes the need to transfer a username and password in raw form
    • Signed requests prevent altering of parameters in transit
  • 34. Access Keys Cons
    • Unsigned
      • Must be embedded in code
      • SSL is not required, so the key will (by default) transfer in plaintext
    • Signed
      • Signing is scary....ish: client and server must canonicalize and hash the request identically, and a mismatch is hard to debug
  • 35. Best Practices for Keys
    • Use signed requests over unsigned
    • One key per application per developer
    • Require the username in headers
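The signed-request workflow of slides 31 to 35 carried through in Python, as an added example that is not the presenter's code. Both sides build the same canonical string from the method, path and sorted parameters, the client adds a timestamp and nonce before signing, and the server recomputes the HMAC with the secret stored for that key id and compares in constant time. The key id 23sdbk32 and secret vje48hvn4 are the slides' sample values; the canonical-string layout, the replay window, the `Verifier` class and the key store are assumptions of this example, and the scheme is a simplified HMAC design rather than OAuth 1.0.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode

# Constructed key store: one key per application per developer (slide 35).
# Only the key id travels on the wire; the secret is used to sign and verify.
API_KEYS = {
    "23sdbk32": {"secret": "vje48hvn4", "app": "pintlabs-mobile", "developer": "alice"},
}

REPLAY_WINDOW_SECONDS = 300  # assumption: how much clock skew to tolerate


def canonical_string(method: str, path: str, params: dict) -> str:
    """The exact text both sides sign: method, path, and the sorted,
    percent-encoded parameters, excluding the signature itself.
    Parameter values must be strings so both ends encode identically."""
    items = sorted((k, v) for k, v in params.items() if k != "signature")
    return f"{method.upper()}\n{path}\n{urlencode(items)}"


def sign(method: str, path: str, params: dict, secret: str) -> str:
    msg = canonical_string(method, path, params).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def client_sign_request(method, path, params, key_id, secret, now=None) -> str:
    """Client side: add key id, timestamp and nonce, sign, return the query string."""
    signed = dict(params)
    signed["key"] = key_id
    signed["ts"] = str(int(time.time() if now is None else now))
    signed["nonce"] = secrets.token_hex(8)
    signed["signature"] = sign(method, path, signed, secret)
    return urlencode(sorted(signed.items()))


class Verifier:
    """Server side. `now` is an injectable clock for tests; the nonce set would
    live in a shared store with a TTL (e.g. a cache) in a real deployment."""

    def __init__(self, keys: dict, now=None):
        self.keys = keys
        self.now = now
        self.seen_nonces = set()

    def verify(self, method: str, path: str, query_string: str):
        """Return (ok, reason_or_developer). Cheap checks run first, the HMAC
        last, and the nonce is recorded only once the signature is good."""
        params = dict(parse_qsl(query_string, keep_blank_values=True))
        record = self.keys.get(params.get("key", ""))
        if record is None:
            return False, "unknown key"
        try:
            ts = int(params.get("ts", ""))
        except ValueError:
            return False, "bad timestamp"
        now = time.time() if self.now is None else self.now
        if abs(now - ts) > REPLAY_WINDOW_SECONDS:
            return False, "timestamp outside window"
        nonce = params.get("nonce", "")
        if not nonce or (params["key"], nonce) in self.seen_nonces:
            return False, "replayed nonce"
        expected = sign(method, path, params, record["secret"])
        presented = params.get("signature", "")
        if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")):
            return False, "bad signature"
        self.seen_nonces.add((params["key"], nonce))
        return True, record["developer"]
```

Because the method and path are part of the canonical string, a captured signature cannot be re-used against a different endpoint, and the timestamp plus nonce close the replay window that a bare "params + secret" signature leaves open.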
  • 36. General Best Practices
    • Rate limiting
    • Access control
    • Error handling
    • SSL layer
    • API domain
    • "Stupid is as Stupid Does" - Gump
  • 37. Rate-Limiting
    • Keeps API access in check
    • Authenticated and unauthenticated calls should both be subject to rate limiting
    • Best practice: have a standard, application-wide rate limit, and allow it to be overridden on a per-user, per-application basis
  • 38. Rate-Limiting Best Practices
    • Authenticated
      • Have a standard, application-wide rate limit
      • Allow that limit to be overridden on a per-user, per-application basis
    • Unauthenticated
      • Based on domain or IP address
      • Allow the limit to be overridden as well
  • 39. Access Control
    • Treat API endpoints just like the service endpoints in your application
    • Have a standard API access level site-wide
    • Allow overrides on a per-user, per-application basis
    • Lets you roll out features to a select group or user
  • 40. Error Handling
    • Set appropriate HTTP status codes and headers
    • Provide viable, valid error messages (without leaking stack traces or internals)
    • Log errors for the API too
    • Have a standard error response object for all methods, including authentication
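The rate-limiting advice of slides 37 and 38 and the standard error object of slide 40, as one added Python example that is not from the slides: a sliding-window limiter keyed per application for authenticated calls and per IP address for anonymous ones, an application-wide default that an override table can raise or lower per principal, and a single error-object shape that the 429 response shares with authentication failures. The limits, the override entries, the IP address, the JSON layout and the function names are all assumptions for illustration.

```python
import time
from collections import deque

# Constructed defaults: an application-wide limit (slide 37), overridable per
# app for authenticated calls and per IP for unauthenticated ones (slide 38).
DEFAULT_LIMITS = {
    "authenticated": (1000, 3600),   # 1000 requests per hour
    "unauthenticated": (100, 3600),  # 100 requests per hour
}
OVERRIDES = {
    ("app", "pintlabs-mobile"): (5000, 3600),  # a trusted first-party app
    ("ip", "203.0.113.7"): (10, 3600),         # an abusive address, throttled hard
}


def error_response(status: int, code: str, message: str, **extra) -> tuple:
    """One error object for every endpoint, including authentication (slide 40).
    Returns (status, headers, body) so the caller can serialize as it likes."""
    body = {"error": {"code": code, "message": message, **extra}}
    headers = {"Content-Type": "application/json"}
    if status == 401:
        headers["WWW-Authenticate"] = 'Basic realm="api"'
    return status, headers, body


class SlidingWindowLimiter:
    """Per-principal sliding window. A principal is ("app", app_id) for an
    authenticated call or ("ip", address) for an anonymous one."""

    def __init__(self, defaults=DEFAULT_LIMITS, overrides=OVERRIDES, clock=time.time):
        self.defaults, self.overrides, self.clock = defaults, overrides, clock
        self.hits = {}  # principal -> deque of request timestamps

    def limit_for(self, principal) -> tuple:
        if principal in self.overrides:
            return self.overrides[principal]
        kind = "authenticated" if principal[0] == "app" else "unauthenticated"
        return self.defaults[kind]

    def check(self, principal) -> tuple:
        """Record one request; return (allowed, remaining, retry_after_seconds)."""
        max_requests, window = self.limit_for(principal)
        now = self.clock()
        q = self.hits.setdefault(principal, deque())
        while q and q[0] <= now - window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= max_requests:
            retry_after = int(q[0] + window - now) + 1
            return False, 0, retry_after
        q.append(now)
        return True, max_requests - len(q), 0


def handle_request(limiter: SlidingWindowLimiter, app_id=None, client_ip=None) -> tuple:
    """Gate a request before any business logic runs. The 200 body is a placeholder."""
    principal = ("app", app_id) if app_id else ("ip", client_ip)
    allowed, remaining, retry_after = limiter.check(principal)
    if not allowed:
        status, headers, body = error_response(
            429, "rate_limited", "Too many requests", retry_after=retry_after
        )
        headers["Retry-After"] = str(retry_after)
        return status, headers, body
    return 200, {"X-RateLimit-Remaining": str(remaining)}, {"ok": True}
```

In production the `hits` table belongs in a shared store (a cache with expiring keys) so that every web node enforces the same count, and the per-IP branch should only trust the client address after stripping anything an untrusted proxy could have set.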
  • 41. SSL Layer
    • Encrypts all traffic to and from your API
    • Can cause a performance hit: ~10-15% in trials
    • Depending on the mechanism, it should be a requirement: mandatory for BasicAuth, OAuth 2.0 bearer tokens and unsigned keys
  • 42. API Domain
    • Use a sub-domain
    • Can then be moved to a separate webserver
    • Handles traffic requirements separately from the main site
  • 43. Questions? Jason Austin - @jason_austin - jfaustin@gmail.com http://joind.in/3427