SlideShare a Scribd company logo

Rest API Security - A quick understanding of Rest API Security

Mohammed Fazuluddin
Mohammed Fazuluddin

This document discusses REST API security methods. It provides an overview of authentication and authorization and describes common security methods like cookie-based authentication, token-based authentication, OAuth, OpenID, and SAML. It then compares OAuth2, OpenID, and SAML and discusses best practices for securing REST APIs like protecting HTTP methods, validating URLs, using security headers, and encoding JSON input.

1 of 21
1
Rest API Security A Quick Introduction Of Rest API security Mohammed Fazuluddin
2
Topics  Overview  Rest API Security Methods  Details Of Security Methods  Comparisons Oauth2, OpenId and SAML  Selection Of Rest API Security Method  Best Practices To Secure REST API’S
3
Overview  Authentication is common way to handle security for all applications.  The basic keywords engaged in this process is “Authentication” and “Authorization”. Authentication can be defined as the process of verifying someone’s identity by using pre- required details (Commonly username and password).  Authorization is the process of allowing an authenticated user to access a specified resource (Ex:- right to access a file).  To secure the information which will be rendered in the client side then it should controlled be access the data with Authentication.  Currently lot of websites has integrated with security systems to protect their data from the hackers and to protect the data they should access the Rest API’s securely.
4
Rest API Security Methods  Following are the commonly used Rest API security methods which can be used to protect the Rest API access from the hackers.  Cookie-Based authentication  Token-Based authentication  Third party access(OAuth, API-token)  OpenId  SAML
5
Details Of Security Methods  Cookie based authentication:  has been the default method for handling user authentication for a long time.  The client posts the login credential to the server, server verifies the credential and creates session id which is stored in server(state-full) and returned to client via set-cookie.  On subsequent request the session id from the cookie is verified in the server and the request get processed.  Upon logout session id will be cleared from both client cookie and server.
Most read
6
Details Of Security Methods
7
Details Of Security Methods  Token based authentication:  single page applications(SPA) and statelessness(RESTful API’s)of the application.  There are different ways to implement token based authentication, we will focusing on most commonly used JSON Web Token(JWT).  On receiving the credentials from client the server validates the credentials and generates a signed JWT which contains the user information. Note, the token will never get stored in server(stateless).  On subsequent request the token will be passed to server and gets verified(decoded) in the server. The token can be maintained at client side in local storage, session storage or even in cookies.
8
Details Of Security Methods
9
Details Of Security Methods  Third party access(OAuth, API-token):  if we have a need to expose our API’s outside of our system like third party app or even to access it from mobile apps we end up in two common ways to share the user information.  Via API-token which is same as JWT token, where the token will be send via Authorization header which will get handled at API gateway to authenticate the user.  The other option is via Open Authentication(OAuth),OAuth is a protocol that allows an application to authenticate against server as a user.  The recommendation is to implement OAuth 1.0a or OAuth 2.0. OAuth 2.0 relies on HTTPS for security and it currently implemented by Google, Facebook, Twitter etc., OAuth 2 provides secured delegate access to a resource based on user..
10
Details Of Security Methods
11
Details Of Security Methods  OpenId:  is HTTP based protocol that uses identity provider to validate a user.  The user password is secured with one identity provider, this allows other service providers a way to achieve Single SignOn(SSO) without requiring password from user.  There are many OpenId enabled account on the internet and organizations such as Google, Facebook, Wordpress, Yahoo, PayPal etc., uses OpenId to authenticate users.  The latest version of OpenId is OpenId Connect, which provides OpenId(authentication) on top of OAuth 2.0(authorization) for complete security solution.
12
Details Of Security Methods
13
Details Of Security Methods  SAML:  Security assertion markup language makes use of the same Identity provider which we saw in OpenId, but it is XML based and more flexible.  The recommended version for SAML is 2.0. SAML also provides a way to achieve Single SignOn(SSO).  User can make use of the Identity provider URL to login into the system which redirects with XML data back to your application page which can then be decoded to get the user information.  We have SAML providers like G Suite, Office 365, OneLogin, Okta etc.,.
14
Details Of Security Methods
15
Comparisons Oauth2, OpenId and SAML
16
Selection Of Rest API Security Method  If you have to support a web application only, either cookies or tokens are fine - for cookies think about XSRF, for JWT take care of XSS.  If you have to support both a web application and a mobile client, go with an API that supports token-based authentication.  If you are building APIs that communicate with each other, go with request signing.
17
Best Practices To Secure REST API’S  Protect HTTP Methods:  RESTful APIs often use GET (read), POST (create), PUT (replace/update) and DELETE (to delete a record).Not all of these are valid choices for every single resource collection, user, or action.  Make sure the incoming HTTP method is valid for the session token/API key and associated resource collection, action, and record.  Protect HTTP Methods:  It is common with RESTful services to allow multiple methods for a given URL for different operations on that entity.For example, a GET request might read the entity, while PUT would update an existing entity, POST would create a new entity, and DELETE would delete an existing entity.
Most read
18
Best Practices To Secure REST API’S  Protect Privileged Actions and Sensitive Resource Collections:  The session token or API key should be sent along as a cookie or body parameter to ensure that privileged collections or actions are properly protected from unauthorized use.  Protect Against Cross-Site Request Forgery:  For resources exposed by RESTful web services, it's important to make sure any PUT, POST, and DELETE request is protected from Cross-Site Request Forgery.  Typically, one would use a token-based approach. CSRF is easily achieved — even using random tokens — if any XSS exists within your application, so please make sure you understand how to prevent XSS.
Most read
19
Best Practices To Secure REST API’S  URL Validations:  Web applications/web services use input from HTTP requests (and occasionally files) to determine how to respond.  Attackers can tamper with any part of an HTTP request, including the URL, query string, headers, cookies, form fields, and hidden fields, to try to bypass the site’s security mechanisms.  XML Input Validation:  XML-based services must ensure that they are protected against common XML-based attacks by using secure XML-parsing.  This typically means protecting against XML External Entity attacks, XML-signature wrapping, etc.
20
Best Practices To Secure REST API’S  Security Headers:  To make sure the content of a given resource is interpreted correctly by the browser, the server should always send the Content-Type header with the correct Content-Type, and the Content-Type header should preferably include a charset.  The server should also send an X-Content-Type-Options: nosniff to make sure the browser does not try to detect a different Content-Type than what is actually sent (as this can lead to XSS).  JSON Encoding:  A key concern with JSON encoders is preventing arbitrary JavaScript remote code execution within the browser... or, if you're using Node.js, on the server.  It's vital that you use a proper JSON serializer to encode user-supplied data properly to prevent the execution of user-supplied input on the browser.
21
THANKS If you feel that it is helpful and worthy to share with others then please like and share the same.
Rest API Security A Quick Introduction Of Rest API security Mohammed Fazuluddin
Topics  Overview  Rest API Security Methods  Details Of Security Methods  Comparisons Oauth2, OpenId and SAML  Selection Of Rest API Security Method  Best Practices To Secure REST API’S
Overview  Authentication is common way to handle security for all applications.  The basic keywords engaged in this process is “Authentication” and “Authorization”. Authentication can be defined as the process of verifying someone’s identity by using pre- required details (Commonly username and password).  Authorization is the process of allowing an authenticated user to access a specified resource (Ex:- right to access a file).  To secure the information which will be rendered in the client side then it should controlled be access the data with Authentication.  Currently lot of websites has integrated with security systems to protect their data from the hackers and to protect the data they should access the Rest API’s securely.
Rest API Security Methods  Following are the commonly used Rest API security methods which can be used to protect the Rest API access from the hackers.  Cookie-Based authentication  Token-Based authentication  Third party access(OAuth, API-token)  OpenId  SAML
Details Of Security Methods  Cookie based authentication:  has been the default method for handling user authentication for a long time.  The client posts the login credential to the server, server verifies the credential and creates session id which is stored in server(state-full) and returned to client via set-cookie.  On subsequent request the session id from the cookie is verified in the server and the request get processed.  Upon logout session id will be cleared from both client cookie and server.
Details Of Security Methods
Details Of Security Methods  Token based authentication:  single page applications(SPA) and statelessness(RESTful API’s)of the application.  There are different ways to implement token based authentication, we will focusing on most commonly used JSON Web Token(JWT).  On receiving the credentials from client the server validates the credentials and generates a signed JWT which contains the user information. Note, the token will never get stored in server(stateless).  On subsequent request the token will be passed to server and gets verified(decoded) in the server. The token can be maintained at client side in local storage, session storage or even in cookies.
Details Of Security Methods
Details Of Security Methods  Third party access(OAuth, API-token):  if we have a need to expose our API’s outside of our system like third party app or even to access it from mobile apps we end up in two common ways to share the user information.  Via API-token which is same as JWT token, where the token will be send via Authorization header which will get handled at API gateway to authenticate the user.  The other option is via Open Authentication(OAuth),OAuth is a protocol that allows an application to authenticate against server as a user.  The recommendation is to implement OAuth 1.0a or OAuth 2.0. OAuth 2.0 relies on HTTPS for security and it currently implemented by Google, Facebook, Twitter etc., OAuth 2 provides secured delegate access to a resource based on user..
Details Of Security Methods
Details Of Security Methods  OpenId:  is HTTP based protocol that uses identity provider to validate a user.  The user password is secured with one identity provider, this allows other service providers a way to achieve Single SignOn(SSO) without requiring password from user.  There are many OpenId enabled account on the internet and organizations such as Google, Facebook, Wordpress, Yahoo, PayPal etc., uses OpenId to authenticate users.  The latest version of OpenId is OpenId Connect, which provides OpenId(authentication) on top of OAuth 2.0(authorization) for complete security solution.
Details Of Security Methods
Details Of Security Methods  SAML:  Security assertion markup language makes use of the same Identity provider which we saw in OpenId, but it is XML based and more flexible.  The recommended version for SAML is 2.0. SAML also provides a way to achieve Single SignOn(SSO).  User can make use of the Identity provider URL to login into the system which redirects with XML data back to your application page which can then be decoded to get the user information.  We have SAML providers like G Suite, Office 365, OneLogin, Okta etc.,.
Details Of Security Methods
Comparisons Oauth2, OpenId and SAML
Selection Of Rest API Security Method  If you have to support a web application only, either cookies or tokens are fine - for cookies think about XSRF, for JWT take care of XSS.  If you have to support both a web application and a mobile client, go with an API that supports token-based authentication.  If you are building APIs that communicate with each other, go with request signing.
Best Practices To Secure REST API’S  Protect HTTP Methods:  RESTful APIs often use GET (read), POST (create), PUT (replace/update) and DELETE (to delete a record).Not all of these are valid choices for every single resource collection, user, or action.  Make sure the incoming HTTP method is valid for the session token/API key and associated resource collection, action, and record.  Protect HTTP Methods:  It is common with RESTful services to allow multiple methods for a given URL for different operations on that entity.For example, a GET request might read the entity, while PUT would update an existing entity, POST would create a new entity, and DELETE would delete an existing entity.
Best Practices To Secure REST API’S  Protect Privileged Actions and Sensitive Resource Collections:  The session token or API key should be sent along as a cookie or body parameter to ensure that privileged collections or actions are properly protected from unauthorized use.  Protect Against Cross-Site Request Forgery:  For resources exposed by RESTful web services, it's important to make sure any PUT, POST, and DELETE request is protected from Cross-Site Request Forgery.  Typically, one would use a token-based approach. CSRF is easily achieved — even using random tokens — if any XSS exists within your application, so please make sure you understand how to prevent XSS.
Best Practices To Secure REST API’S  URL Validations:  Web applications/web services use input from HTTP requests (and occasionally files) to determine how to respond.  Attackers can tamper with any part of an HTTP request, including the URL, query string, headers, cookies, form fields, and hidden fields, to try to bypass the site’s security mechanisms.  XML Input Validation:  XML-based services must ensure that they are protected against common XML-based attacks by using secure XML-parsing.  This typically means protecting against XML External Entity attacks, XML-signature wrapping, etc.
Best Practices To Secure REST API’S  Security Headers:  To make sure the content of a given resource is interpreted correctly by the browser, the server should always send the Content-Type header with the correct Content-Type, and the Content-Type header should preferably include a charset.  The server should also send an X-Content-Type-Options: nosniff to make sure the browser does not try to detect a different Content-Type than what is actually sent (as this can lead to XSS).  JSON Encoding:  A key concern with JSON encoders is preventing arbitrary JavaScript remote code execution within the browser... or, if you're using Node.js, on the server.  It's vital that you use a proper JSON serializer to encode user-supplied data properly to prevent the execution of user-supplied input on the browser.
THANKS If you feel that it is helpful and worthy to share with others then please like and share the same.
Ad

Recommended

Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and Prevention
Mohammed Fazuluddin
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
SmartBear
 
Research Proposal Presentation
Research Proposal PresentationResearch Proposal Presentation
Research Proposal Presentation
KumarNyaupane
 
API Design- Best Practices
API Design- Best PracticesAPI Design- Best Practices
API Design- Best Practices
Prakash Bhandari
 
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
apidays
 
Introduction to GraphQL Presentation.pptx
Introduction to GraphQL Presentation.pptxIntroduction to GraphQL Presentation.pptx
Introduction to GraphQL Presentation.pptx
Knoldus Inc.
 
gRPC with java
gRPC with javagRPC with java
gRPC with java
Knoldus Inc.
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple Steps
Tessa Mero
 
REST API
REST APIREST API
REST API
Tofazzal Ahmed
 
Introduction to REST - API
Introduction to REST - APIIntroduction to REST - API
Introduction to REST - API
Chetan Gadodia
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
What is an API?
What is an API?What is an API?
What is an API?
Muhammad Zuhdi
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Api Testing
Api TestingApi Testing
Api Testing
Vishwanath KC
 
API for Beginners
API for BeginnersAPI for Beginners
API for Beginners
Sébastien Saunier
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUD
Prem Sanil
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
API_Testing_with_Postman
API_Testing_with_PostmanAPI_Testing_with_Postman
API_Testing_with_Postman
Mithilesh Singh
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
Restful api
Restful apiRestful api
Restful api
Anurag Srivastava
 

More Related Content

What's hot (20)

Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple Steps
Tessa Mero
 
REST API
REST APIREST API
REST API
Tofazzal Ahmed
 
Introduction to REST - API
Introduction to REST - APIIntroduction to REST - API
Introduction to REST - API
Chetan Gadodia
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
What is an API?
What is an API?What is an API?
What is an API?
Muhammad Zuhdi
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Api Testing
Api TestingApi Testing
Api Testing
Vishwanath KC
 
API for Beginners
API for BeginnersAPI for Beginners
API for Beginners
Sébastien Saunier
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUD
Prem Sanil
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
API_Testing_with_Postman
API_Testing_with_PostmanAPI_Testing_with_Postman
API_Testing_with_Postman
Mithilesh Singh
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple Steps
Tessa Mero
 
REST API
REST APIREST API
REST API
Tofazzal Ahmed
 
Introduction to REST - API
Introduction to REST - APIIntroduction to REST - API
Introduction to REST - API
Chetan Gadodia
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
What is an API?
What is an API?What is an API?
What is an API?
Muhammad Zuhdi
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Api Testing
Api TestingApi Testing
Api Testing
Vishwanath KC
 
API for Beginners
API for BeginnersAPI for Beginners
API for Beginners
Sébastien Saunier
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUD
Prem Sanil
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
API_Testing_with_Postman
API_Testing_with_PostmanAPI_Testing_with_Postman
API_Testing_with_Postman
Mithilesh Singh
 

Similar to Rest API Security - A quick understanding of Rest API Security (20)

Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
Restful api
Restful apiRestful api
Restful api
Anurag Srivastava
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
Techniques for securing rest
Techniques for securing restTechniques for securing rest
Techniques for securing rest
Sudhakar Anivella
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
Bixlabs
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
guestd5dde6
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
n|u - The Open Security Community
 
Webapp security (with notes)
Webapp security (with notes)Webapp security (with notes)
Webapp security (with notes)
Igor Bossenko
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Single sign on assistant an authentication brokers
Single sign on assistant an authentication brokersSingle sign on assistant an authentication brokers
Single sign on assistant an authentication brokers
Finalyear Projects
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdf
Rubersy Ramos García
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdf
MohitRampal5
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
guest2a1135
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
Randy Connolly
 
GHC18 Abstract - API Security, a Grail Quest
GHC18 Abstract - API Security, a Grail QuestGHC18 Abstract - API Security, a Grail Quest
GHC18 Abstract - API Security, a Grail Quest
PaulaPaulSlides
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Spring Security services for web applications
Spring Security services for web applicationsSpring Security services for web applications
Spring Security services for web applications
StephenKoc1
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
Restful api
Restful apiRestful api
Restful api
Anurag Srivastava
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
Techniques for securing rest
Techniques for securing restTechniques for securing rest
Techniques for securing rest
Sudhakar Anivella
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
Bixlabs
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
guestd5dde6
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
n|u - The Open Security Community
 
Webapp security (with notes)
Webapp security (with notes)Webapp security (with notes)
Webapp security (with notes)
Igor Bossenko
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Single sign on assistant an authentication brokers
Single sign on assistant an authentication brokersSingle sign on assistant an authentication brokers
Single sign on assistant an authentication brokers
Finalyear Projects
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdf
Rubersy Ramos García
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdf
MohitRampal5
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
guest2a1135
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
Randy Connolly
 
GHC18 Abstract - API Security, a Grail Quest
GHC18 Abstract - API Security, a Grail QuestGHC18 Abstract - API Security, a Grail Quest
GHC18 Abstract - API Security, a Grail Quest
PaulaPaulSlides
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Spring Security services for web applications
Spring Security services for web applicationsSpring Security services for web applications
Spring Security services for web applications
StephenKoc1
 
Ad

More from Mohammed Fazuluddin (20)

Cloud Providers and Their Key Features Explained
Cloud Providers and Their Key Features ExplainedCloud Providers and Their Key Features Explained
Cloud Providers and Their Key Features Explained
Mohammed Fazuluddin
 
Database Performance Handling : A comprehensive guide
Database Performance Handling : A comprehensive guideDatabase Performance Handling : A comprehensive guide
Database Performance Handling : A comprehensive guide
Mohammed Fazuluddin
 
Design patterns Q&A | Important question and answers
Design patterns Q&A | Important question and answersDesign patterns Q&A | Important question and answers
Design patterns Q&A | Important question and answers
Mohammed Fazuluddin
 
Software-Requirements-to-System-Design Basics
Software-Requirements-to-System-Design BasicsSoftware-Requirements-to-System-Design Basics
Software-Requirements-to-System-Design Basics
Mohammed Fazuluddin
 
MEAN-vs-MERN-A-Developers-Guide and Explanation
MEAN-vs-MERN-A-Developers-Guide and ExplanationMEAN-vs-MERN-A-Developers-Guide and Explanation
MEAN-vs-MERN-A-Developers-Guide and Explanation
Mohammed Fazuluddin
 
Cloud AI Deployment Design Patterns - Learn the Basic Deployment Patterns
Cloud AI Deployment Design Patterns - Learn the Basic Deployment PatternsCloud AI Deployment Design Patterns - Learn the Basic Deployment Patterns
Cloud AI Deployment Design Patterns - Learn the Basic Deployment Patterns
Mohammed Fazuluddin
 
Auto-scaling-real-time-software-applications-and-best-practices.pdf
Auto-scaling-real-time-software-applications-and-best-practices.pdfAuto-scaling-real-time-software-applications-and-best-practices.pdf
Auto-scaling-real-time-software-applications-and-best-practices.pdf
Mohammed Fazuluddin
 
Java Version(v5 -v23) Features with sample code snippet
Java Version(v5 -v23) Features with sample code snippetJava Version(v5 -v23) Features with sample code snippet
Java Version(v5 -v23) Features with sample code snippet
Mohammed Fazuluddin
 
Cloud Architecture Framework Pillar’s.pdf
Cloud Architecture Framework Pillar’s.pdfCloud Architecture Framework Pillar’s.pdf
Cloud Architecture Framework Pillar’s.pdf
Mohammed Fazuluddin
 
Implementing Generative AI and Machine Learning on GCP: Architectures, Use Ca...
Implementing Generative AI and Machine Learning on GCP: Architectures, Use Ca...Implementing Generative AI and Machine Learning on GCP: Architectures, Use Ca...
Implementing Generative AI and Machine Learning on GCP: Architectures, Use Ca...
Mohammed Fazuluddin
 
LEVERAGING AWS GENERATIVE AI: ARCHITECTURAL INSIGHTS AND REAL-WORLD IMPLEMENT...
LEVERAGING AWS GENERATIVE AI: ARCHITECTURAL INSIGHTS AND REAL-WORLD IMPLEMENT...LEVERAGING AWS GENERATIVE AI: ARCHITECTURAL INSIGHTS AND REAL-WORLD IMPLEMENT...
LEVERAGING AWS GENERATIVE AI: ARCHITECTURAL INSIGHTS AND REAL-WORLD IMPLEMENT...
Mohammed Fazuluddin
 
Basics of GraphQL : Unlocking the Power of GraphQL
Basics of GraphQL : Unlocking the Power of GraphQLBasics of GraphQL : Unlocking the Power of GraphQL
Basics of GraphQL : Unlocking the Power of GraphQL
Mohammed Fazuluddin
 
DOMAIN DRIVER DESIGN
DOMAIN DRIVER DESIGNDOMAIN DRIVER DESIGN
DOMAIN DRIVER DESIGN
Mohammed Fazuluddin
 
New Relic Basics
New Relic BasicsNew Relic Basics
New Relic Basics
Mohammed Fazuluddin
 
Terraform Basics
Terraform BasicsTerraform Basics
Terraform Basics
Mohammed Fazuluddin
 
Software architectural patterns - A Quick Understanding Guide
Software architectural patterns - A Quick Understanding GuideSoftware architectural patterns - A Quick Understanding Guide
Software architectural patterns - A Quick Understanding Guide
Mohammed Fazuluddin
 
Mule ESB - An Enterprise Service Bus
Mule ESB - An Enterprise Service BusMule ESB - An Enterprise Service Bus
Mule ESB - An Enterprise Service Bus
Mohammed Fazuluddin
 
Docker - A Quick Introduction Guide
Docker - A Quick Introduction GuideDocker - A Quick Introduction Guide
Docker - A Quick Introduction Guide
Mohammed Fazuluddin
 
Cassandra - A Basic Introduction Guide
Cassandra - A Basic Introduction GuideCassandra - A Basic Introduction Guide
Cassandra - A Basic Introduction Guide
Mohammed Fazuluddin
 
React JS - A quick introduction tutorial
React JS - A quick introduction tutorialReact JS - A quick introduction tutorial
React JS - A quick introduction tutorial
Mohammed Fazuluddin
 
Cloud Providers and Their Key Features Explained
Cloud Providers and Their Key Features ExplainedCloud Providers and Their Key Features Explained
Cloud Providers and Their Key Features Explained
Mohammed Fazuluddin
 
Database Performance Handling : A comprehensive guide
Database Performance Handling : A comprehensive guideDatabase Performance Handling : A comprehensive guide
Database Performance Handling : A comprehensive guide
Mohammed Fazuluddin
 
Design patterns Q&A | Important question and answers
Design patterns Q&A | Important question and answersDesign patterns Q&A | Important question and answers
Design patterns Q&A | Important question and answers
Mohammed Fazuluddin
 
Software-Requirements-to-System-Design Basics
Software-Requirements-to-System-Design BasicsSoftware-Requirements-to-System-Design Basics
Software-Requirements-to-System-Design Basics
Mohammed Fazuluddin
 
MEAN-vs-MERN-A-Developers-Guide and Explanation
MEAN-vs-MERN-A-Developers-Guide and ExplanationMEAN-vs-MERN-A-Developers-Guide and Explanation
MEAN-vs-MERN-A-Developers-Guide and Explanation
Mohammed Fazuluddin
 
Cloud AI Deployment Design Patterns - Learn the Basic Deployment Patterns
Cloud AI Deployment Design Patterns - Learn the Basic Deployment PatternsCloud AI Deployment Design Patterns - Learn the Basic Deployment Patterns
Cloud AI Deployment Design Patterns - Learn the Basic Deployment Patterns
Mohammed Fazuluddin
 
Auto-scaling-real-time-software-applications-and-best-practices.pdf
Auto-scaling-real-time-software-applications-and-best-practices.pdfAuto-scaling-real-time-software-applications-and-best-practices.pdf
Auto-scaling-real-time-software-applications-and-best-practices.pdf
Mohammed Fazuluddin
 
Java Version(v5 -v23) Features with sample code snippet
Java Version(v5 -v23) Features with sample code snippetJava Version(v5 -v23) Features with sample code snippet
Java Version(v5 -v23) Features with sample code snippet
Mohammed Fazuluddin
 
Cloud Architecture Framework Pillar’s.pdf
Cloud Architecture Framework Pillar’s.pdfCloud Architecture Framework Pillar’s.pdf
Cloud Architecture Framework Pillar’s.pdf
Mohammed Fazuluddin
 
Implementing Generative AI and Machine Learning on GCP: Architectures, Use Ca...
Implementing Generative AI and Machine Learning on GCP: Architectures, Use Ca...Implementing Generative AI and Machine Learning on GCP: Architectures, Use Ca...
Implementing Generative AI and Machine Learning on GCP: Architectures, Use Ca...
Mohammed Fazuluddin
 
LEVERAGING AWS GENERATIVE AI: ARCHITECTURAL INSIGHTS AND REAL-WORLD IMPLEMENT...
LEVERAGING AWS GENERATIVE AI: ARCHITECTURAL INSIGHTS AND REAL-WORLD IMPLEMENT...LEVERAGING AWS GENERATIVE AI: ARCHITECTURAL INSIGHTS AND REAL-WORLD IMPLEMENT...
LEVERAGING AWS GENERATIVE AI: ARCHITECTURAL INSIGHTS AND REAL-WORLD IMPLEMENT...
Mohammed Fazuluddin
 
Basics of GraphQL : Unlocking the Power of GraphQL
Basics of GraphQL : Unlocking the Power of GraphQLBasics of GraphQL : Unlocking the Power of GraphQL
Basics of GraphQL : Unlocking the Power of GraphQL
Mohammed Fazuluddin
 
DOMAIN DRIVER DESIGN
DOMAIN DRIVER DESIGNDOMAIN DRIVER DESIGN
DOMAIN DRIVER DESIGN
Mohammed Fazuluddin
 
New Relic Basics
New Relic BasicsNew Relic Basics
New Relic Basics
Mohammed Fazuluddin
 
Terraform Basics
Terraform BasicsTerraform Basics
Terraform Basics
Mohammed Fazuluddin
 
Software architectural patterns - A Quick Understanding Guide
Software architectural patterns - A Quick Understanding GuideSoftware architectural patterns - A Quick Understanding Guide
Software architectural patterns - A Quick Understanding Guide
Mohammed Fazuluddin
 
Mule ESB - An Enterprise Service Bus
Mule ESB - An Enterprise Service BusMule ESB - An Enterprise Service Bus
Mule ESB - An Enterprise Service Bus
Mohammed Fazuluddin
 
Docker - A Quick Introduction Guide
Docker - A Quick Introduction GuideDocker - A Quick Introduction Guide
Docker - A Quick Introduction Guide
Mohammed Fazuluddin
 
Cassandra - A Basic Introduction Guide
Cassandra - A Basic Introduction GuideCassandra - A Basic Introduction Guide
Cassandra - A Basic Introduction Guide
Mohammed Fazuluddin
 
React JS - A quick introduction tutorial
React JS - A quick introduction tutorialReact JS - A quick introduction tutorial
React JS - A quick introduction tutorial
Mohammed Fazuluddin
 
Ad

Recently uploaded (20)

Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!
PhilMeredith3
 
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdfHow to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
QuickBooks Training
 
Top 5 Task Management Software to Boost Productivity in 2025
Top 5 Task Management Software to Boost Productivity in 2025Top 5 Task Management Software to Boost Productivity in 2025
Top 5 Task Management Software to Boost Productivity in 2025
Orangescrum
 
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
SheenBrisals
 
Leveraging Foundation Models to Infer Intents
Leveraging Foundation Models to Infer IntentsLeveraging Foundation Models to Infer Intents
Leveraging Foundation Models to Infer Intents
Keheliya Gallaba
 
How Insurance Policy Management Software Streamlines Operations
How Insurance Policy Management Software Streamlines OperationsHow Insurance Policy Management Software Streamlines Operations
How Insurance Policy Management Software Streamlines Operations
Insurance Tech Services
 
Integrating Survey123 and R&H Data Using FME
Integrating Survey123 and R&H Data Using FMEIntegrating Survey123 and R&H Data Using FME
Integrating Survey123 and R&H Data Using FME
Safe Software
 
The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...
Prachi Desai
 
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI SearchAgentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Maxim Salnikov
 
FME for Climate Data: Turning Big Data into Actionable Insights
FME for Climate Data: Turning Big Data into Actionable InsightsFME for Climate Data: Turning Big Data into Actionable Insights
FME for Climate Data: Turning Big Data into Actionable Insights
Safe Software
 
Agile Software Engineering Methodologies
Agile Software Engineering MethodologiesAgile Software Engineering Methodologies
Agile Software Engineering Methodologies
Gaurav Sharma
 
Essentials of Resource Planning in a Downturn
Essentials of Resource Planning in a DownturnEssentials of Resource Planning in a Downturn
Essentials of Resource Planning in a Downturn
OnePlan Solutions
 
Artificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across IndustriesArtificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across Industries
SandeepKS52
 
Online Queue Management System for Public Service Offices [Focused on Municip...
Online Queue Management System for Public Service Offices [Focused on Municip...Online Queue Management System for Public Service Offices [Focused on Municip...
Online Queue Management System for Public Service Offices [Focused on Municip...
Rishab Acharya
 
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentricIntegration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Natan Silnitsky
 
Generative Artificial Intelligence and its Applications
Generative Artificial Intelligence and its ApplicationsGenerative Artificial Intelligence and its Applications
Generative Artificial Intelligence and its Applications
SandeepKS52
 
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The SequelMarketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
BradBedford3
 
COBOL Programming with VSCode - IBM Certificate
COBOL Programming with VSCode - IBM CertificateCOBOL Programming with VSCode - IBM Certificate
COBOL Programming with VSCode - IBM Certificate
VICTOR MAESTRE RAMIREZ
 
Micro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Micro-Metrics Every Performance Engineer Should Validate Before Sign-OffMicro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Micro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Tier1 app
 
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Safe Software
 
Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!
PhilMeredith3
 
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdfHow to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
QuickBooks Training
 
Top 5 Task Management Software to Boost Productivity in 2025
Top 5 Task Management Software to Boost Productivity in 2025Top 5 Task Management Software to Boost Productivity in 2025
Top 5 Task Management Software to Boost Productivity in 2025
Orangescrum
 
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
Eliminate the complexities of Event-Driven Architecture with Domain-Driven De...
SheenBrisals
 
Leveraging Foundation Models to Infer Intents
Leveraging Foundation Models to Infer IntentsLeveraging Foundation Models to Infer Intents
Leveraging Foundation Models to Infer Intents
Keheliya Gallaba
 
How Insurance Policy Management Software Streamlines Operations
How Insurance Policy Management Software Streamlines OperationsHow Insurance Policy Management Software Streamlines Operations
How Insurance Policy Management Software Streamlines Operations
Insurance Tech Services
 
Integrating Survey123 and R&H Data Using FME
Integrating Survey123 and R&H Data Using FMEIntegrating Survey123 and R&H Data Using FME
Integrating Survey123 and R&H Data Using FME
Safe Software
 
The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...
Prachi Desai
 
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI SearchAgentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Maxim Salnikov
 
FME for Climate Data: Turning Big Data into Actionable Insights
FME for Climate Data: Turning Big Data into Actionable InsightsFME for Climate Data: Turning Big Data into Actionable Insights
FME for Climate Data: Turning Big Data into Actionable Insights
Safe Software
 
Agile Software Engineering Methodologies
Agile Software Engineering MethodologiesAgile Software Engineering Methodologies
Agile Software Engineering Methodologies
Gaurav Sharma
 
Essentials of Resource Planning in a Downturn
Essentials of Resource Planning in a DownturnEssentials of Resource Planning in a Downturn
Essentials of Resource Planning in a Downturn
OnePlan Solutions
 
Artificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across IndustriesArtificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across Industries
SandeepKS52
 
Online Queue Management System for Public Service Offices [Focused on Municip...
Online Queue Management System for Public Service Offices [Focused on Municip...Online Queue Management System for Public Service Offices [Focused on Municip...
Online Queue Management System for Public Service Offices [Focused on Municip...
Rishab Acharya
 
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentricIntegration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Natan Silnitsky
 
Generative Artificial Intelligence and its Applications
Generative Artificial Intelligence and its ApplicationsGenerative Artificial Intelligence and its Applications
Generative Artificial Intelligence and its Applications
SandeepKS52
 
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The SequelMarketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
BradBedford3
 
COBOL Programming with VSCode - IBM Certificate
COBOL Programming with VSCode - IBM CertificateCOBOL Programming with VSCode - IBM Certificate
COBOL Programming with VSCode - IBM Certificate
VICTOR MAESTRE RAMIREZ
 
Micro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Micro-Metrics Every Performance Engineer Should Validate Before Sign-OffMicro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Micro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Tier1 app
 
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Safe Software
 

Rest API Security - A quick understanding of Rest API Security

  • 1. Rest API Security A Quick Introduction Of Rest API security Mohammed Fazuluddin
  • 2. Topics  Overview  Rest API Security Methods  Details Of Security Methods  Comparisons Oauth2, OpenId and SAML  Selection Of Rest API Security Method  Best Practices To Secure REST API’S
  • 3. Overview  Authentication is common way to handle security for all applications.  The basic keywords engaged in this process is “Authentication” and “Authorization”. Authentication can be defined as the process of verifying someone’s identity by using pre- required details (Commonly username and password).  Authorization is the process of allowing an authenticated user to access a specified resource (Ex:- right to access a file).  To secure the information which will be rendered in the client side then it should controlled be access the data with Authentication.  Currently lot of websites has integrated with security systems to protect their data from the hackers and to protect the data they should access the Rest API’s securely.
  • 4. Rest API Security Methods  Following are the commonly used Rest API security methods which can be used to protect the Rest API access from the hackers.  Cookie-Based authentication  Token-Based authentication  Third party access(OAuth, API-token)  OpenId  SAML
  • 5. Details Of Security Methods  Cookie based authentication:  has been the default method for handling user authentication for a long time.  The client posts the login credential to the server, server verifies the credential and creates session id which is stored in server(state-full) and returned to client via set-cookie.  On subsequent request the session id from the cookie is verified in the server and the request get processed.  Upon logout session id will be cleared from both client cookie and server.
  • 7. Details Of Security Methods  Token based authentication:  single page applications(SPA) and statelessness(RESTful API’s)of the application.  There are different ways to implement token based authentication, we will focusing on most commonly used JSON Web Token(JWT).  On receiving the credentials from client the server validates the credentials and generates a signed JWT which contains the user information. Note, the token will never get stored in server(stateless).  On subsequent request the token will be passed to server and gets verified(decoded) in the server. The token can be maintained at client side in local storage, session storage or even in cookies.
  • 9. Details Of Security Methods  Third party access(OAuth, API-token):  if we have a need to expose our API’s outside of our system like third party app or even to access it from mobile apps we end up in two common ways to share the user information.  Via API-token which is same as JWT token, where the token will be send via Authorization header which will get handled at API gateway to authenticate the user.  The other option is via Open Authentication(OAuth),OAuth is a protocol that allows an application to authenticate against server as a user.  The recommendation is to implement OAuth 1.0a or OAuth 2.0. OAuth 2.0 relies on HTTPS for security and it currently implemented by Google, Facebook, Twitter etc., OAuth 2 provides secured delegate access to a resource based on user..
  • 11. Details Of Security Methods  OpenId:  is HTTP based protocol that uses identity provider to validate a user.  The user password is secured with one identity provider, this allows other service providers a way to achieve Single SignOn(SSO) without requiring password from user.  There are many OpenId enabled account on the internet and organizations such as Google, Facebook, Wordpress, Yahoo, PayPal etc., uses OpenId to authenticate users.  The latest version of OpenId is OpenId Connect, which provides OpenId(authentication) on top of OAuth 2.0(authorization) for complete security solution.
  • 13. Details Of Security Methods  SAML:  Security assertion markup language makes use of the same Identity provider which we saw in OpenId, but it is XML based and more flexible.  The recommended version for SAML is 2.0. SAML also provides a way to achieve Single SignOn(SSO).  User can make use of the Identity provider URL to login into the system which redirects with XML data back to your application page which can then be decoded to get the user information.  We have SAML providers like G Suite, Office 365, OneLogin, Okta etc.,.
  • 16. Selection Of Rest API Security Method  If you have to support a web application only, either cookies or tokens are fine - for cookies think about XSRF, for JWT take care of XSS.  If you have to support both a web application and a mobile client, go with an API that supports token-based authentication.  If you are building APIs that communicate with each other, go with request signing.
  • 17. Best Practices To Secure REST API’S  Protect HTTP Methods:  RESTful APIs often use GET (read), POST (create), PUT (replace/update) and DELETE (to delete a record).Not all of these are valid choices for every single resource collection, user, or action.  Make sure the incoming HTTP method is valid for the session token/API key and associated resource collection, action, and record.  Protect HTTP Methods:  It is common with RESTful services to allow multiple methods for a given URL for different operations on that entity.For example, a GET request might read the entity, while PUT would update an existing entity, POST would create a new entity, and DELETE would delete an existing entity.
  • 18. Best Practices To Secure REST API’S  Protect Privileged Actions and Sensitive Resource Collections:  The session token or API key should be sent along as a cookie or body parameter to ensure that privileged collections or actions are properly protected from unauthorized use.  Protect Against Cross-Site Request Forgery:  For resources exposed by RESTful web services, it's important to make sure any PUT, POST, and DELETE request is protected from Cross-Site Request Forgery.  Typically, one would use a token-based approach. CSRF is easily achieved — even using random tokens — if any XSS exists within your application, so please make sure you understand how to prevent XSS.
  • 19. Best Practices To Secure REST API’S  URL Validations:  Web applications/web services use input from HTTP requests (and occasionally files) to determine how to respond.  Attackers can tamper with any part of an HTTP request, including the URL, query string, headers, cookies, form fields, and hidden fields, to try to bypass the site’s security mechanisms.  XML Input Validation:  XML-based services must ensure that they are protected against common XML-based attacks by using secure XML-parsing.  This typically means protecting against XML External Entity attacks, XML-signature wrapping, etc.
  • 20. Best Practices To Secure REST API’S  Security Headers:  To make sure the content of a given resource is interpreted correctly by the browser, the server should always send the Content-Type header with the correct Content-Type, and the Content-Type header should preferably include a charset.  The server should also send an X-Content-Type-Options: nosniff to make sure the browser does not try to detect a different Content-Type than what is actually sent (as this can lead to XSS).  JSON Encoding:  A key concern with JSON encoders is preventing arbitrary JavaScript remote code execution within the browser... or, if you're using Node.js, on the server.  It's vital that you use a proper JSON serializer to encode user-supplied data properly to prevent the execution of user-supplied input on the browser.
  • 21. THANKS If you feel that it is helpful and worthy to share with others then please like and share the same.