Learn about APIs and how to protect them from attack.
APIs play a critical role in modern application architectures, but have increasingly become a target for attackers. Learn about common API security weaknesses and explore strategies to proactively protect APIs from attack and compromise.
APIs (Application Programming Interfaces) are fundamental to the development of modern applications, as they facilitate the ability of applications to communicate and exchange data with other applications, services, or platforms. They enable businesses to easily integrate with external platforms and third-party services and build comprehensive solutions by connecting various components. This promotes a modular approach to app development that enables developers to leverage existing services and functionality, promote code reuse, accelerate development cycles, and enhance productivity. APIs are the cornerstone of modern apps given their ability to decouple and decentralize business logic and are the mechanism used to evolve traditional applications into API-based architectures.
As with just about every other aspect of computing, API technology has changed over the past 25 years as developers have searched for ways to improve performance and reliability. Both the design philosophy and data representation of APIs have evolved and along with them the way data and traffic are secured. The timeline of popular API architectures can roughly be viewed as follows:
APIs can be categorized into several types based on their accessibility, usage, and intended audience.
APIs also expand the risk surface and specifically introduce unforeseen risk due to the nature of their interdependencies across multi-cloud architectures. This is known as API sprawl and can pose an extreme threat to the security of your API ecosystem. Like web apps, APIs are susceptible to vulnerability exploits, abuse from automated threats, denial of service, misconfiguration, and attacks that bypass authentication and authorization controls.
The increasing adoption of modern microservices architectures can exacerbate API sprawl, because such architectures use large numbers of APIs for communication both to interfaces (north-south traffic) and between microservices (east-west traffic).
Tactics to fight API sprawl include:
To dive into these tactics and how to implement them, read 5 Ways to Fight API Sprawl (And Why You Should Care).
By their nature, APIs expose critical business logic and sensitive information, such as user data, authentication credentials, and financial transactions, and have increasingly become a target for attackers; in particular, the login, create account, add to cart, and money transfer functions. APIs can become entry points for attackers seeking to exploit vulnerabilities or weaknesses, or to expose underlying infrastructure and resources.
Robust API security measures are necessary to protect data from unauthorized access, manipulation, or exposure to ensure privacy and maintain the trust of users and stakeholders, as well as ensure the confidentiality, integrity, and availability of APIs.
However, since both APIs and apps are targeted by many of the same threats, security teams should consider an integrated application and API security strategy. According to the OWASP 2023 API Security Top 10, there are security risks common to both apps and APIs that bear consideration when implementing security solutions. For example:
This leads to an integrated application and API security strategy in which common functions are shared for both apps and APIs. Operating twice as many services to address the same threat or risk is inefficient and adds unneeded complexity. An integrated application and API security strategy makes better operational, financial, and architectural sense.
Key use cases for API security include the following.
Authentication and authorization are fundamental elements of API security. Authentication involves verifying the identity of users or systems trying to access an API by ensuring that the entity making the request is who it claims to be. Common authentication methods include username/password, API keys, tokens, and biometrics. Authorization determines what actions an authenticated user or system is allowed to perform within the API. This involves defining access control rules, roles, and permissions. Role-based access control (RBAC) and attribute-based access control (ABAC) are commonly used authorization models. By enforcing proper authorization checks, organizations can ensure that authenticated clients have the necessary permissions to access specific resources or perform certain actions. Granular access controls can limit access to sensitive API endpoints or data, as well as relevant objects and functions.
Open Authorization (OAuth) protocols are a key component of strong authentication and authorization practices. OAuth eliminates the need for users to share their usernames and passwords directly with third-party applications. Instead, OAuth grants access tokens that represent limited and scoped permissions, reducing the risk of credential theft and misuse. It allows API providers to define fine-grained access controls through scopes and permissions, ensuring that third-party applications can only access the specific resources and actions authorized by the user, reducing the risk of unauthorized access.
Improper implementation of authentication and authorization mechanisms can lead to multiple threats to API security, including:
Broken object level authorization. This security vulnerability occurs when an application fails to properly enforce access controls at the object or data level, allowing an attacker to manipulate or bypass authorization checks and gain unauthorized access to specific objects or data within an application. Every API endpoint that receives an ID of an object, and performs any action on the object, should implement object-level authorization checks to validate that the logged-in user has permissions to perform the requested action on the requested object.
Broken authentication. Authentication mechanisms in an API are often implemented incorrectly, allowing attackers to gain unauthorized access to user accounts or sensitive data, or perform unauthorized actions.
Broken object property level authorization. This threat occurs when an API fails to properly enforce access controls and authorization checks at the object property level. An API endpoint is vulnerable to these attacks if it exposes properties of an object that are considered sensitive and should not be read by the user, an exploit sometimes referred to as excessive data exposure. An API endpoint is also vulnerable to these attacks if it allows a user to change, add, or delete the value of a sensitive object's property, an exploit sometimes called mass assignment.
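The object-level and property-level checks described above can be compared side by side with handlers that omit them. The following is an added example, not code from the original page; the Account record, the in-memory DB and the handler names are hypothetical.

```python
from dataclasses import dataclass, asdict


@dataclass
class Account:
    id: int
    owner: str
    display_name: str
    balance: int
    is_admin: bool = False


# Constructed sample data: two accounts owned by different users.
DB = {
    1: Account(1, "alice", "Alice", 100),
    2: Account(2, "bob", "Bob", 250),
}

READABLE = {"id", "display_name", "balance"}  # properties a caller may read
WRITABLE = {"display_name"}                   # properties a caller may change


class Forbidden(Exception):
    """Raised for any request the caller is not authorized to make."""


def get_account_vulnerable(user, account_id):
    # No ownership check, and every stored property is serialized
    # (broken object level authorization plus excessive data exposure).
    return asdict(DB[account_id])


def update_account_vulnerable(user, account_id, body):
    acct = DB[account_id]
    for key, value in body.items():  # mass assignment: the client picks the fields
        setattr(acct, key, value)
    return asdict(acct)


def load_owned(user, account_id):
    """Object-level check shared by every handler that receives an account ID."""
    acct = DB.get(account_id)
    # Same error for "missing" and "not yours" so IDs cannot be enumerated.
    if acct is None or acct.owner != user:
        raise Forbidden("account not found or not permitted")
    return acct


def view(acct):
    """Property-level read filter: only allow-listed fields leave the API."""
    return {k: v for k, v in asdict(acct).items() if k in READABLE}


def get_account(user, account_id):
    return view(load_owned(user, account_id))


def update_account(user, account_id, body):
    acct = load_owned(user, account_id)
    rejected = set(body) - WRITABLE
    if rejected:  # refuse the whole request rather than silently dropping fields
        raise Forbidden(f"properties not writable: {sorted(rejected)}")
    for key, value in body.items():
        setattr(acct, key, value)
    return view(acct)
```

The user argument is assumed to come from an already authenticated session or token, never from the request body.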
JSON Web Tokens (JWTs) are an open-standard method of transferring data between two parties in a compact, self-contained, and secure manner. JWTs are widely used for token-based authentication and authorization. JWTs allow the user or client to prove their identity and authorization to the API server without the need to repeatedly send credentials (for instance, username and password) with each request, which avoids exposing sensitive information over the network. This token-based approach enhances security by minimizing the exposure window for potential attacks, such as session hijacking. JWTs can be revoked and include an expiration time, after which they become invalid. This mitigates the risk of tokens being valid indefinitely.
JWT discovery and validation are crucial mechanisms for verifying the legitimacy of JWTs to prevent unauthorized access or tampering. JWT discovery involves finding and confirming the JSON-encoded public keys or certificates used for JWT verification, while JWT validation ensures that the JWT issuer matches the expected issuer for the API. This helps confirm that the token came from a trusted source.
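The validation steps described above (signature, expected issuer, expiration) can be written as one function. This is an added example, not code from the original page. To stay self-contained it verifies a shared-secret HS256 signature with the Python standard library instead of the discovered public keys the text describes; the issuer URL, key and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}  # pinned by the API, never taken on trust from the token


class InvalidToken(Exception):
    pass


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header, claims, key):
    """Issue a token for the demo (stands in for the identity provider)."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_jwt(token, key, expected_issuer, now=None, leeway=30):
    """Return the claims if the token passes every check, else raise InvalidToken."""
    now = time.time() if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:  # rejects "none"
        raise InvalidToken("algorithm not allowed")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        raise InvalidToken("bad signature")
    if claims.get("iss") != expected_issuer:
        raise InvalidToken("unexpected issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise InvalidToken("expired or missing exp")
    return claims


def check(token, key, expected_issuer, now):
    """Return 'ok' or the rejection reason, for logging and tests."""
    try:
        validate_jwt(token, key, expected_issuer, now=now)
        return "ok"
    except InvalidToken as exc:
        return str(exc)
```

Claims are only read after the signature check succeeds, so nothing in an unverified token influences the decision beyond the pinned algorithm name.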
APIs use various encryption techniques to secure data transmitted between clients and servers, ensuring the confidentiality and integrity of the information being exchanged in transit. The primary encryption protocol used to protect API requests and responses is HTTPS, that is, HTTP over Secure Sockets Layer (SSL)/Transport Layer Security (TLS). HTTPS encrypts data in transit between the client and server, preventing eavesdropping and tampering by malicious third parties. SSL/TLS uses both asymmetric and symmetric encryption to protect the confidentiality and integrity of data-in-transit. Asymmetric encryption is used to establish a secure session between a client and a server, and symmetric encryption is used to exchange data within the secured session. This prevents attackers from viewing or tampering with data exchanged between two nodes, in this case between a client and an API server.
However, providing end-to-end encryption for "East-West" traffic, which refers to machine-to-machine API calls within a network or between different services or components within an organization's infrastructure, can be challenging as it requires the generation, distribution, and management of multiple encryption keys. Ensuring that the right keys are available at the right time for all communicating components is complex, particularly in large-scale environments, and can introduce latency and limit the scalability of end-to-end encryption implementations.
Input validation and sanitizing help to ensure that the data received from external sources, such as user inputs or APIs, is safe, reliable, and free from malicious content, helping to prevent injection attacks and other exploits. Validation rules define what is considered valid data. These rules can include data type checks (for instance, numeric, alphabetic, email format), length constraints, format requirements, and custom business logic. If input validation fails (that is, the data doesn't meet the defined criteria), the application rejects the input, preventing it from being processed further.
Input sanitization is the process of cleaning or filtering data to remove or neutralize potentially harmful or malicious content. Input validation and sanitization help protect systems from a range of attacks, particularly injection attacks. These occur when attackers insert untrusted or hostile data into command or query languages, or when user-supplied data is not validated, filtered, or sanitized by the application, leading to execution of malicious commands. Injection attacks include NoSQL, OS command, LDAP, and SQL injection attacks, and also Cross-Site Scripting (XSS), in which attackers inject malicious client-side scripts, such as JavaScript, into web pages viewed by other users.
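The effect of validation rules and of keeping user data out of the query text can be seen with an in-memory SQLite database. This is an added example, not code from the original page; the table, the username rule and the hostile input string are constructed for illustration.

```python
import re
import sqlite3

# Validation rule: type, length and format in one allow-list pattern.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_username(value):
    """Reject anything that does not meet the rule instead of trying to repair it."""
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username must be 3-20 letters, digits or underscores")
    return value


def make_db():
    # Constructed sample data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def find_user_vulnerable(db, name):
    # User input becomes part of the SQL text, so it can change the query.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def find_user_parameterized(db, name):
    # The value is bound as data; the query structure is fixed.
    return db.execute("SELECT name, email FROM users WHERE name = ?",
                      (name,)).fetchall()


def find_user(db, name):
    # Both controls together: validate first, then bind as a parameter.
    return find_user_parameterized(db, validate_username(name))
```

Validation narrows what reaches the query, but the bound parameter is what prevents injection; names that legitimately contain quotes would fail a strict pattern yet remain safe when bound.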
Rate limiting and throttling mechanisms control the rate at which clients can make requests to the API, preventing abuse or overuse of the API, limiting excessive consumption of resources, and protecting the API from potential denial-of-service (DoS) attacks.
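One common way to enforce a per-client request rate is a token bucket, which allows short bursts while holding the long-run rate fixed. This is an added example, not code from the original page; the class name, the limits and the client identifiers are hypothetical, and the clock is injectable so the behaviour can be tested deterministically.

```python
import math
import time


class TokenBucket:
    """Per-client token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self.state = {}  # client_id -> (tokens, time of last update)

    def allow(self, client_id):
        """Return (allowed, retry_after_seconds)."""
        now = self.clock()
        tokens, last = self.state.get(client_id, (self.burst, now))
        # Refill for the time elapsed since the last request, capped at burst.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.state[client_id] = (tokens - 1, now)
            return True, 0
        self.state[client_id] = (tokens, now)
        # Time until one whole token is available again.
        return False, math.ceil((1 - tokens) / self.rate)


def handle_request(limiter, client_id):
    """Return (HTTP status, headers) as a gateway or middleware would."""
    allowed, retry_after = limiter.allow(client_id)
    if allowed:
        return 200, {}
    # 429 Too Many Requests tells well-behaved clients when to retry.
    return 429, {"Retry-After": str(retry_after)}
```

The client identifier should be derived from the authenticated API key or token where possible; keying on source IP alone groups every client behind one NAT into a single bucket.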
Audit trails and logs provide visibility into API activities by capturing detailed information about API requests and responses, including who initiated the request, what endpoints were accessed, and when the requests occurred. By analyzing logs, security teams can detect unusual or suspicious patterns of API activity, such as repeated failed login attempts, unexpected data access, or abnormal traffic spikes. These anomalies can be indicative of security incidents like hacking attempts or data breaches. In the event of a security breach or suspicious activity, audit trails and logs also serve as valuable sources of forensic data.
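Detecting one of the patterns named above, repeated failed login attempts, takes only a sliding window per source. This is an added example, not code from the original page; the log format, the /login path, the thresholds and the log lines are constructed, and the lines are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines: timestamp, source, method, path, status.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 203.0.113.5 POST /login 401
2024-01-01T10:00:00Z 198.51.100.7 POST /login 401
2024-01-01T10:00:10Z 203.0.113.5 POST /login 401
2024-01-01T10:00:20Z 203.0.113.5 POST /login 401
2024-01-01T10:00:25Z 192.0.2.44 GET /orders 200
2024-01-01T10:00:30Z 203.0.113.5 POST /login 401
2024-01-01T10:00:40Z 203.0.113.5 POST /login 401
2024-01-01T10:02:00Z 198.51.100.7 POST /login 401
2024-01-01T10:04:00Z 198.51.100.7 POST /login 401
2024-01-01T10:06:00Z 198.51.100.7 POST /login 401
2024-01-01T10:08:00Z 198.51.100.7 POST /login 401
2024-01-01T10:08:05Z 198.51.100.7 POST /login 200
"""


def failed_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each source to the timestamp at which it first reached
    `threshold` failed logins inside one `window`."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the expected format
        stamp, source, method, path, status = parts
        if (method, path, status) != ("POST", "/login", "401"):
            continue
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        failures = recent[source]
        failures.append(ts)
        # Drop failures that have aged out of the window.
        while ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and source not in flagged:
            flagged[source] = stamp
    return flagged
```

The second source in the sample fails just as often but over eight minutes, which is why a count without a time window would produce a false alert.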
Security must be built into every phase of the API lifecycle – from design to development to deployment. While a discovery tool (as seen in top-down security approaches) is a necessary component, proper API security starts with the teams who are building and deploying APIs. This approach to app and API security is known as shift left, where security controls are applied early in the software development lifecycle (SDLC) and can be automated in the CI/CD pipeline.
The following best practices for API security focus on strategies and procedures to mitigate the unique vulnerabilities and security risks that APIs present.
Designing secure APIs requires robust security controls, including implementing strong authentication mechanisms to verify the identity of users and systems interacting with the API. Use authorization controls to define and enforce access rights, ensuring that only authorized entities can perform specific actions. Follow the principle of least privilege by granting users and systems the minimum permissions required to perform their tasks. Avoid excessive privileges, as they can lead to misuse or exploitation of the API. Use strong encryption, such as SSL/TLS, to protect data transmitted over the network. Validate and sanitize all input received from clients and other sources to prevent common security vulnerabilities like injection attacks.
In addition, it is critical to protect APIs from vulnerability attacks. This includes regular patch management to keep all API dependencies, libraries, and frameworks up to date to address known security weaknesses. To mitigate the risk of DDoS attacks, it’s important to implement rate limiting and throttling mechanisms to restrict the number of requests that can be made within a specified time frame. Business logic abuse is also a significant vulnerability for API security. These attacks take advantage of the underlying logic and processes of an application to achieve malicious objectives. For instance, attackers may manipulate an API's business logic to gain unauthorized access to specific functionality or resources, or exfiltrate sensitive data. Strong access controls and authorization mechanisms can help ensure that only authorized users can access specific API business logic functions.
In general, adhere to the “principle of least astonishment,” meaning when designing APIs, choose methods and conventions that are the least surprising or astonishing to the user or developer. Users of the API should have a clear understanding of how the security features work and what is expected of them. Users are less likely to make mistakes or misunderstand security features when they align with their expectations and established industry practices.
Runtime detection systems employ machine learning and behavioral analysis to establish a baseline of normal API behavior and provide alerts when the system detects deviations from this baseline. These anomalies may include unusual patterns of API requests, unexpected data flows, and unauthorized access attempts. The purpose of runtime detection is to identify and respond to security threats and vulnerabilities as they happen in real time, rather than relying on static security measures applied during development or deployment.
API gateways serve as a protective layer in an API ecosystem by providing a centralized point of control, security, and management for API traffic. They act as a security and management layer that shields the underlying API infrastructure from many common threats and operational challenges, including enforcing authentication and authorization policies, and traffic filtering, rate limiting, and throttling to prevent API abuse. Because API gateways capture detailed logs of API traffic and activities, they also provide real-time logging and monitoring capabilities, which can be critical for auditing or investigation of incidents.
Cross-Origin Resource Sharing (CORS) is a set of security policies implemented by web browsers to control and manage cross-origin (i.e., between different domains or origins) requests made by web applications using client-side technologies like JavaScript. CORS works by enforcing a set of HTTP headers that govern how a web server should respond to cross-origin requests. CORS is essential for ensuring web security while allowing web pages to request and interact with resources from APIs, web services, or assets hosted on other domains.
When securing APIs for exposure on the Internet, be sure to use CORS policies to control which domains are allowed to access the API, ensuring that only trusted domains can access protected resources. Avoid overly permissive settings that expose the API to Cross-Site Request Forgery (CSRF) attacks and other security risks.
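The difference between an overly permissive CORS policy and an allow-list comes down to which response headers the API returns for a given Origin. This is an added example, not code from the original page; the origins, methods and header lists are hypothetical values.

```python
# Hypothetical allow-list: exact scheme + host strings, no wildcards.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})
ALLOWED_METHODS = "GET, POST"
ALLOWED_HEADERS = "Authorization, Content-Type"


def cors_headers_permissive(origin):
    # Weak setting: echoes whatever Origin was sent and allows credentials,
    # so a page on any site can make credentialed requests and read the replies.
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers(origin, method="GET", allowed=ALLOWED_ORIGINS):
    """Return the CORS response headers for one request."""
    # Vary: Origin stops shared caches from replaying one origin's
    # response (and its CORS headers) to a different origin.
    headers = {"Vary": "Origin"}
    # Exact string match only. Prefix, suffix or substring tests accept
    # lookalike hosts that merely contain a trusted name.
    if origin not in allowed:
        return headers  # no Allow-Origin header: the browser blocks the read
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"
    if method == "OPTIONS":  # preflight request
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        headers["Access-Control-Max-Age"] = "600"
    return headers
```

CORS governs what browsers let a page read; the API must still authenticate and authorize every request, since non-browser clients ignore these headers.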
Regular testing, monitoring, and software patching are essential components of a proactive API security strategy. Continuous monitoring focus areas should include scheduled vulnerability scanning and penetration testing to help identify weaknesses, vulnerabilities, and misconfigurations in the API, while static code analysis and dynamic application security testing (DAST) assess the API codebase and runtime behavior for security weaknesses. Regularly update software components used in the API stack, including operating systems, web servers, libraries, and frameworks, to address known vulnerabilities, as unpatched software can be a prime target for attackers.
Robust API security is essential for e-commerce companies and payment gateway platforms due to the volume of sensitive data and financial transactions they process. E-commerce businesses employ APIs at most customer touchpoints, including login, product search and display, shopping carts, shipping charge estimates, and payment processing. In addition, APIs also empower businesses to enhance customer experiences, from recommending new purchases for past customers, tracking reviews and ratings, to interactions with chatbots.
Because APIs serve as the bridge between mobile apps and various services, data sources, and third-party platforms, API security is critically important for mobile app integration. Mobile apps often need to exchange data with backend servers or external services via APIs, which provide a structured way for apps to request and receive data. Ensuring the secure interaction of mobile apps with APIs is vital for preventing security breaches, protecting authentication and access controls, and maintaining the overall security posture of both the app and the connected systems.
Healthcare data typically includes sensitive and confidential patient information, such as medical records, diagnoses, treatment plans, and billing details, and APIs facilitate the sharing of sensitive patient information among healthcare providers, payers, and other stakeholders. Ensuring the security of these APIs is crucial for protecting patient privacy, complying with healthcare regulations (such as HIPAA in the U.S.), and maintaining the integrity of healthcare data.
Robust API security is a fundamental requirement for ensuring the confidentiality, integrity, and availability of financial services data and the operation of open banking solutions. Not only does API security play a central role in enabling the secure exchange of financial data between different financial institutions, payment providers, and fintech companies, it also helps ensure compliance for data encryption and access control requirements mandated by regulations such as Payment Services Directive 2 in the EU and PCI DSS in the U.S. In addition, API security plays a key role in fraud prevention and protecting the third-party integrations that power open banking initiatives.
API security is a key element of the IoT, ensuring that IoT devices, applications, and services can communicate securely, protect data, and maintain the integrity of the entire ecosystem. IoT devices communicate with each other, edge gateways, and cloud platforms through APIs. API security ensures that data exchanged between devices and other ecosystem components remains confidential, authenticated, and protected from unauthorized access. IoT networks also often include large numbers of devices with unique identities, and API security can provide device identity management to maintain the integrity of device identities and prevent impersonation or unauthorized access. IoT ecosystems also require the ability to manage device onboarding, provisioning, updates, and secure decommissioning, and API security can help support the management of the entire device lifecycle, including secure firmware updates.
API security is a moving target, as it continues evolving in response to the changing technology landscape and ever more prolific and advanced cyber threats. Following are some key trends that may shape the future of API security.
The vast processing power of AI and ML is poised to transform API security in fundamental ways. Machine learning models can create baselines of normal API usage patterns, and deviations from these baselines and other anomalies can trigger alerts or automated responses, helping to prevent potential security breaches. AI can also identify complex attack patterns and zero-day vulnerabilities that traditional rule-based systems can miss. AI systems grow ever smarter, adapting and evolving in response to changing threats, making them more effective at countering new and sophisticated attacks, with the potential to predict security threats based on historical data and emerging trends. This proactive approach would allow security teams to address vulnerabilities before they are exploited.
The Zero Trust model advocates the principle of “never trust, always verify,” and when applied to API security, it means treating API endpoints and services as separate entities that require authentication and authorization for each request. Zero Trust assumes that no entity, whether inside or outside the network, should be trusted by default, and access to resources should be granted on a need-to-know basis. It involves implementing the principle of least privilege for API access, which only grants permissions necessary for specific tasks or roles, and regularly reviews and updates access permissions based on changing requirements. Zero Trust enforces continuous verification of devices, users, and applications even after the initial access is granted and reassesses trust levels based on behavior and device compliance.
Blockchain's core feature is the immutability of data once it's added to the blockchain. This ensures that data accessed through APIs is tamper-proof, making it virtually impossible for malicious actors to alter data without detection. Blockchain can also tokenize assets, access rights, or credentials, which can be used to manage and control access to APIs, simplifying access control management. APIs can use smart contracts to enforce access control policies, ensuring that only authorized users or applications can interact with specific API resources. By decentralizing data and transactions, blockchain reduces the reliance on single points of failure, such as centralized servers or databases. This makes it more challenging for attackers to compromise API security.
APIs are foundational for modern app development, as they enable systems to easily integrate with external platforms and third-party services to create comprehensive solutions by connecting multiple components. However, APIs also expand the app attack surface and specifically introduce unforeseen risk due to the nature of their interdependencies across multi-cloud architectures. Robust API security measures are necessary to protect APIs from attack and compromise.
F5 offers solutions to ease the management and enhance the security of APIs. F5 Web Application and API Protection (WAAP) solutions defend the entirety of the modern app attack surface with comprehensive protections that include WAF, L3-L7 DDoS mitigation, and bot defense to protect against automated threats and fraud. The distributed platform makes it simple to deploy consistent policies and scale security across your entire estate of apps and APIs regardless of where they’re hosted.
F5 Distributed Cloud API Security protects APIs by automatically identifying all API endpoints mapped to your applications (including shadow APIs often targeted by attackers) to reduce time spent configuring and deploying API security policies. The solution employs AI and ML to monitor anomalous activities and behaviors and blocks suspicious requests and endpoints in real time. Management and visibility are made easy via Distributed Cloud API Security’s SaaS-based portal, which enables users to monitor and go deep for threat analytics, forensics, and troubleshooting of API defenses for modern applications.
F5 NGINX offers multiple solutions for securing APIs and ensuring ongoing protection, including F5 NGINX App and API Security Solutions, which reduce security breaches and limit your organization’s exposure to malicious users with comprehensive protection. Benefits include Layer 7 attack protection, end-to-end encryption, single sign-on (SSO), elliptic curve cryptography, API authentication, and DDoS mitigation.
F5 NGINX Zero Trust Security Solutions for Kubernetes Apps secure Kubernetes apps and APIs from edge to cloud without adding complexity and overhead. In addition, F5 NGINX Plus is deployable as an enterprise-grade API gateway and F5 NGINX App Protect provides WAF and DoS protection.