Secure Your REST API (The Right Way)

Les Hazlewood @lhazlewood
Apache Shiro PMC Chair
CTO, Stormpath
stormpath.com
Secure your REST API
(the right way)

.com
• User Management and Authentication
API
• Security for your applications
• User security workflows
• Security best practices
• Developer tools, SDKs, libraries

... is all about the headers
Learn more at Stormpath.com

1. Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com

2. Challenge Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm=“name”

3. Resubmit Request
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Authorization Header Format
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Scheme Name Scheme-specific Value
sp

4. Successful Response
HTTP/1.1 200 OK
Content-Type: application/json
...
{
“email”: “jsmith@gmail.com”,
“givenName”: “Joe”,
“surname”: Smith”,
...
}

Example: Oauth 1.0a
GET /accounts/1234 HTTP/1.1
Host: api.acme.com
Authorization: OAuth realm="Photos",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131200",
oauth_nonce="wIjqoS",
oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"

Example: Oauth 2
Host: api.acme.com
Authorization: Bearer mF_9.B5f-4.1JqM

Example: Oauth 2 MAC
Host: api.acme.com
Authorization: MAC id="h480djs93hd8",
nonce="264095:dj83hs9s”,
mac="SLDJd4mg43cjQfElUs3Qub4L6xE="

Ok, now that’s out of the way
• Please avoid Basic Authc if you can.
• Favor HMAC-SHA256 digest algorithms over
bearer token algorithms
• Use Oauth 1.0a or Oauth 2 (preferably MAC)
• Only use a custom scheme if you really,
really know what you’re doing.

Status Codes

401 vs 403
• 401 “Unauthorized” really means
Unauthenticated
“You need valid credentials for me to respond to
this request”
• 403 “Forbidden” really means Unauthorized
“I understood your credentials, but so sorry, you’re
not allowed!”

HTTP Authorization

HTTP Authorization
• After authc, perform authz
• Filter requests before invoking MVC layer
• Blanket security policies
• Per-URI customization

HTTP Authorization: OAuth
• OAuth is an authorization protocol, NOT
an authentication or SSO protocol.
• “Can I see User X’s email address please?”
NOT:
• “I want to authenticate User X w/ this
username and password”
• People still try to use OAuth for
authentication (OpenId Connect)

HTTP Authorization: OAuth
• When OAuth 2 is a good fit:
• If your REST clients do NOT own the data
they are attempting to read
• When Oauth 2 isn’t as good of a fit:
• If your REST client owns the data it is
reading
• Could still be fine if you’re willing to incur
some additional overhead

HTTP Authorization: JWT
• JWT = JSON Web Token
• Very new spec, but clean & simple
• JWTs can be digitally signed and/or
encrypted, and are URL friendly.
• Can be used as Bearer Tokens and for SSO

Best Practices

API Keys

API Keys, Not Passwords
• Entropy
• Independence
• Speed
• Reduced Exposure
• Traceability
• Rotation

API Keys cont’d
• Authenticate every request
• Encrypt API Key secret values at rest.
• Avoid Sessions (not RESTful)
• Authc every request + no sessions = no
XSRF attacks

Identifiers

Identifiers
/accounts/x2b4jX3l31uiL
Good
Not So Good
/accounts/1234
Why?

Identifiers
• Should be opaque
• Secure Random or Random/Time UUID
• URL-friendly ‘Base62’ encoding
• Avoid sequential numbers:
• distribute ID generation load
• mitigate fusking attacks

Query Injection

Query Injection
Vulnerable URL:
foo.com/accounts?acctId=‘ or ‘1’=‘1
String query =
“select * from accounts where acct_id = ‘” +
request.getParameter(“acctId”) + “’”;
Solution
• Use Parameterized Query API (Prepared
Statements).
• If not available, escape special chars

Redirects and Forwards

Redirects and Forwards
• Avoid redirects and forwards if possible
• If used, validate the value and ensure
authorized for the current user.
foo.com/redirect.jsp?url=evil.com
foo.com/whatever.jsp?fwd=admin.jsp

TLS

TLS
• Use TLS for everything
• Once electing to TLS:
– Never revert
– Never switch back and forth
• Cookies: set the ‘secure’ and ‘httpOnly’
flags for secure cookies
• Backend/infrastructure connections use
TLS too

TLS Cont’d
• Configure your SSL provider to only support
strong (FIPS 140-2 compliant) algorithms
• Use Cipher Suites w/ Perfect Forward
Secrecy!
–e.g.
ECDHE_RSA_WITH_AES_256_GCM_SHA256
• Keep your TLS certificates valid
• But beware, TLS isn’t foolproof
– App-level encryption + TLS for most secure
results

Configuration

Configuration
• CI: Security Testing
• Security Patches
• Regularly scan/audit
• Same config in Dev, Prod, QA*
– (Docker is great for this!)
• Externalize passwords/credentials
* Except credentials of course

Storage

Storage
• Sensitive data encrypted at rest
• Encrypt offsite backups
• Strong algorithms/standards
• Strong encryption keys and key mgt
• Strong password hashing
• External key storage
• Encrypted file system (e.g. eCryptfs)

Thank You!
• les@stormpath.com
• Twitter: @lhazlewood
• https://stormpath.com

.com
• Free for developers
• Eliminate months of development
• Automatic security best practices
Sign Up Now: Stormpath.com

Secure Your REST API (The Right Way)

More Related Content

What's hot (20)

Similar to Secure Your REST API (The Right Way) (20)

More from Stormpath (20)

Recently uploaded (20)

Secure Your REST API (The Right Way)