Securing APIs
Securing calls and interfaces
14 min read · Oct 20, 2023
Real-world applications compose multiple APIs, each with its own user permissions and (possibly conflicting) security and privacy goals. When tools and service facilities are used outside the context they were designed for, they fumble, fail and break.
It is worth performing security testing regularly, including penetration testing and code reviews, to identify and fix vulnerabilities.
Insecure Transmission
Counter(s)
1. Ensure no SSL/TLS stripping (serve the API over HTTPS only and send HSTS so clients refuse a downgrade to plaintext).
2. Counter MitM (this can be done using a defensive API gateway).
2.1. Where possible use mutual authentication, e.g. TLS 1.2 or later with mTLS, to secure channels and deter MitM. Authenticate and validate API traffic with mTLS client certificates for mobile and IoT APIs, and with JSON Web Tokens (JWT) to block requests from illegitimate clients.
2.2. Ensure secure session management (session-based authentication).
Most API sessions are stateless (sometimes a state blob is sent as part of each transaction to protect and preserve session state); where a sequence of calls must happen in order, use session chaining so that each action is accepted only in the expected order and replayed requests are rejected.
2.2.1. Consider using only the session token or API key to maintain client state in a server-side cache. This is directly equivalent to how normal…
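To make 2.1 and 2.2 concrete, here is an added example (not code from the original article) of an application-layer request gate in Python, stdlib only: it verifies an HS256 JWT before trusting a caller, then keeps all client state in a server-side cache keyed by an opaque session token, with a per-session sequence number that enforces ordering and rejects replays. The HMAC key, the issuer and audience names and the sample requests are constructed for illustration; mTLS is assumed to be handled by the TLS terminator in front of this code and is not shown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key and names; a real deployment loads these from config/secrets.
HMAC_KEY = b"demo-hmac-key-not-for-production"
ISSUER, AUDIENCE = "api-gateway", "orders-api"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key=HMAC_KEY):
    """Issue an HS256 JWT (stands in for the gateway/IdP that signs tokens)."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token, key=HMAC_KEY, now=None):
    """Return the claims of a valid token or raise ValueError.
    The algorithm is pinned (a client-supplied "alg": "none" is refused), the
    signature is checked in constant time before any claim is trusted, and
    exp/iss/aud are enforced so a token for another API cannot be reused here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    return claims


class SessionStore:
    """Server-side session cache (2.2.1): the client holds only an opaque token;
    subject, expiry and the next expected sequence number live here, so a
    captured request cannot be replayed and steps cannot be skipped."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._sessions, self.ttl, self.clock = {}, ttl_seconds, clock

    def create(self, subject):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._sessions[token] = {"sub": subject, "next_seq": 1,
                                 "expires": self.clock() + self.ttl}
        return token

    def consume(self, token, seq):
        """Accept only if the session is live and seq is exactly the next expected
        number (session chaining + anti-replay). Returns (accepted, detail)."""
        state = self._sessions.get(token)
        if state is None:
            return False, "unknown session"
        if state["expires"] <= self.clock():
            del self._sessions[token]
            return False, "session expired"
        if seq != state["next_seq"]:
            return False, "out of order (expected %d, got %d)" % (state["next_seq"], seq)
        state["next_seq"] += 1
        state["expires"] = self.clock() + self.ttl  # sliding expiry
        return True, state["sub"]


def demo():
    """Constructed traffic: forged/alg-none/expired tokens, then a legitimate
    login followed by a replay and a skipped step. Returns (label, verdict) pairs."""
    t0 = 1_700_000_000.0
    store = SessionStore(ttl_seconds=900, clock=lambda: t0)
    base = {"sub": "alice", "iss": ISSUER, "aud": AUDIENCE, "exp": t0 + 300}
    good = mint_jwt(base)
    forged = mint_jwt(base, key=b"wrong-key")
    alg_none = _b64url_encode(b'{"alg":"none"}') + "." + good.split(".")[1] + "."
    expired = mint_jwt(dict(base, exp=t0 - 1))
    verdicts = []
    for label, tok in [("forged", forged), ("alg-none", alg_none), ("expired", expired)]:
        try:
            verify_jwt(tok, now=t0)
            verdicts.append((label, "accepted"))
        except ValueError as err:
            verdicts.append((label, "rejected: " + str(err)))
    session = store.create(verify_jwt(good, now=t0)["sub"])  # login issues a session
    for label, seq in [("first call", 1), ("replay of first call", 1),
                       ("skipped step", 3), ("second call", 2)]:
        ok, detail = store.consume(session, seq)
        verdicts.append((label, "accepted" if ok else "rejected: " + detail))
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:22s} {verdict}")
```

The sequence number is the minimal form of session chaining: each accepted call advances the server-side counter, so a captured request (same token, same seq) is refused and a client cannot jump ahead to a later step. In production the store would live in a shared cache (e.g. Redis) so every API instance sees the same state, and the JWT would normally be verified against the issuer's public key (RS256/ES256) rather than a shared HMAC secret.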