Security Considerations for REST API Developers

Below are a few important security considerations relevant for REST API developers.

1. Use TLS.
2. Implement authentication.
3. Enforce authorization/rbac (role based access control).
4. Don’t use cookies. Use custom header for Authentication.
5. Don’t run service as root user.
6. Don’t use CORS. If you must use CORS, restrict the allowed headers, the allowed methods, don’t allow credentials passing and if possible, restrict the origin.
7. Don’t make any state changes in a GET request.
8. Always specify content type in response. Preferably, only use json (or xml).
9. If you use any OSS, update it regularly.
10. Don’t accept any sensitive data in query parameters in URL.
11. Make sure your builds are reproducible (fix your dependencies). For example, don’t use something like npm or latest tag in maven, etc.
12. If you are making any connections from server side to another endpoint, always validate SSL certificates.
13. Be aware of java deserialization attacks (if you are using Java).
14. Be aware of XML issues (if you are consuming XML), e.g. use defusedxml in python.
15. Never return any secrets/passwords.
16. Never log any sensitive information such as session ids, tokens, passwords etc.
17. Be very careful when using regexes for RBAC on URLs. Never use wildcard in the beginning or middle of path.

Please take a moment to share this post: Twitter, LinkedIn. . Thank you!