Ankush Jain
Oct 12 14 tweets 4 min read
Hello world! From my 10 yrs as a dev working at scale and talking to 300+ security engineers, I have been meaning to share some dos-and-don'ts of API Security. 🤠

This is my first time posting on Twitter. Shower some love 🕺 #apisecurity #securecodingpractice #devsecops
Starting with the most common practice - API Keys 🔑. These are
- used for many 3rd party integrations
- given to clients to access data programmatically
- for inter-service communications

It'd be awesome 😃 if you can add more or share any bitter experiences around API keys 🤐
0⃣/9⃣
API Keys aren't as secure as authentication tokens. Tokens like JWT are far stronger and have an expiration date by nature.
1⃣/9⃣
API Keys should be rotated periodically ♻️. This could be hard if API Keys are being used by clients. Generally, 3-month or a 6-month period is considered good.
2⃣/9⃣
Never hard code API Keys into source code 😱. This is a crime! Never hard code API Keys anywhere. Just don't do it - yea!
3⃣/9⃣
API Keys should be scoped with limited permissions ✂️. Thank your devs if they rotate the keys and associate scopes to them 🙇‍♂️
4⃣/9⃣
Use Secure Random String generators to generate your API Keys 🔒. Please no MD5 hash or java.util.Random 😰. If your random number generator doesn't have "Secure" in it, don't use it.
5⃣/9⃣
Revisit all unused API Keys every week or month (ok fine! at least once a quarter!). You'd be surprised how many ex-employees' keys are still active 😲!
6⃣/9⃣
Associate an expiry date with them ⚔️ - and make sure the expiry code actually gets invoked! API Keys with God-mode powers should have the quickest expiry. More power, quicker expiry 🔫
7⃣/9⃣
Store encrypted API Key rather than plain text in the database. And to maintain the encryption key.... (you see how quickly things go recursive 😉)
8⃣/9⃣
Are you on HTTP or any other unsecured protocols? Move away from API Keys please. Any MITM can get your key 😕. Why you not on HTTPS/TLS by the way? 😐
9⃣/9⃣
OK. This is a technicality - but if you are going to enable key rotation, you should allow multiple API Keys to be active per user at the same time, so clients can switch to the new key before the old one dies. 😇
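The lifecycle pieces from tips 4 through 9 (CSPRNG generation, scopes, expiry that shrinks with power, non-plaintext storage, a sweep for unused keys, and several active keys per user during rotation) fit together in one small key store. The code below is an added example, not the author's or Akto's code. It stores an HMAC-SHA256 digest of each key under a server-side pepper as its way of keeping usable keys out of the database (the thread says "encrypted"; a one-way digest is the example's choice, and `SERVER_PEPPER`, `KEY_PREFIX`, the 90-day default and the 7-day admin cap are all constructed values, not anything from the thread). The injectable `clock` exists only so expiry can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Hypothetical server-side secret ("pepper") mixed into every stored digest.
# It stands in for a value loaded from a secrets manager at runtime; it is
# never committed to source control in a real deployment (tip 3).
SERVER_PEPPER = b"example-pepper-value-for-demo-only"

KEY_PREFIX = "ak_"                  # constructed prefix: makes leaked keys easy to grep for
DEFAULT_TTL = timedelta(days=90)    # the 3-month rotation period from tip 1
ADMIN_TTL_CAP = timedelta(days=7)   # constructed policy: God-mode keys expire quickest (tip 7)


def generate_api_key() -> str:
    """Draw 32 bytes (256 bits) from the OS CSPRNG (tip 5); never random.random or an MD5 of a timestamp."""
    return KEY_PREFIX + secrets.token_urlsafe(32)


def digest_api_key(raw_key: str) -> str:
    """One-way keyed digest of the key; the database row never holds the usable key (tip 8)."""
    return hmac.new(SERVER_PEPPER, raw_key.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class ApiKeyRecord:
    key_id: str               # public identifier, safe to show in dashboards and logs
    digest: str               # HMAC of the raw key; the raw key is never stored
    owner: str
    scopes: frozenset         # tip 4: limited permissions bound to the key
    created_at: datetime
    expires_at: datetime
    last_used_at: Optional[datetime] = None
    revoked: bool = False


class ApiKeyStore:
    """In-memory stand-in for the API-key table; `clock` is injectable for deterministic tests."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._by_digest: dict = {}      # digest -> ApiKeyRecord; lookup is by digest, not raw key
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def issue(self, owner: str, scopes, ttl: timedelta = DEFAULT_TTL):
        """Mint a new key. Issuing a second key for the same owner is how rotation works (tip 9)."""
        scopes = frozenset(scopes)
        if "admin" in scopes:           # more power, quicker expiry
            ttl = min(ttl, ADMIN_TTL_CAP)
        raw = generate_api_key()
        now = self._clock()
        rec = ApiKeyRecord(
            key_id=secrets.token_hex(8), digest=digest_api_key(raw), owner=owner,
            scopes=scopes, created_at=now, expires_at=now + ttl,
        )
        self._by_digest[rec.digest] = rec
        return raw, rec.key_id          # the raw key is returned to the client exactly once

    def authenticate(self, raw_key: str, required_scope: str) -> Optional[str]:
        """Return the owner if the key is known, unrevoked, unexpired and carries the scope; else None."""
        rec = self._by_digest.get(digest_api_key(raw_key))
        if rec is None or rec.revoked or self._clock() >= rec.expires_at:
            return None                 # tip 7: expiry is enforced on every request, not just recorded
        if required_scope not in rec.scopes:
            return None
        rec.last_used_at = self._clock()   # feeds the unused-key sweep below
        return rec.owner

    def active_keys(self, owner: str):
        """All keys an owner can currently use; more than one during a rotation window."""
        now = self._clock()
        return [r for r in self._by_digest.values()
                if r.owner == owner and not r.revoked and r.expires_at > now]

    def revoke(self, key_id: str) -> bool:
        for rec in self._by_digest.values():
            if rec.key_id == key_id and not rec.revoked:
                rec.revoked = True
                return True
        return False

    def revoke_unused(self, idle_for: timedelta) -> int:
        """Periodic sweep (tip 6): revoke keys not used, or never used, within `idle_for`."""
        cutoff = self._clock() - idle_for
        count = 0
        for rec in self._by_digest.values():
            last_activity = rec.last_used_at or rec.created_at
            if not rec.revoked and last_activity < cutoff:
                rec.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = ApiKeyStore()
    raw, key_id = store.issue("alice", {"read"})
    print("issued", key_id, "owner on read:", store.authenticate(raw, "read"))
    print("owner on write:", store.authenticate(raw, "write"))
```

Two design points worth noticing: the lookup is by digest, so a dump of the table gives an attacker nothing to replay, and `active_keys` returning more than one record is deliberate, because a rotation that invalidates the old key the instant the new one is minted breaks every client that has not yet deployed the new value.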

Happy API-keying ✌️
I am building @Aktodotio. If you are into API Security, fill out bit.ly/3EAuy6v for beta access to my product. I promise no spams and you won't be disappointed 😀😃
