Presented by Vivek Thuravupala, Software Engineer @ Postman, at a joint meetup at Walmart on 28th April, BLR.
Abstract: We'll talk about the exploding usage of APIs and why security shouldn't be an afterthought when it comes to designing and building APIs. We'll also run through some concrete examples illustrating common pitfalls encountered while designing and building them.
About the speaker: Vivek builds stuff for the web, and he's been swimming around in various tech ponds since he was a kid. At Postman, he keeps an eye on a bunch of the user-facing products.
8. Client -> Application & API -> Data-source
Client: API consumption & presentation
Application & API: collation, transformation, ...
Data-source: database, cache, 3rd-party API, etc.
9. Let’s build a GitHub proxy API!
11. Planning
! Why build this API? Public consumption of private resources
! Who is your consumer? An open public-facing website
! What can they do with your API? Fetch activity frequency
27. Security Blanket: Set-Cookie flags
! Secure
○ Transmit only over HTTPS
! HttpOnly
○ Disallow access via JS
! SameSite (Chrome, Opera)
○ Useful against CSRF
Browser support: Chrome 1+, Edge, FF 3+, IE 9, Safari 5+
Reference: MDN
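As an added example (not part of the talk), the three flags from this slide as they appear on the wire, plus a small audit function that reports which protections a given Set-Cookie value is missing. Plain Node.js, no framework; the cookie name, value and lifetimes are constructed sample input.

```javascript
// Added example, not from the original slides: build and audit Set-Cookie
// values carrying the Secure, HttpOnly and SameSite flags.

// Build a Set-Cookie header value for a session cookie. Secure and HttpOnly
// are always emitted; SameSite defaults to Lax. A browser that does not
// understand SameSite (older ones, as the slide notes) ignores that attribute
// and still honours Secure + HttpOnly.
function buildSessionCookie(name, value, { sameSite = 'Lax', maxAgeSeconds = 3600, path = '/' } = {}) {
  // Cookie names are RFC 6265 tokens; reject anything else early.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error('SameSite must be Strict, Lax or None');
  }
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    'Secure',
    'HttpOnly',
    `SameSite=${sameSite}`,
  ];
  return parts.join('; ');
}

// Audit an existing Set-Cookie value and return the list of missing flags,
// so a test suite or an outgoing response policy can flag weak cookies.
function auditSetCookie(headerValue) {
  // Everything after the first "name=value" pair is an attribute.
  const attrs = headerValue
    .split(';')
    .slice(1)
    .map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Constructed sample usage.
const sampleCookie = buildSessionCookie('sid', 'abc 123');
console.log(sampleCookie);
console.log('missing flags:', auditSetCookie('sid=abc; Path=/'));
```

`auditSetCookie` is the piece worth wiring into CI: run it over every Set-Cookie header your API emits in integration tests and fail the build when the list is non-empty.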
28. Security Blanket: response headers
! CSP
! X-XSS-Protection
! X-Content-Type-Options
! Referrer-Policy
! Subresource Integrity
Just to note: these matter if you’re serving a UI and not just an API.
Reference: MDN
43. Security Blanket: Architecture as a forcing function
“A forcing function is an aspect of a design that prevents the user from taking an action without consciously considering information relevant to that action.”
Reference: Interaction Design Foundation
45. Architecture as a forcing function
Incoming Request -> Controller -> Outgoing Policy -> Response
Controller: application logic; doesn’t have to worry about headers at all.
Outgoing Policy: adds all security headers by default; can be configured with a list if necessary.
Response: has the headers by default; it’s more work to get rid of them.
46. Wrapping up
! Guidelines, not rules
! Do your own research
! Security comes in layers