Secure Your REST API (The Right Way)

Les Hazlewood @lhazlewood
Apache Shiro PMC Chair
CTO, Stormpath
stormpath.com
Secure your REST API
(the right way)

.com
• User Management and Authentication
API
• Security for your applications
• User security workflows
• Security best practices
• Developer tools, SDKs, libraries

... is all about the headers
Learn more at Stormpath.com

1. Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com

2. Challenge Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm=“name”

3. Resubmit Request
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Authorization Header Format
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Scheme Name Scheme-specific Value
sp

4. Successful Response
HTTP/1.1 200 OK
Content-Type: application/json
...
{
“email”: “jsmith@gmail.com”,
“givenName”: “Joe”,
“surname”: Smith”,
...
}

Example: Oauth 1.0a
GET /accounts/1234 HTTP/1.1
Host: api.acme.com
Authorization: OAuth realm="Photos",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131200",
oauth_nonce="wIjqoS",
oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"

Example: Oauth 2
Host: api.acme.com
Authorization: Bearer mF_9.B5f-4.1JqM

Example: Oauth 2 MAC
Host: api.acme.com
Authorization: MAC id="h480djs93hd8",
nonce="264095:dj83hs9s”,
mac="SLDJd4mg43cjQfElUs3Qub4L6xE="

Ok, now that’s out of the way
• Please avoid Basic Authc if you can.
• Favor HMAC-SHA256 digest algorithms over
bearer token algorithms
• Use Oauth 1.0a or Oauth 2 (preferably MAC)
• Only use a custom scheme if you really,
really know what you’re doing.

Status Codes

401 vs 403
• 401 “Unauthorized” really means
Unauthenticated
“You need valid credentials for me to respond to
this request”
• 403 “Forbidden” really means Unauthorized
“I understood your credentials, but so sorry, you’re
not allowed!”

HTTP Authorization

HTTP Authorization
• After authc, perform authz
• Filter requests before invoking MVC layer
• Blanket security policies
• Per-URI customization

HTTP Authorization: OAuth
• OAuth is an authorization protocol, NOT
an authentication or SSO protocol.
• “Can I see User X’s email address please?”
NOT:
• “I want to authenticate User X w/ this
username and password”
• People still try to use OAuth for
authentication (OpenId Connect)

HTTP Authorization: OAuth
• When OAuth 2 is a good fit:
• If your REST clients do NOT own the data
they are attempting to read
• When Oauth 2 isn’t as good of a fit:
• If your REST client owns the data it is
reading
• Could still be fine if you’re willing to incur
some additional overhead

HTTP Authorization: JWT
• JWT = JSON Web Token
• Very new spec, but clean & simple
• JWTs can be digitally signed and/or
encrypted, and are URL friendly.
• Can be used as Bearer Tokens and for SSO

Best Practices

API Keys

API Keys, Not Passwords
• Entropy
• Independence
• Speed
• Reduced Exposure
• Traceability
• Rotation

API Keys cont’d
• Authenticate every request
• Encrypt API Key secret values at rest.
• Avoid Sessions (not RESTful)
• Authc every request + no sessions = no
XSRF attacks

Identifiers

Identifiers
/accounts/x2b4jX3l31uiL
Good
Not So Good
/accounts/1234
Why?

Identifiers
• Should be opaque
• Secure Random or Random/Time UUID
• URL-friendly ‘Base62’ encoding
• Avoid sequential numbers:
• distribute ID generation load
• mitigate fusking attacks

Query Injection

Query Injection
Vulnerable URL:
foo.com/accounts?acctId=‘ or ‘1’=‘1
String query =
“select * from accounts where acct_id = ‘” +
request.getParameter(“acctId”) + “’”;
Solution
• Use Parameterized Query API (Prepared
Statements).
• If not available, escape special chars

Redirects and Forwards

Redirects and Forwards
• Avoid redirects and forwards if possible
• If used, validate the value and ensure
authorized for the current user.
foo.com/redirect.jsp?url=evil.com
foo.com/whatever.jsp?fwd=admin.jsp

TLS

TLS
• Use TLS for everything
• Once electing to TLS:
– Never revert
– Never switch back and forth
• Cookies: set the ‘secure’ and ‘httpOnly’
flags for secure cookies
• Backend/infrastructure connections use
TLS too

TLS Cont’d
• Configure your SSL provider to only support
strong (FIPS 140-2 compliant) algorithms
• Use Cipher Suites w/ Perfect Forward
Secrecy!
–e.g.
ECDHE_RSA_WITH_AES_256_GCM_SHA256
• Keep your TLS certificates valid
• But beware, TLS isn’t foolproof
– App-level encryption + TLS for most secure
results

Configuration

Configuration
• CI: Security Testing
• Security Patches
• Regularly scan/audit
• Same config in Dev, Prod, QA*
– (Docker is great for this!)
• Externalize passwords/credentials
* Except credentials of course

Storage

Storage
• Sensitive data encrypted at rest
• Encrypt offsite backups
• Strong algorithms/standards
• Strong encryption keys and key mgt
• Strong password hashing
• External key storage
• Encrypted file system (e.g. eCryptfs)

Thank You!
• les@stormpath.com
• Twitter: @lhazlewood
• https://stormpath.com

.com
• Free for developers
• Eliminate months of development
• Automatic security best practices
Sign Up Now: Stormpath.com

Secure Your REST API (The Right Way)

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Secure Your REST API (The Right Way)

Similar a Secure Your REST API (The Right Way) (20)

Más de Stormpath

Más de Stormpath (20)

Último

Último (20)

Secure Your REST API (The Right Way)