Strong API security starts at the design stage: authentication, authorization and data privacy requirements are considered in full, attack surfaces are minimized, and threat modeling ensures every remaining attack surface is understood before implementation begins.
2/- Build
The construction of API back-ends is a critical factor in ensuring API security. For each framework in use (e.g., Spring Boot, ASP.NET Core), developers should consult that framework's specific security recommendations.
3/- Test
A key benefit of a design-first approach is the ability to perform much of the downstream API testing in an automated manner. Popular tools are available to conduct API functional testing, performance and load testing, and security testing.
4/- Protect
Despite the best intent during the previous lifecycle stages, certain API protections are enforced at the gateway level, in line with the API traffic, rather than at the code level. This includes protecting APIs using gateways, WAFs, WAAPs and API micro-firewalls.
5/- Monitoring
The final element of the API lifecycle is the proactive monitoring of APIs, primarily to identify malicious operations, emerging threats and attacks, and service degradation.
6/- Governance
A vital aspect of API security is governance of the entire process from design to operation to ensure that all regulatory, compliance and privacy requirements are being followed. Failure to provide adequate governance can result in significant fines.
2FA is a security process in which users provide two different authentication factors to verify themselves. 2FA is implemented to better protect both a user's credentials and the resources the user can access.
Rate limiting is a process of limiting the number of requests a user can make to a web server within a span of time. This can be achieved by implementing IP-based or session-based rate limits on the web server.
Bypasses
- Where to look for rate limit bugs
Places like:
- Login/Signup pages
- Register Pages
- 2FA codes
- Confirmation Codes
and any other request which, if brute-forced, would allow an attacker to achieve something malicious should be checked for a "No Rate Limit" issue.
An insecure CORS configuration allows any website to trigger requests, carrying the user's credentials, to the target application and read the responses, thus enabling attackers to perform privileged actions or to retrieve potentially sensitive information.