API Security in Action, Video Edition

English | MP4 | AVC 1280×720 | AAC 44KHz 2ch | 139 Lessons (20h 12m) | 2.33 GB

A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.

APIs control data sharing in every service, server, data store, and web client. Modern data-centric designs—including microservices and cloud-native applications—demand a comprehensive, multi-layered approach to security for both private and public-facing APIs.

API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you’re done, you’ll be able to create APIs that stand up to complex threat models and hostile environments.

What’s inside

  • Authentication
  • Authorization
  • Audit logging
  • Rate limiting
  • Encryption

A comprehensive guide to designing and implementing secure services. A must-read book for all API practitioners who manage security.
Gilberto Taccari, Penta

Table of Contents

1 Part 1. Foundations
2 What is API security
3 What is an API
4 API security in context
5 Elements of API security
6 Environments and threat models
7 Security mechanisms
8 Audit logging
9 Secure API development
10 Implementation overview
11 Developing the REST API
12 Injection attacks
13 Preventing injection attacks
14 Input validation
15 Producing safe output
16 Preventing XSS
17 Securing the Natter API
18 Rate-limiting with Guava
19 Authentication to prevent spoofing
20 Creating the password database
21 Authenticating users
22 Using encryption to keep data private
23 Audit logging for accountability
24 Access control
25 Adding new members to a Natter space
26 Part 2. Token-based authentication
27 Session cookie authentication
28 Serving the HTML from the same origin
29 Drawbacks of HTTP authentication
30 Token-based authentication
31 Session cookies
32 Cookie security attributes
33 Preventing Cross-Site Request Forgery attacks
34 Hash-based double-submit cookies
35 Double-submit cookies for the Natter API
36 Building the Natter login UI
37 Implementing logout
38 Modern token-based authentication
39 Adding CORS headers to the Natter API
40 Tokens without cookies
41 The Bearer authentication scheme
42 Storing tokens in Web Storage
43 Updating the CORS filter
44 Hardening database token storage
45 Protecting sensitive attributes
46 Self-contained tokens and JWTs
47 JSON Web Tokens
48 The JOSE header
49 Generating standard JWTs
50 Encrypting sensitive attributes
51 Authenticated encryption with NaCl
52 Encrypted JWTs
53 Using a JWT library
54 Using types for secure API design
55 Handling token revocation
56 Part 3. Authorization
57 OAuth2 and OpenID Connect
58 The difference between scopes and permissions
59 Introducing OAuth2
60 The Authorization Code grant
61 Hardening code exchange with PKCE
62 Validating an access token
63 Securing the HTTPS client configuration
64 JWT access tokens
65 Encrypted JWT access tokens
66 Single sign-on
67 Hardening OIDC
68 Identity-based access control
69 LDAP groups
70 Role-based access control
71 Static roles
72 Attribute-based access control
73 Implementing ABAC decisions
74 Distributed policy enforcement and XACML
75 Capability-based security and macaroons
76 Capabilities and REST
77 Capabilities as URIs
78 Using capability URIs in the Natter API
79 HATEOAS
80 Capability URIs for browser-based clients
81 Hardening capability URIs
82 Macaroons: Tokens with caveats
83 A macaroon token store
84 Third-party caveats
85 Part 4. Microservice APIs in Kubernetes
86 Microservice APIs in Kubernetes
87 Deploying Natter on Kubernetes
88 Building H2 database as a Docker container
89 Deploying the database to Kubernetes
90 Building the Natter API as a Docker container
91 The link-preview microservice
92 Preventing SSRF attacks
93 DNS rebinding attacks
94 Securing communications with TLS
95 Using a service mesh for TLS
96 Locking down network connections
97 Securing incoming requests
98 Securing service-to-service APIs
99 The OAuth2 client credentials grant
100 The JWT bearer grant for OAuth2
101 Generating the JWT
102 Mutual TLS authentication
103 Verifying client identity
104 Using a service mesh
105 Certificate-bound access tokens
106 Managing service credentials
107 Key and secret management services
108 Avoiding long-lived secrets on disk
109 Key derivation
110 Service API calls in response to user requests
111 OAuth2 token exchange
112 Chapter 11. OAuth2 token exchange
113 Part 5. APIs for the Internet of Things
114 Securing IoT communications
115 Datagram TLS
116 Datagram TLS
117 Datagram TLS
118 Cipher suites for constrained devices
119 Cipher suites for constrained devices
120 Cipher suites for constrained devices
121 Pre-shared keys
122 The PSK client
123 End-to-end security
124 COSE
125 Alternatives to COSE
126 Misuse-resistant authenticated encryption
127 Misuse-resistant authenticated encryption
128 Key distribution and management
129 Ratcheting for forward secrecy
130 Post-compromise security
131 Securing IoT APIs
132 Device certificates
133 End-to-end authentication
134 OSCORE
135 Avoiding replay in REST APIs
136 OAuth2 for constrained environments
137 OAuth2 for constrained environments
138 Offline access control
139 Offline authorization