SlideShare a Scribd company logo

Designing & Building Secure Web APIs

CodeOps Technologies LLP, profile picture
CodeOps Technologies LLP

The document presents a guide on designing and building secure web APIs, emphasizing the growing relevance and usage of APIs. It covers essential aspects such as the API lifecycle, the importance of security measures like CORS and HTTPS, and the need for proper versioning. The content encourages the integration of security at all development stages to enhance API protection and usability.

Software
Related topics:
Web Development
1 of 47
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
April 27, 2018 PRESENTED BY Designing & Building Secure Web APIs Vivek Thuravupala Software Engineer @ Postman
Postman, API Development Environment
Relevance
APIs have been exploding. THOUSANDS OF APIs!
So has API usage. 15B+ 10B+ 7B+ Average Daily API Calls (2016) Source: Programmable Web
The API Lifecycle
Designing & Building Secure Web APIs
Application & API Collation, Transformation... Data-source Database, cache, 3rd Party API, etc. Client API Consumption & Presentation 

Let’s build a GitHub proxy API! Application & API Collation, Transformation... Data-source Database, cache, 3rd Party API, etc. Client API Consumption & Presentation 

Design
! Why build this API? ! Who is your consumer? ! What can they do with your API? ! Public consumption of private resources ! An open public-facing website ! Fetch activity frequency Planning
! Why build this API? ! Who is your consumer? ! What can they do with your API? ! Public consumption of private resources ! An open public-facing website ! Fetch activity frequency Planning
! Public consumption of private resources ! An open public-facing website ! Fetch activity frequency ! Why build this API? ! Who is your consumer? ! What can they do with your API? Planning
Let’s take a quick peek at the GitHub API
TODO: Add API screenshots here
TODO: Add API screenshots here
TODO: Add API screenshots here
Application & API Collation, Transformation... Data-source Database, cache, 3rd Party API, etc. Client API Consumption & Presentation 
 Browser
Security Blanket ! CORS ! HTTPS ! Strict-Transport-Security ! Set-Cookie: SameSite, Secure, HttpOnly ! X-Frame-Options ! Hide Application/Framework Headers Leverage the ecosystem
Security Blanket Reference: MDN Cross-origin Resource Sharing Chrome 4+, Edge 12+, FF 3.5+, IE 10+, Safari 4+ https://www.origin2.com Get all emails https://www.origin1.com XHR/Fetch call
Security Blanket Reference: MDN Cross-origin Resource Sharing https://www.origin2.com https://www.origin1.com XHR/Fetch call Chrome 4+, Edge 12+, FF 3.5+, IE 10+, Safari 4+
Security Blanket Reference: MDN Cross-origin Resource Sharing https://www.origin2.com Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST https://www.origin1.com XHR/Fetch call OPTIONS POST Chrome 4+, Edge 12+, FF 3.5+, IE 10+, Safari 4+
Cross-origin Resource Sharing Security Blanket ! XMLHttpRequest , Fetch API follow same-origin policy ! Different domain, protocol, or port ! Uses a pre-flight request if necessaryChrome 4+, Edge 12+, FF 3.5+, IE 10+, Safari 4+ Reference: MDN
Security Blanket ! HTTP over TLS ! Enforced on the client ! Does not hide origin/destination IP Chrome 4+, Edge 12+, FF 4+, IE 11, Safari 7+ Reference: MDN HTTPS + HSTS
Security Blanket Reference: MDN HTTPS + HSTS Server https://www.origin1.com XHR/Fetch call, Document request GET, * Strict-Transport-Security max-age: 31536000; includeSubdomains Chrome 4+, Edge 12+, FF 4+, IE 11, Safari 7+
Security Blanket Reference: MDN HTTPS + HSTS Server https://www.origin1.com XHR/Fetch call, Document request HTTP * Chrome 4+, Edge 12+, FF 4+, IE 11, Safari 7+
Security Blanket ! Secure ○ Transmit only over HTTPS ! HttpOnly ○ Disallow access via JS ! SameSite (Chrome, Opera) ○ Useful against CSRF Reference: MDN Set-Cookie Flags Chrome 1+, Edge, FF 3+, IE 9, Safari 5+
Security Blanket ! CSP ! X-XSS-Options ! X-Content-Type-Options ! Referrer-Policy ! Subresource Integrity Just to note, if you’re serving a UI and not just an API. Reference: MDN
Resource Representation ! Decoupled representation ! Sanitized ! Leverage HTTP(s) ○ Keep real-world quirks in mind! Internal vs. External
Design, Mock, Debug ! Do it all in one place Our first priority is to get a usable API.
TODO: Add mock/test screenshots/video herehttps://www.townscript.com/e/walmart-meetup/booking
TODO: Add mock/test screenshots/video here
TODO: Add mock/test screenshots/video herehttps://www.townscript.com/e/walmart-meetup/booking
TODO: Add mock/test screenshots/video here
Versioning A quick word.
Versioning ! Twitter, 3 versions, 5 years ! Google Maps, 3 versions, 8+ years ! GitHub, 3 versions, 6+ years Try to avoid (breaking) versioning
Versioning ! Facebook Graph API ! Versions: ¯_(ツ)_/¯Try to avoid (breaking) versioning
Versioning ! Publishers want to update ASAP ! Consumers want to avoid updating ! Multiple versions = increased attack surface Try to avoid (breaking) versioning
Build
Security Blanket ! Enforce using static code analysis & testing ! Architecture as a forcing function Reference: MDN
Security Blanket ! Lint for security ! Test for security ! Make it harder to be insecure Static code analysis & testing
Security Blanket Architecture as a forcing function ! The larger your team, the more difficult it is to enforce your design
“A forcing function is an aspect of a design that prevents the user from taking an action without consciously considering information relevant to that action.” Security Blanket Reference: Interaction Design Foundation Architecture as a forcing function
Security Blanket ! Make it much harder to be insecure Architecture as a forcing function
Incoming Request Controller Application logic, doesn’t have to worry about headers at all. Outgoing Policy Adds all security headers by default. Can be configured with a list if necessary. Response Response has headers by default. It’s more work to get rid of them. Architecture as a forcing function
! Guidelines, not rules ! Do your own research ! Security comes in layers Wrapping up
Thank You! @godfrzero @postmanclient

More Related Content

PDF
Java Cloud and Container Ready
CodeOps Technologies LLP
 
PPTX
Advanced Postman for Better APIs - Web Summit 2018 - Cisco DevNet
Cisco DevNet
 
PPTX
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
PPTX
DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...
Cisco DevNet
 
PDF
Automated Infrastructure Security: Monitoring using FOSS
Sonatype
 
PDF
Operating Docker
Jen Andre
 
PDF
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
 
PDF
Security Patterns for Microservice Architectures - London Java Community 2020
Matt Raible
 
Java Cloud and Container Ready
CodeOps Technologies LLP
 
Advanced Postman for Better APIs - Web Summit 2018 - Cisco DevNet
Cisco DevNet
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...
Cisco DevNet
 
Automated Infrastructure Security: Monitoring using FOSS
Sonatype
 
Operating Docker
Jen Andre
 
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
 
Security Patterns for Microservice Architectures - London Java Community 2020
Matt Raible
 

What's hot (20)

PDF
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
PDF
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
PDF
20+ Ways to Bypass Your macOS Privacy Mechanisms
SecuRing
 
PDF
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Matt Raible
 
PDF
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
PDF
How to debug IoT Agents
Fernando Lopez Aguilar
 
PPTX
Agility Requires Safety
Yevgeniy Brikman
 
PDF
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham
 
PPTX
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
PDF
JHipster and Okta - JHipster Virtual Meetup December 2020
Matt Raible
 
PDF
Exploiting XPC in AntiVirus
Csaba Fitzl
 
PPTX
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
PDF
Lares from LOW to PWNED
Chris Gates
 
PDF
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
PDF
Open Canary - novahackers
Chris Gates
 
PDF
WebRTC beyond Audio and Video
Silvia Pfeiffer
 
PDF
Drone Continuous Integration
Daniel Cerecedo
 
PDF
Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...
Codemotion
 
PDF
20+ Ways To Bypass Your Macos Privacy Mechanisms
SecuRing
 
PDF
Security in Serverless world
Yan Cui
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
SecuRing
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Matt Raible
 
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
How to debug IoT Agents
Fernando Lopez Aguilar
 
Agility Requires Safety
Yevgeniy Brikman
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
JHipster and Okta - JHipster Virtual Meetup December 2020
Matt Raible
 
Exploiting XPC in AntiVirus
Csaba Fitzl
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
Lares from LOW to PWNED
Chris Gates
 
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
Open Canary - novahackers
Chris Gates
 
WebRTC beyond Audio and Video
Silvia Pfeiffer
 
Drone Continuous Integration
Daniel Cerecedo
 
Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...
Codemotion
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
SecuRing
 
Security in Serverless world
Yan Cui
 
Ad

Similar to Designing & Building Secure Web APIs (20)

PDF
Protecting Your APIs Against Attack & Hijack
CA API Management
 
PDF
Api security-testing
n|u - The Open Security Community
 
PDF
Creating a RESTful api without losing too much sleep
Mike Anderson
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
PDF
API SECURITY
Tubagus Rizky Dharmawan
 
PDF
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
apidays
 
PDF
OWASP API Security Top 10 Examples
42Crunch
 
PPTX
API Security - Null meet
vinoth kumar
 
PPTX
Rest WebAPI with OData
Mahek Merchant
 
PDF
WebApp_to_Container_Security.pdf
Anna Pasupathy, CISSP
 
PDF
Consumer centric api design v0.4.0
mustafa sarac
 
PPTX
Unit 3_detailed_automotiving_mobiles.pptx
VijaySasanM21IT
 
PDF
Virtual Meetup - API Security Best Practices
Jimmy Attia
 
PPTX
Secure Coding: SSL, SOAP, and REST
Salesforce Developers
 
PPTX
How to get along with HATEOAS without letting the bad guys steal your lunch?
Graham Charters
 
PDF
SecDevOps for API Security
42Crunch
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
apidays
 
PPTX
JSFoo Chennai 2012
Krishna T
 
PDF
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
apidays
 
PPTX
A Starters Guide to Building APIs with Javascript
All Things Open
 
Protecting Your APIs Against Attack & Hijack
CA API Management
 
Api security-testing
n|u - The Open Security Community
 
Creating a RESTful api without losing too much sleep
Mike Anderson
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
API SECURITY
Tubagus Rizky Dharmawan
 
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
apidays
 
OWASP API Security Top 10 Examples
42Crunch
 
API Security - Null meet
vinoth kumar
 
Rest WebAPI with OData
Mahek Merchant
 
WebApp_to_Container_Security.pdf
Anna Pasupathy, CISSP
 
Consumer centric api design v0.4.0
mustafa sarac
 
Unit 3_detailed_automotiving_mobiles.pptx
VijaySasanM21IT
 
Virtual Meetup - API Security Best Practices
Jimmy Attia
 
Secure Coding: SSL, SOAP, and REST
Salesforce Developers
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
Graham Charters
 
SecDevOps for API Security
42Crunch
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
apidays
 
JSFoo Chennai 2012
Krishna T
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
apidays
 
A Starters Guide to Building APIs with Javascript
All Things Open
 
Ad

More from CodeOps Technologies LLP (20)

PDF
AWS Serverless Event-driven Architecture - in lastminute.com meetup
CodeOps Technologies LLP
 
PPTX
Understanding azure batch service
CodeOps Technologies LLP
 
PDF
DEVOPS AND MACHINE LEARNING
CodeOps Technologies LLP
 
PDF
SERVERLESS MIDDLEWARE IN AZURE FUNCTIONS
CodeOps Technologies LLP
 
PPT
BUILDING SERVERLESS SOLUTIONS WITH AZURE FUNCTIONS
CodeOps Technologies LLP
 
PPTX
APPLYING DEVOPS STRATEGIES ON SCALE USING AZURE DEVOPS SERVICES
CodeOps Technologies LLP
 
PPTX
BUILD, TEST & DEPLOY .NET CORE APPS IN AZURE DEVOPS
CodeOps Technologies LLP
 
PPTX
CREATE RELIABLE AND LOW-CODE APPLICATION IN SERVERLESS MANNER
CodeOps Technologies LLP
 
PPTX
CREATING REAL TIME DASHBOARD WITH BLAZOR, AZURE FUNCTION COSMOS DB AN AZURE S...
CodeOps Technologies LLP
 
PPTX
WRITE SCALABLE COMMUNICATION APPLICATION WITH POWER OF SERVERLESS
CodeOps Technologies LLP
 
PPTX
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
CodeOps Technologies LLP
 
PPTX
Deploy Microservices To Kubernetes Without Secrets by Reenu Saluja
CodeOps Technologies LLP
 
PDF
Leverage Azure Tech stack for any Kubernetes cluster via Azure Arc by Saiyam ...
CodeOps Technologies LLP
 
PDF
YAML Tips For Kubernetes by Neependra Khare
CodeOps Technologies LLP
 
PDF
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
CodeOps Technologies LLP
 
PPTX
Monitor Azure Kubernetes Cluster With Prometheus by Mamta Jha
CodeOps Technologies LLP
 
PDF
Jet brains space intro presentation
CodeOps Technologies LLP
 
PDF
Functional Programming in Java 8 - Lambdas and Streams
CodeOps Technologies LLP
 
PPTX
Distributed Tracing: New DevOps Foundation
CodeOps Technologies LLP
 
PDF
"Distributed Tracing: New DevOps Foundation" by Jayesh Ahire
CodeOps Technologies LLP
 
AWS Serverless Event-driven Architecture - in lastminute.com meetup
CodeOps Technologies LLP
 
Understanding azure batch service
CodeOps Technologies LLP
 
DEVOPS AND MACHINE LEARNING
CodeOps Technologies LLP
 
SERVERLESS MIDDLEWARE IN AZURE FUNCTIONS
CodeOps Technologies LLP
 
BUILDING SERVERLESS SOLUTIONS WITH AZURE FUNCTIONS
CodeOps Technologies LLP
 
APPLYING DEVOPS STRATEGIES ON SCALE USING AZURE DEVOPS SERVICES
CodeOps Technologies LLP
 
BUILD, TEST & DEPLOY .NET CORE APPS IN AZURE DEVOPS
CodeOps Technologies LLP
 
CREATE RELIABLE AND LOW-CODE APPLICATION IN SERVERLESS MANNER
CodeOps Technologies LLP
 
CREATING REAL TIME DASHBOARD WITH BLAZOR, AZURE FUNCTION COSMOS DB AN AZURE S...
CodeOps Technologies LLP
 
WRITE SCALABLE COMMUNICATION APPLICATION WITH POWER OF SERVERLESS
CodeOps Technologies LLP
 
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
CodeOps Technologies LLP
 
Deploy Microservices To Kubernetes Without Secrets by Reenu Saluja
CodeOps Technologies LLP
 
Leverage Azure Tech stack for any Kubernetes cluster via Azure Arc by Saiyam ...
CodeOps Technologies LLP
 
YAML Tips For Kubernetes by Neependra Khare
CodeOps Technologies LLP
 
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
CodeOps Technologies LLP
 
Monitor Azure Kubernetes Cluster With Prometheus by Mamta Jha
CodeOps Technologies LLP
 
Jet brains space intro presentation
CodeOps Technologies LLP
 
Functional Programming in Java 8 - Lambdas and Streams
CodeOps Technologies LLP
 
Distributed Tracing: New DevOps Foundation
CodeOps Technologies LLP
 
"Distributed Tracing: New DevOps Foundation" by Jayesh Ahire
CodeOps Technologies LLP
 

Recently uploaded (20)

PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
System and Network Administration Chapter 2
jaramharo
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 

Designing & Building Secure Web APIs

  • 1. April 27, 2018 PRESENTED BY Designing & Building Secure Web APIs Vivek Thuravupala Software Engineer @ Postman
  • 5. So has API usage. 15B+ 10B+ 7B+ Average Daily API Calls (2016) Source: Programmable Web
  • 8. Application & API Collation, Transformation... Data-source Database, cache, 3rd Party API, etc. Client API Consumption & Presentation 

  • 9. Let’s build a GitHub proxy API! Application & API Collation, Transformation... Data-source Database, cache, 3rd Party API, etc. Client API Consumption & Presentation 

  • 11. ! Why build this API? ! Who is your consumer? ! What can they do with your API? ! Public consumption of private resources ! An open public-facing website ! Fetch activity frequency Planning
  • 12. ! Why build this API? ! Who is your consumer? ! What can they do with your API? ! Public consumption of private resources ! An open public-facing website ! Fetch activity frequency Planning
  • 13. ! Public consumption of private resources ! An open public-facing website ! Fetch activity frequency ! Why build this API? ! Who is your consumer? ! What can they do with your API? Planning
  • 14. Let’s take a quick peek at the GitHub API
  • 15. TODO: Add API screenshots here
  • 16. TODO: Add API screenshots here
  • 17. TODO: Add API screenshots here
  • 18. Application & API Collation, Transformation... Data-source Database, cache, 3rd Party API, etc. Client API Consumption & Presentation 
 Browser
  • 19. Security Blanket ! CORS ! HTTPS ! Strict-Transport-Security ! Set-Cookie: SameSite, Secure, HttpOnly ! X-Frame-Options ! Hide Application/Framework Headers Leverage the ecosystem
  • 20. Security Blanket Reference: MDN Cross-origin Resource Sharing Chrome 4+, Edge 12+, FF 3.5+, IE 10+, Safari 4+ https://www.origin2.com Get all emails https://www.origin1.com XHR/Fetch call
  • 21. Security Blanket Reference: MDN Cross-origin Resource Sharing https://www.origin2.com https://www.origin1.com XHR/Fetch call Chrome 4+, Edge 12+, FF 3.5+, IE 10+, Safari 4+
  • 22. Security Blanket Reference: MDN Cross-origin Resource Sharing https://www.origin2.com Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST https://www.origin1.com XHR/Fetch call OPTIONS POST Chrome 4+, Edge 12+, FF 3.5+, IE 10+, Safari 4+
  • 23. Cross-origin Resource Sharing Security Blanket ! XMLHttpRequest , Fetch API follow same-origin policy ! Different domain, protocol, or port ! Uses a pre-flight request if necessaryChrome 4+, Edge 12+, FF 3.5+, IE 10+, Safari 4+ Reference: MDN
  • 24. Security Blanket ! HTTP over TLS ! Enforced on the client ! Does not hide origin/destination IP Chrome 4+, Edge 12+, FF 4+, IE 11, Safari 7+ Reference: MDN HTTPS + HSTS
  • 25. Security Blanket Reference: MDN HTTPS + HSTS Server https://www.origin1.com XHR/Fetch call, Document request GET, * Strict-Transport-Security max-age: 31536000; includeSubdomains Chrome 4+, Edge 12+, FF 4+, IE 11, Safari 7+
  • 26. Security Blanket Reference: MDN HTTPS + HSTS Server https://www.origin1.com XHR/Fetch call, Document request HTTP * Chrome 4+, Edge 12+, FF 4+, IE 11, Safari 7+
  • 27. Security Blanket ! Secure ○ Transmit only over HTTPS ! HttpOnly ○ Disallow access via JS ! SameSite (Chrome, Opera) ○ Useful against CSRF Reference: MDN Set-Cookie Flags Chrome 1+, Edge, FF 3+, IE 9, Safari 5+
  • 28. Security Blanket ! CSP ! X-XSS-Options ! X-Content-Type-Options ! Referrer-Policy ! Subresource Integrity Just to note, if you’re serving a UI and not just an API. Reference: MDN
  • 29. Resource Representation ! Decoupled representation ! Sanitized ! Leverage HTTP(s) ○ Keep real-world quirks in mind! Internal vs. External
  • 30. Design, Mock, Debug ! Do it all in one place Our first priority is to get a usable API.
  • 31. TODO: Add mock/test screenshots/video herehttps://www.townscript.com/e/walmart-meetup/booking
  • 32. TODO: Add mock/test screenshots/video here
  • 33. TODO: Add mock/test screenshots/video herehttps://www.townscript.com/e/walmart-meetup/booking
  • 34. TODO: Add mock/test screenshots/video here
  • 36. Versioning ! Twitter, 3 versions, 5 years ! Google Maps, 3 versions, 8+ years ! GitHub, 3 versions, 6+ years Try to avoid (breaking) versioning
  • 37. Versioning ! Facebook Graph API ! Versions: ¯_(ツ)_/¯Try to avoid (breaking) versioning
  • 38. Versioning ! Publishers want to update ASAP ! Consumers want to avoid updating ! Multiple versions = increased attack surface Try to avoid (breaking) versioning
  • 39. Build
  • 40. Security Blanket ! Enforce using static code analysis & testing ! Architecture as a forcing function Reference: MDN
  • 41. Security Blanket ! Lint for security ! Test for security ! Make it harder to be insecure Static code analysis & testing
  • 42. Security Blanket Architecture as a forcing function ! The larger your team, the more difficult it is to enforce your design
  • 43. “A forcing function is an aspect of a design that prevents the user from taking an action without consciously considering information relevant to that action.” Security Blanket Reference: Interaction Design Foundation Architecture as a forcing function
  • 44. Security Blanket ! Make it much harder to be insecure Architecture as a forcing function
  • 45. Incoming Request Controller Application logic, doesn’t have to worry about headers at all. Outgoing Policy Adds all security headers by default. Can be configured with a list if necessary. Response Response has headers by default. It’s more work to get rid of them. Architecture as a forcing function
  • 46. ! Guidelines, not rules ! Do your own research ! Security comes in layers Wrapping up