# API Security
# Minimal data exposure
The resource object MUST contain only the minimum information necessary for the client's use case.
Developers MUST NOT expose all object properties without assessing the sensitivity of each one, relying on clients to filter the data before displaying it to the user. Client-side filtering is not a security control: whatever the server sends is visible to anyone who reads the raw response.
Note : The resource object should let the server control which data are published and ensure that only data that are useful to the client are returned.
# Data level security
The server MUST ensure that users only have access to the resource objects they are allowed to see.
Note : APIs often expose endpoints that accept object identifiers supplied by the client. An object level authorization check should be performed in every function that accesses a data source with such an identifier, because a valid session proves who the caller is, not that the caller may access that particular object.
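The two rules above (minimal data exposure and object level authorization) applied to one read endpoint, as an added example written for this page rather than code from the original guideline. The `Invoice` model, the sample rows and the ownership rule are assumptions made for the illustration; the point is that the function that touches the data source checks ownership itself, and that the response is built from an explicit allowlist of fields rather than by dumping the object.

```python
from dataclasses import dataclass, asdict
from typing import Dict


class NotFound(Exception):
    """The object does not exist (map to HTTP 404)."""


class Forbidden(Exception):
    """The caller is authenticated but may not access this object (map to HTTP 403)."""


@dataclass
class Invoice:
    id: int
    owner_id: int
    amount_cents: int
    status: str
    # Internal fields that must never reach a client.
    internal_notes: str
    payment_token: str


# Constructed sample data standing in for a database table.
INVOICES: Dict[int, Invoice] = {
    1: Invoice(1, owner_id=10, amount_cents=4999, status="paid",
               internal_notes="chargeback risk", payment_token="tok_secret_1"),
    2: Invoice(2, owner_id=11, amount_cents=12000, status="open",
               internal_notes="", payment_token="tok_secret_2"),
}

# Allowlist of fields a client may see. A field added to the model later stays
# hidden until someone deliberately adds it here.
INVOICE_PUBLIC_FIELDS = ("id", "amount_cents", "status")


def serialize_invoice(inv: Invoice) -> dict:
    """Minimal data exposure: emit only the allowlisted fields."""
    data = asdict(inv)
    return {name: data[name] for name in INVOICE_PUBLIC_FIELDS}


def serialize_invoice_leaky(inv: Invoice) -> dict:
    """The anti-pattern: dump every property and trust the client to hide the rest."""
    return asdict(inv)


def can_read_invoice(current_user_id: int, inv: Invoice) -> bool:
    """Object-level rule (assumed for the example): only the owner may read an invoice."""
    return inv.owner_id == current_user_id


def get_invoice(current_user_id: int, invoice_id: int) -> dict:
    """GET /invoices/{id}: look up, authorize the object, then serialize minimally."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    # The id came from the client. A valid session proves who the caller is,
    # not that they may read this particular invoice, so the check lives here,
    # in the function that touches the data source.
    if not can_read_invoice(current_user_id, inv):
        raise Forbidden(invoice_id)
    return serialize_invoice(inv)
```

Whether a foreign object should answer 403 or 404 is a design choice: returning 404 for both cases avoids confirming to an enumerating client that the identifier exists.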
# Function level security
Developers MUST ensure that only authorized users have access to critical functions of the API.
Note : Distinct hierarchies, groups and roles, enforced on the server side inside every critical function, prevent critical functions of the API from being called by the wrong user and prevent privilege escalation (for example, a regular user reaching an administrative function by guessing its path).
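A role-based permission check enforced inside each critical function, as an added example (not code from the original guideline). The roles, the permission names and the `users:*` functions are assumptions for the illustration. Because the check is a decorator on the function rather than a rule on a URL, it still applies if the same function becomes reachable through another route or an older API version, and an unknown role gets no permissions at all.

```python
from functools import wraps
from typing import Callable, Dict, FrozenSet, List


class Forbidden(Exception):
    """Caller lacks the permission the function requires (map to HTTP 403)."""


class User:
    def __init__(self, user_id: int, role: str):
        # The role comes from the server-side user record or session,
        # never from a request parameter or a client-supplied header.
        self.user_id = user_id
        self.role = role


# Role hierarchy expressed as explicit permission sets (assumed for the example).
# A role not listed here gets no permissions at all: deny by default.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"users:read"}),
    "support": frozenset({"users:read", "users:reset_password"}),
    "admin": frozenset({"users:read", "users:reset_password", "users:delete"}),
}


def has_permission(user: User, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(user.role, frozenset())


def requires(permission: str) -> Callable:
    """Enforce a permission inside the function itself, independent of routing."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(current_user: User, *args, **kwargs):
            if not has_permission(current_user, permission):
                raise Forbidden(f"{permission} required")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


# Constructed sample data.
USERS: Dict[int, str] = {1: "alice", 2: "bob", 3: "carol"}


@requires("users:read")
def list_users(current_user: User) -> List[str]:
    return sorted(USERS.values())


@requires("users:reset_password")
def reset_password(current_user: User, target_id: int) -> bool:
    return target_id in USERS


@requires("users:delete")
def delete_user(current_user: User, target_id: int) -> bool:
    """Critical function: only a role holding users:delete may reach it."""
    return USERS.pop(target_id, None) is not None
```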
# Application level security
Developers MUST ensure that only authorized users have access to the API.
Note : Authentication mechanisms, where the API is not public, should be implemented correctly, as anything that compromises a system's ability to identify the caller is a major risk in API security.
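One correct shape for a token-based authentication mechanism, as an added example rather than code from the original guideline: an HMAC-SHA256 signed bearer token with an expiry, verified with a constant-time comparison before any claim in it is trusted. The key, the claim names (`sub`, `exp`) and the header handling are assumptions for the illustration; real deployments usually use an established token format and library, but the checks shown here are the ones such a library must perform.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for this example. In production the key comes from a secret
# store, is never committed to source control, and is rotated.
SERVER_KEY = b"example-key-do-not-use-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue an HMAC-SHA256 signed token carrying the subject and an expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode("utf-8")
    signature = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(signature)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the authenticated user id, or None if the token is invalid or expired.

    Every failure returns None rather than raising, so a malformed token can
    never be mistaken for an authenticated one by a careless caller.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, signature_b64 = token.split(".")
        payload = _unb64(payload_b64)
        signature = _unb64(signature_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Verify the signature before trusting anything in the payload, and use a
    # constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(signature, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims.get("sub")


def authenticate_request(headers: dict, now: Optional[float] = None) -> Optional[int]:
    """Extract a bearer token from the request headers and verify it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return verify_token(token, now)
```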
# Documentation
Developers MUST keep the documentation of their API up to date.
Note : APIs tend to expose more and more endpoints over time. Proper and updated documentation is highly important, as it provides the reference inventory against which deprecated API versions and exposed debug endpoints can be identified and removed.
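Documentation is only useful as an inventory if something compares it with what the application really serves. The following added example (not from the original guideline) diffs a list of registered routes against the documented ones and flags undocumented routes, routes in a deprecated version and routes under paths that look like debug or internal surfaces. The route lists, the version scheme and the suspicious-path pattern are constructed assumptions; in practice the registered list is read from the framework's router and the documented list from the published spec.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Route:
    method: str
    path: str


# Constructed: what the running application actually serves.
REGISTERED_ROUTES: List[Route] = [
    Route("GET", "/v1/users"),
    Route("GET", "/v1/users/{id}"),
    Route("GET", "/v2/users/{id}"),
    Route("POST", "/v2/users"),
    Route("GET", "/debug/env"),          # left in by mistake
    Route("GET", "/internal/heapdump"),  # never meant to be public
]

# Constructed: what the published documentation lists.
DOCUMENTED_ROUTES: Set[Route] = {
    Route("GET", "/v2/users/{id}"),
    Route("POST", "/v2/users"),
    Route("GET", "/v1/users/{id}"),      # documented, but in a deprecated version
}

DEPRECATED_VERSIONS: Set[str] = {"v1"}

# Path prefixes that should not exist on a production API (assumed list).
SUSPICIOUS_PATH = re.compile(r"^/(debug|internal|admin|test)(/|$)")


def path_version(path: str) -> str:
    """First path segment, e.g. '/v1/users' -> 'v1' (empty if there is none)."""
    parts = path.split("/")
    return parts[1] if len(parts) > 1 else ""


def audit_routes(registered: Iterable[Route], documented: Set[Route],
                 deprecated_versions: Set[str]) -> Dict[str, List[str]]:
    """Return the routes that need attention, grouped by finding type."""
    report: Dict[str, List[str]] = {"undocumented": [], "deprecated": [], "suspicious": []}
    for route in registered:
        label = f"{route.method} {route.path}"
        if route not in documented:
            report["undocumented"].append(label)
        if path_version(route.path) in deprecated_versions:
            report["deprecated"].append(label)
        if SUSPICIOUS_PATH.match(route.path):
            report["suspicious"].append(label)
    return report
```

Run as a check in the build pipeline, a non-empty `undocumented` or `suspicious` list fails the build, which keeps the documentation and the exposed surface from drifting apart.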
# Monitoring
Developers MUST make sure the usage of the API is monitored.
Note : Monitoring of the API serves two purposes: it allows developers to watch the performance of the API endpoints and to detect suspicious behaviour against them.
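Both purposes of monitoring applied to access logs, as an added example that is not part of the original guideline. The log format, the sample lines and the thresholds are constructed for the illustration. From the same events it derives a performance signal (slow endpoints) and two security signals: a client collecting many 403/404 responses on object endpoints (identifier enumeration) and a client accumulating 401 responses on the login endpoint (credential guessing).

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log format: ip [timestamp] "METHOD path" status latency
LOG_RE = re.compile(
    r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<ms>\d+)ms$'
)

# Constructed sample access log lines.
SAMPLE_LOG = """\
203.0.113.5 [2024-01-01T10:00:00Z] "GET /v2/invoices/100" 200 12ms
203.0.113.5 [2024-01-01T10:00:01Z] "GET /v2/invoices/101" 403 3ms
203.0.113.5 [2024-01-01T10:00:01Z] "GET /v2/invoices/102" 403 3ms
203.0.113.5 [2024-01-01T10:00:02Z] "GET /v2/invoices/103" 404 3ms
203.0.113.5 [2024-01-01T10:00:02Z] "GET /v2/invoices/104" 403 2ms
203.0.113.5 [2024-01-01T10:00:03Z] "GET /v2/invoices/105" 403 3ms
198.51.100.9 [2024-01-01T10:00:04Z] "POST /v2/login" 401 40ms
198.51.100.9 [2024-01-01T10:00:04Z] "POST /v2/login" 401 41ms
198.51.100.9 [2024-01-01T10:00:05Z] "POST /v2/login" 401 39ms
198.51.100.9 [2024-01-01T10:00:05Z] "POST /v2/login" 401 40ms
198.51.100.9 [2024-01-01T10:00:06Z] "POST /v2/login" 401 42ms
192.0.2.7 [2024-01-01T10:00:07Z] "GET /v2/reports/monthly" 200 850ms
192.0.2.7 [2024-01-01T10:00:08Z] "GET /v2/invoices/7" 200 9ms
this line is not in the expected format
"""


def parse_log(text: str) -> List[dict]:
    """Parse log lines into events; lines that do not match are skipped."""
    events: List[dict] = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # in a real pipeline, count these: they may hide tampering
        event = match.groupdict()
        event["status"] = int(event["status"])
        event["ms"] = int(event["ms"])
        events.append(event)
    return events


def analyze(events: List[dict], enum_threshold: int = 5,
            auth_fail_threshold: int = 5, slow_ms: int = 500) -> Dict[str, List[str]]:
    """Derive performance and security signals from parsed events."""
    denied_per_ip: Dict[str, int] = defaultdict(int)
    auth_failures_per_ip: Dict[str, int] = defaultdict(int)
    slow_paths: Dict[str, int] = defaultdict(int)
    for event in events:
        if event["status"] in (403, 404):
            denied_per_ip[event["ip"]] += 1          # identifier enumeration
        if event["status"] == 401 and event["path"].endswith("/login"):
            auth_failures_per_ip[event["ip"]] += 1   # credential guessing
        if event["ms"] >= slow_ms:
            slow_paths[event["path"]] += 1           # performance
    return {
        "enumeration": sorted(ip for ip, n in denied_per_ip.items() if n >= enum_threshold),
        "brute_force": sorted(ip for ip, n in auth_failures_per_ip.items() if n >= auth_fail_threshold),
        "slow_endpoints": sorted(slow_paths),
    }
```

The counts here are over the whole sample; a production detector computes them per time window and keys authentication failures on the target account as well as the source address, so that a distributed attack on one account is still visible.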
# Rate limiting
Developers MUST impose restrictions on the size or number of resources that can be requested by a client/user.
Note : Not implementing rate limiting has a direct impact on API server performance, up to Denial of Service (DoS), and also leaves the door open to scraping and brute-force authentication attacks.
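A token bucket rate limiter together with the two size restrictions the rule mentions (maximum request body and maximum page size), as an added example that is not part of the original guideline. The capacities, the limits and the `handle_request` shape are assumptions for the illustration; the clock is injectable so the behaviour can be demonstrated deterministically.

```python
import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Bucket:
    tokens: float
    last: float


class RateLimiter:
    """Token bucket per client key: `capacity` requests of burst, refilled at `rate` per second."""

    def __init__(self, capacity: int, rate: float, clock: Callable[[], float] = time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.buckets: Dict[str, Bucket] = {}

    def _refill(self, key: str) -> Bucket:
        now = self.clock()
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = Bucket(tokens=float(self.capacity), last=now)
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        bucket.tokens = min(float(self.capacity), bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        return bucket

    def allow(self, key: str, cost: int = 1) -> bool:
        bucket = self._refill(key)
        if bucket.tokens >= cost:
            bucket.tokens -= cost
            return True
        return False

    def retry_after(self, key: str, cost: int = 1) -> float:
        """Seconds until `cost` tokens are available again (0 if allowed now)."""
        bucket = self._refill(key)
        if bucket.tokens >= cost:
            return 0.0
        return (cost - bucket.tokens) / self.rate


class FakeClock:
    """Manual clock for deterministic demonstrations and tests."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


MAX_BODY_BYTES = 64 * 1024   # reject oversized bodies before parsing them (assumed limit)
MAX_PAGE_SIZE = 100          # cap the number of resources returned per call (assumed limit)


def handle_request(limiter: RateLimiter, client_key: str, body_len: int,
                   requested_page_size: int) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers), enforcing the size limit and the rate limit first."""
    if body_len > MAX_BODY_BYTES:
        return 413, {}
    if not limiter.allow(client_key):
        return 429, {"Retry-After": str(math.ceil(limiter.retry_after(client_key)))}
    page_size = max(1, min(requested_page_size, MAX_PAGE_SIZE))
    return 200, {"X-Page-Size": str(page_size)}
```

Authentication endpoints deserve a second, much tighter limiter keyed on both the source address and the target account, since the bucket above is sized for normal traffic and would still allow a slow credential-guessing attack.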