Approaches to provide security for APIs


Approaches to securing APIs, including the use of a bearer token for authentication and authorization. We have several kinds of API: microservices, macro services, Web API, web services, WCF services, WCF RESTful services, etc. For all of these services, how do we ensure security now that people have moved to the cloud, where usage is very large and we cannot control who is consuming or integrating with them?

When it comes to securing APIs, everyone talks about developing APIs with Spring Boot, Python, .NET, Java, etc., but no one talks about how to secure the APIs themselves.

Here I'm covering security in 5 ways:

BASIC

This works by providing your credentials, i.e. userId and password, in the "Authorization" request header with the value Basic Base64Encode(username:password).

curl -X GET \
  http://localhost:808/hellow \
  -H 'Authorization: Basic a12dksl32weld2sdld3d2dsd=' \
  -H 'Postman-Token: 30befeb9-83e4-46e8-8633-cf4ad2400936' \
  -H 'cache-control: no-cache'

API KEY

A random string (e.g. a UUID) is assigned to each API consumer.

This key is passed either as a query parameter or as a request header.

Usually "X-API-KEY" is used as the query parameter or request header name.

curl -X GET \
  http://localhost:808/hellow \
  -H 'Postman-Token: 30befeb9-83e4-46e8-8633-cf4ad2400936' \
  -H 'X-API-KEY: 21312332133adada-1231asd-123a-123131312313' \
  -H 'cache-control: no-cache'

Bearer Token

This involves giving access to the "bearer of the token". Normally we pass this in the "Authorization" request header with the value "Bearer <token>".

The bearer token scheme was originally created as part of OAuth 2.0.

curl -X GET \
  http://localhost:808/hellow \
  -H 'Authorization: Bearer 21231231daddadadadadadaadads' \
  -H 'Postman-Token: 30befeb9-83e4-46e8-8633-cf4ad2400936' \
  -H 'cache-control: no-cache'
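The three curl requests above show the client side of Basic, API key and bearer authentication. The server-side check that matches them, as an added example written for this page (not code from the original post): one function that parses the incoming headers and resolves them to a principal. The credential store, user names, key and token values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample credential store (hypothetical values, not from the page).
# Passwords and API keys are kept only as SHA-256 digests; bearer tokens are
# opaque strings the server issued earlier and still keeps a record of.
_PASSWORD_DIGESTS = {"alice": hashlib.sha256(b"s3cret").hexdigest()}
_API_KEY_DIGESTS = {hashlib.sha256(b"key-abc-123").hexdigest(): "reporting-service"}
_BEARER_TOKENS = {"tok-9f8e7d": "alice"}

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

def _same(a: str, b: str) -> bool:
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of a guessed secret were right.
    return hmac.compare_digest(a.encode(), b.encode())

def authenticate(headers: dict) -> Optional[str]:
    """Return the principal a request authenticates as, or None.
    Checks Authorization: Basic, then Authorization: Bearer, then X-API-KEY.
    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, _, value = h.get("authorization", "").partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "basic" and value:
        try:  # Basic carries Base64Encode(username:password)
            user, sep, pwd = base64.b64decode(value, validate=True).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            return None
        expected = _PASSWORD_DIGESTS.get(user)
        # Compare even for unknown users so they cost the same time as a wrong password.
        ok = _same(_digest(pwd), expected or _digest("no-such-user"))
        return user if (ok and expected and sep) else None
    if scheme == "bearer" and value:
        # Whoever presents a valid token is accepted; the server only checks
        # that the token is one it issued and still recognises.
        for token, principal in _BEARER_TOKENS.items():
            if _same(value, token):
                return principal
        return None
    key = h.get("x-api-key")
    # The full key is hashed before lookup, so an unknown key simply misses.
    return _API_KEY_DIGESTS.get(_digest(key)) if key else None
```

All three schemes send the secret in clear text inside the request, so the check only makes sense over TLS, and the header form of the API key is preferable to the query parameter because query strings are routinely written to server and proxy logs.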



TLS/Mutual TLS

TLS is a standard that keeps an internet connection private and checks that the data sent between a client and a server, in either direction, is encrypted and unmodified.

Mutual TLS, also called bi-directional TLS, is where both the client and the server validate each other's authenticity.

Client Verifying the Server

The server sends its digital X.509 certificate (and any intermediate certificates) to the client. The client verifies the server's certificate against one of its pre-trusted root certificates. Most clients use the Microsoft or Mozilla set of trusted root certificates. At the end of this process, the client knows exactly who the server is.

Server verifying the client

The TLS handshake Certificate Request message is optionally sent by the server to the client. The Certificate Request message includes a list of distinguished names of the root certificates that the server trusts.

It tells the client (DocuSign in our case) to respond with its own certificate and any needed intermediate certificates.

