Today, APIs are a fundamental aspect of many business models (sometimes, they are even the business model itself). They form the basic framework of modern applications and enable developers to embed software components into apps that expand functionality and enhance user experience.
APIs can be broadly classified into four types:
- Public – Available for anyone to use (for example, Google Maps)
- Private – Available only to internal teams or within an application cluster
- Partner – Integrated with a third-party vendor (for example, an API that allows Netflix to be installed on a smart TV)
- Third-party – Exposed by third parties and located on their server
To learn more about API types, read about API Connectivity.
While APIs remain a force for rapid modernization, they can also expose sensitive data due to their characteristically open nature. According to F5’s 2021 Application Protection Report, nearly two‑thirds of API incidents occurred because APIs were completely exposed (without any access restrictions).
In today’s API-driven software landscape, it’s critical to devise a security strategy that builds API protection into the development process rather than bolting it on as an afterthought.
Why Is API Security Important?
With so many apps instantly delivering assets via API, rapid protection becomes essential. Bad actors regularly attempt to exploit the opportunities for unrestricted access created by various weak points in an API’s design. Like HTTP web requests, API calls include URIs, methods, headers, and other parameters which are all susceptible to an attack.
API Sprawl
A key element of modern API ecosystems that has increased potential attack surface is the proliferation of API endpoints. This is known as API sprawl and can pose an extreme threat to the security of your API ecosystem. The first step to building any strong and secure API infrastructure is managing API sprawl.
API sprawl results from two challenges that arise during digital transformation:
- Exponential growth in the number of APIs
- Physical distribution of APIs across multiple architectures and teams
The increasing adoption of modern microservices architectures can exacerbate API spawl, because such architectures use large numbers of APIs for communication both to interfaces (north-south traffic) and between microservices (east-west traffic).
Tactics to fight API sprawl include:
- Implementing an API governance strategy
- Creating a single source of truth for API discovery
- Ensuring proper versioning and documentation
- Providing metrics and visibility into API traffic
- Applying API security at scale
To dive into these tactics and how to implement them, read 5 Ways to Fight API Sprawl (And Why You Should Care).
To learn more about the proliferation of API endpoints’ effects and statistics, read F5’s report Continuous API Sprawl: Challenges and Opportunities in an API-Driven Economy.
OWASP API Security Top 10
The Open Web Application Security Project (OWASP) highlights the most common API vulnerabilities in their OWASP API Security Top 10 project:
API1. Broken Object Level Authorization – Endpoints that handle object identifiers are exposed, creating a wide attack surface.
API2. Broken User Authentication – Incorrect implementation of authentication mechanisms allows attackers to compromise authentication tokens or assume legitimate users’ identities.
API3. Excessive Data Exposure – Developers often expose all object properties which puts pressure on clients to execute data filtering before it reaches the user.
API4. Lack of Resources & Rate Limiting – APIs often don’t impose restrictions on how many resources can be requested by the client/user (or how big they are), which leads to poor API server performance, denial of service (DoS), and authentication flaws.
API5. Broken Function-Level Authorization – Access control policies with varying hierarchies, groups, and roles lead to authorization issues, which attackers can exploit to gain other users’ resources and/or administrative functions.
API6. Mass Assignment – Attackers can modify object properties due to incorrect properties filtering based on an allowlist.
API7. Security Misconfiguration – Configuration mistakes, including incomplete configurations, open cloud storage, misconfigured HTTP headers, and more, cause exploitable security.
API8. Injection – Injection flaws (for example, SQL, NoSQL, and Command Injection) occur when untrusted data is sent to an interpreter via a command or query, which attackers can then exploit to execute unintended commands or access data without correct authorization.
API9. Improper Assets Management – Because they expose so many endpoints, APIs need proper, up-to-date documentation to prevent bad actors from exploiting bugs.
API10. Insufficient Logging & Monitoring – Attackers can extract or destroy data by furthering attack systems and maintaining persistence when logging, monitoring, and integration with incident response are inadequate.
How to Secure APIs
Even with broader awareness of the need for API security, headline-grabbing breaches still happen. In their report API Security: What You Need to Know to Protect Your APIs, Gartner emphasizes that application team leaders need to design effective security strategies to protect their APIs.
Security must be built into every phase of the API lifecycle – from design to development to deployment. While a discovery tool (as seen in top-down security approaches) is a necessary component, we believe proper API security starts with the teams who are building and deploying APIs (see API-First and API Governance below). This approach to app and API security is known as shift left, where security controls are applied early in the software development lifecycle (SDLC) and can be automated in the CI/CD pipeline.
A complementary approach to shift left is protect right, which foregrounds methods like API discovery and use of a web application firewall (WAF) to combat threats at the network edge. While protecting right is an important line of defense, we believe that shifting left is crucial for building applications that are secure by design. If you don’t build defenses into your CI/CD pipeline and catch attacks early, you’re forced to react to attacks quickly as they occur (and sometimes end up working backwards).
Where to Implement API Security
API security overlaps multiple teams and systems. The table outlines some of the key points where you need to embed API security. By covering multiple layers, you can achieve a robust level of protection. Often these methods and technologies are implemented at the API gateway, or across a series of architectural check points.
|
|
Access Control |
Network Security |
Runtime Protection |
|
Description |
Manage authentication and authorization at API endpoints |
Provide secure network communication, deflect unwanted traffic at network level |
Mitigate common software vulnerabilities, prevent API abuse using bot-mitigation technology |
|
Technologies |
OAuth 2.0, OpenID Connect (OIDC), JSON Web Token (JWT), randomized API Key |
mTLS, DDoS mitigation, rate limiting, encryption |
Web application firewall, JSON schema validation, attack signature, anomaly detection |
API-First and API Governance
More and more, we see teams implementing an API-first development model. API-first means application design starts with the API, which is seen as a distinct, fundamental product.
One key benefit of an API-first model is that it simplifies API governance, providing control and visibility into complex systems. This enables you to ensure that APIs remain secure through their entire lifecycle and potential evolution.
Note: While there are multiple approaches to API governance, we recommend adaptive governance, which both empowers developers and gives Platform Ops the necessary control to ensure APIs remain reliable and secure.
API Discovery
With proper governance from the beginning, APIs become easily discoverable, both for developers using them and for security teams who need to protect them. But most organizations don’t start out with efficient and scaled API governance in place. Instead, they need to implement API governance and security across existing APIs as well as new APIs.
One serious problem has emerged with the widespread adoption of APIs: the tendency of APIs to slip into production without anyone knowing they exist other than their authors (API developers). Sometimes this is an oversight in the design and deployment process. These APIs are often referred to as “shadow APIs”.
In other scenarios, developers may move on to other roles or projects, eventually leaving no one who knows the APIs even exist. These are sometimes referred to as “zombie APIs.” They are operating without oversight and are hidden from everyone in the enterprise.
Automated API discovery tools can help you build an overall view of your current ecosystem, including where APIs are deployed, what APIs might contain sensitive data, and what security vulnerabilities may exist. Typically, once you discover an API, you can generate and export an OpenAPI Specification so you can migrate the API to your central API gateway and add it to your developer portal or API catalog.
API Protocols: API Security for SOAP, REST, and GraphQL
As with just about every other aspect of computing, API technology has changed over the past 25 years as developers have searched for ways to improve performance and reliability. Both the design philosophy and data representation of APIs have evolved and along with them the way data and traffic are secured. The timeline of popular API architectures can roughly be viewed as follows:
SOAP (1998-2010) → REST (2010-now) → GraphQL (2020-future)
SOAP APIs
Simple Objects Access Protocol (SOAP) APIs use digital signatures and encryption of the XML-formatted data to apply security at the message level. Message-level security is generally more comprehensive than security in a REST API architectural style (below). However, while praised for its portability, message-level security is now only seen in legacy web services.
REST APIs
Over the past decade, representational state transfer (REST) became the most popular architectural styles for APIs. Today, most web APIs are REST APIs. In REST, resources are identified by unique HTTP URIs and access control rules are based on a combination between HTTP verb and HTTP URI.
GraphQL APIs
GraphQL is an emerging query language for APIs. It puts front-end developers in control by allowing them to customize their API queries in the way that works best for their applications. All resources are accessed through a single URI. Because of this flexibility and control, GraphQL is becoming increasingly popular.
While SOAP and REST have tried-and-true access control methodologies, there aren’t yet well-established methods to apply access control across a GraphQL API.
Common Threats: SOAP vs. REST vs. GraphQL APIs
The chart lists the most common attacks and vulnerabilities for each type of API or architectural style.
|
|
SOAP APIs |
REST APIs |
GraphQL APIs |
|
✓ |
✓ |
✓ |
|
|
✓ |
✓ |
✓ |
|
|
✓ |
✓ |
✓ |
|
|
✓ |
|
|
|
|
✓ |
|
|
|
|
✓ |
|
|
|
|
✓ |
✓ |
|
|
|
✓ |
✓ |
|
|
|
✓ |
|
✓ |
|
|
✓ |
✓ |
✓ |
|
|
|
✓ |
|
|
|
|
✓ |
|
|
|
|
✓ |
✓ |
|
|
|
|
✓ |
|
|
|
✓ |
✓ |
|
|
|
|
✓ |
Best Practices: SOAP vs. REST vs. GraphQL APIs
Here, we summarize the best practices for implementing security with each type of API.
|
|
SOAP APIs |
REST APIs |
GraphQL APIs |
|
✓ |
✓ |
|
|
|
✓ |
|
|
|
|
|
✓ |
|
|
|
|
✓ |
|
|
|
|
✓ |
|
|
|
|
✓ |
|
|
|
|
✓ |
|
|
|
✓ |
✓ |
|
|
|
✓ |
|
|
|
|
|
✓ |
|
|
|
Validate API parameters |
|
✓ |
|
|
Query timeouts |
|
✓ |
✓ |
|
Limit query depth |
|
|
✓ |
|
Restrict access to resources |
|
✓ |
|
|
Use pagination |
|
✓ |
|
API Security for Different Deployments
Whether in the cloud, on premises, or in hybrid deployments, the technology stack you use to build your APIs changes how you secure them.
Layers of API Security
One of the most common ways to protect APIs is through a multi-layered defense strategy that applies different types of protection at each layer. This is often referred to as a “defense-in-depth” approach.
You can imagine these protections like a castle wall. Boundary defenses like API discovery and a WAF provide the outermost layer of protection. Once you enter through the gates, however, you are stopped at different checkpoints along the way. These checkpoints help prevent lateral movement through the castle and ensure you have the right credentials to access different parts of the castle itself. In modern application architectures, fine-grained access controls and additional identity verification at the API gateway and other points serve as these checkpoints.
The diagram below illustrates how these different layers are stacked to progressively protect APIs and applications as traffic move through the application architecture. Each layer includes some of the different technologies you might deploy to protect your APIs.
API Security Best Practices
In addition to the methods outline above, here are some other best practices for achieving robust API security across multiple vectors.
API Gateway and Web Application Firewall
An API gateway accepts API requests and directs them to the appropriate services. Deploying an API gateway allows you to control, monitor, and secure API traffic. That said, APIs behind an API gateway are still vulnerable to breaches. To bolster the security of your API gateway, consider deploying a web application firewall (WAF) to block attacks and other malicious traffic.
Encryption
Encryption is the process of encoding text into a "scrambled" form that cannot be read without reversing the encoding to reveal the original text. A best practice of encryption is end-to-end encryption (E2EE), where data is fully encrypted as it passes between from user to app and back again. Data is only viewable via decryption key, therefore restricting access to unintended users.
To further limit unwanted access, websites use mutual TLS (mTLS) to authenticate themselves with clients using a public certificate signed by a certificate authority (CA) and a private key. SSL/TLS private keys are used to authenticate, encrypt, and verify integrity of access. This reciprocated authentication protects both the confidentiality and validity of data. When the private key is compromised, attackers can impersonate a valid user (intercept network traffic and modify it) or decrypt it offline after recording it as it crosses the network in real time.
For instructions on using Let’s Encrypt (a free, automated, and open CA) to issue certificates, see Using Free Let’s Encrypt SSL/TLS Certificate with NGINX.
OAuth and OpenID Connect for Authentication and Authorization
OAuth is a widely used open source standard used by resource owners such as websites to allow access to their resources by clients who have obtained an access token from an approved third-party authorization server.
OAuth 2.0 is the updated, industry standard for authorization. It’s a protocol that allows for consented access by enabling APIs on HTTP services (e.g., Facebook) and makes it easy to interpret user data with different resources. These resources are shared between sites without using the user’s credentials, and instead by using username and password tokens.
OAuth can be enhanced with an additional identity layer known as OpenID Connect, which sits atop the OAuth 2.0 framework and extends it with identity tokens. By using identity tokens, OpenID Connect enables authentication of the user.
Robust security can be achieved through the combined authorization (AuthN) and authentication (AuthZ) methods of OAuth 2.0 and OpenID Connect.
Monitoring, Auditing, and Logging
As highlighted by API10 in the OWASP API Security Top 10, insufficient monitoring and logging can create openings for attacks.
A monitoring tool reveals useful information about application performance. Every activity that occurs in the API is considered a security event and is logged. The log file can then be examined for unauthorized activities.
Zero Trust for API Security
Traditional security models assume that users, applications, data, and devices operating within an established security boundary can be trusted. A Zero Trust approach recognizes that for today’s distributed applications – with application components and infrastructure spread across on-premises, hybrid, and multi-cloud environments – there is no security perimeter and therefore no such thing as a trusted "insider". It treats every element as a potential security threat and requires proof of authentication and authorization for every operation.
How NGINX Can Help
NGINX provides have multiple solutions for securing APIs and ensuring ongoing protection:
- App and API Security – Reduce security breaches and limit your organization’s exposure to malicious users with comprehensive protection. Benefits include Layer 7 attack protection, end-to-end encryption, single sign-on (SSO), elliptic curve cryptography, API authentication, and DDoS mitigation.
- Secure API Connectivity – Manage, monitor, govern, and secure private, partner, and external APIs across any environment (cloud, on-premises, or the edge). Products in our API Connectivity solution include NGINX Plus (deployable as an enterprise-grade API gateway), NGINX App Protect (WAF and DoS protection), and NGINX Management Suite API Connectivity Manager.
- Zero Trust Security for Kubernetes – Secure Kubernetes apps and APIs from edge to cloud without adding complexity and overhead. Products include NGINX Ingress Controller, NGINX Service Mesh, and NGINX App Protect (WAF and DoS protection).
