A couple of months ago, I stumbled upon this list of 16 practices to secure your API:

Authentication: Verifies the identity of users accessing APIs.
Authorization: Determines permissions of authenticated users.
Data redaction: Obscures sensitive data for protection.
Encryption: Encodes data so only authorized parties can decode it.
Error handling: Manages responses when things go wrong, avoiding revealing sensitive info.
Input validation and data sanitization: Checks input data and removes harmful parts.
Intrusion detection systems: Monitor networks for suspicious activities.
IP Whitelisting: Permits API access only from trusted IP addresses.
Logging and monitoring: Keeps detailed logs and regularly monitors APIs.
Rate limiting: Limits user requests to prevent overload.
Secure dependencies: Ensures third-party code is free from vulnerabilities.
Security headers: Enhances site security against types of attacks like XSS.
Token expiry: Regularly expiring and renewing tokens prevents unauthorized access.
Use of security standards and frameworks: Guides your API security strategy.
Web application firewall: Protects your site from HTTP-specific attacks.
API versioning: Maintains different versions of your API for seamless updates.

While it’s debatable whether some points relate to security, e.g., versioning, the list is a good starting point anyway. In this two-post series, I’d like to describe how we can implement each point with Apache APISIX (or not).

Leave a Reply

Your email address will not be published. Required fields are marked *