API Security Best Practices

What is an Application Programming Interface (API)?

An API is a communication protocol that allows two applications to exchange data over an HTTP connection.  APIs are how web applications communicate with one another.  Web applications are written in many different programming languages, which creates a barrier to information exchange.  The API serves as a common language that allows these applications to communicate with one another. 

There are two main types of API architecture.  Simple Object Access Protocol (SOAP) is based primarily on Extensible Markup Language (XML).  Every web application can understand XML, but SOAP defines a specific set of rules for its use.  This allows applications to exchange XML data over an application-level protocol, usually an HTTP connection.  Since SOAP uses application-level protocols, it is platform independent.  SOAP uses a security envelope to encase messages before transmission, provided by its built-in security protocol, WS-Security.  This leads to excellent data security if configured properly. 

Representational State Transfer (REST) is the second main API architecture.  Unlike SOAP, it is not a protocol but a software architecture, and an architecture is less strictly defined than a protocol in its communication methods.  In fact, multiple standards exist for REST APIs, each catering to a specific usage.  APIs that use the REST architecture are known as RESTful APIs. 

Since it is an architecture, not a protocol, a RESTful API can use multiple data formats, including HTML, JSON, and XML.  This flexibility is one of the main reasons for REST's popularity.  RESTful APIs are also lightweight and require less bandwidth and configuration than SOAP.  However, REST has no built-in security; instead, communication must be encrypted in transit with Transport Layer Security (TLS), that is, HTTP Secure (HTTPS).  REST supports data caching, which allows RESTful APIs to reuse data from previous queries to speed up data transfers, while SOAP has no caching and requires a connection to be created from scratch every time.

Best Practices

Authentication and Authorization

Authentication is the process of correctly identifying a user.  Authorization is assigning the correct privileges to each user.  Imagine that the API is a hotel.  When a guest (the user) checks in, they present their driver's license to the hotel staff as a method of authentication.  The hotel staff checks the driver's license against the name on the reservation to determine whether the names match; this provides authentication.  The staff then assigns a room number to the guest and explains what amenities are available during their stay.  The hotel room and the amenities are the level of authorization, or the privileges being granted to the guest (user) during their stay (or session). 

It is important to properly authenticate users with each API, and several authentication methods exist for APIs.  An API key is a unique value that is generated for each user.  When users wish to access an API, they present the API key.  The main drawback is that anyone holding the key is granted access, so the key must be kept confidential in transit by using HTTPS over TLS.  Tokens are another viable option, including JSON Web Tokens (JWT).  These tokens are JSON objects signed with a security key, either symmetric or asymmetric.

OAuth is an open protocol for authentication and is commonly used throughout the web.  OAuth allows tokens to be issued to clients by authentication servers; these tokens are then used to authenticate each user.  Because it is an open protocol, OAuth can be tailored to meet an organization's specific needs.

Encryption
With RESTful APIs, some form of transport encryption must be used to ensure data is not sent in clear text.  HTTPS secured with TLS (formerly known as SSL) is the most common choice and provides adequate protection.  HTTPS is simply an HTTP connection secured with TLS.  By encrypting the entire connection, the contents are protected from interception and unauthorized disclosure.

SOAP includes WS-Security, which can be configured to encrypt communication.  Remember, SOAP uses this security envelope to encase the message.  Multiple encryption methods are available to SOAP, including AES-128, AES-192, and AES-256.  AES, or Advanced Encryption Standard, here only encrypts data at rest, in this case the contents of the SOAP message, not the connection it travels over.  For additional security, it is recommended to encrypt the transmission as well using TLS.

API Gateways

An API Gateway is a method of consolidating APIs into an easy-to-configure platform.  Companies that run multiple applications may wish to secure their API traffic with an API Gateway.  It serves as the sole point of entry into an API network: a company with several APIs can consolidate all user connection requests at one managed point, and that point is the API gateway. 

The API Gateway provides additional security functionality because of this funneling approach.  Traffic can be scanned and monitored for malicious activity before it reaches the application.  Authentication and authorization can also be handled directly by the gateway, and input validation at the gateway helps protect against attacks such as Cross-Site Scripting or Injection.  The gateway can also monitor and optimize communication to and from the applications to save time, bandwidth, and money. 
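As an added example (not from the original article or any gateway product), this minimal gateway function is the single entry point described above: it authenticates the caller by API key, authorizes the route against the caller's granted scopes, and allow-list validates the request body before anything is forwarded to a backend.  The key store, routes and field rules are constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Constructed key store: the gateway holds only SHA-256 hashes of issued API keys,
# so a leaked store does not hand out usable credentials. Each entry maps to a client
# identity and the scopes (authorization) that client has been granted.
_KEY_STORE = {
    hashlib.sha256(b"demo-key-reader").hexdigest(): {"client": "reporting", "scopes": {"orders:read"}},
    hashlib.sha256(b"demo-key-writer").hexdigest(): {"client": "checkout", "scopes": {"orders:read", "orders:write"}},
}

# Route table: (method, path) -> scope required to reach the backend. Unlisted routes are refused.
_ROUTES = {("GET", "/orders"): "orders:read", ("POST", "/orders"): "orders:write"}

_ORDER_ID = re.compile(r"^[A-Za-z0-9-]{1,36}$")  # allow-list pattern for order identifiers

def authenticate(api_key: Optional[str]) -> Optional[dict]:
    """Resolve a presented API key to its principal, comparing hashes in constant time."""
    if not api_key:
        return None
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored, principal in _KEY_STORE.items():
        if hmac.compare_digest(stored, digest):
            return principal
    return None

def validate_body(method: str, body) -> bool:
    """Allow-list validation: only the expected fields, types and value ranges pass."""
    if method != "POST":
        return body is None  # read requests carry no body
    if not isinstance(body, dict) or set(body) != {"order_id", "qty"}:
        return False
    good_id = isinstance(body["order_id"], str) and _ORDER_ID.match(body["order_id"]) is not None
    good_qty = isinstance(body["qty"], int) and 0 < body["qty"] <= 1000
    return good_id and good_qty

def gateway(request: dict) -> Tuple[int, str]:
    """Single entry point: authenticate, authorize, validate; only status 200 is forwarded."""
    principal = authenticate(request.get("headers", {}).get("X-API-Key"))
    if principal is None:
        return 401, "unauthenticated"
    scope = _ROUTES.get((request.get("method"), request.get("path")))
    if scope is None:
        return 404, "unknown route"
    if scope not in principal["scopes"]:
        return 403, "insufficient scope"
    if not validate_body(request["method"], request.get("body")):
        return 400, "invalid input"
    return 200, f"forwarded on behalf of {principal['client']}"
```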

API Testing

Proper security testing is a critical piece of API security whether the API is developed by the owning organization or adopted from an existing API. 

APIs, particularly RESTful APIs, are often copied and reused.  Reused APIs are known as “chained APIs”.  These are particularly concerning from a security standpoint.  To properly secure these APIs, the source code must be examined for security flaws and possible attack vectors.  This requires knowledge of the API itself and a deep understanding of security, two skills that are hard to find in the workforce.  This makes proper API testing of chained APIs very rare, creating multiple opportunities for attackers to exploit security weaknesses. 

Applications that are developed by the organization are best secured by incorporating security into the development process.  This requires a dedicated approach to security by the development team and management, as well as a security practitioner with knowledge of software development.  Fitting all of these pieces into place can be quite challenging for an organization, which is one of the reasons for the vast number of API security flaws today. 

Conclusion
Proper API security will ensure that user data is protected both at the application and in transit.  Without proper data security, an organization is open to unauthorized data disclosure.  These data breaches carry enormous repercussions for reputation and user trust.  However, through diligent security practices and an understanding of APIs, data can be properly secured. 