SEVEN things about API security - Philippe De Ryck - NDC Oslo 2024

Philippe De Ryck

Learn essential API security practices including authorization, rate limiting, DTO usage, and SSRF protection. Get practical tips to safeguard your APIs from common attacks.

Key takeaways
  • Authorization is consistently one of the biggest API security challenges, particularly broken object-level authorization (BOLA) which allows attackers to access unauthorized resources
  • Use Data Transfer Objects (DTOs) to explicitly control what data is exposed through APIs rather than directly exposing model/database objects
  • Implement rate limiting on sensitive endpoints to prevent brute force and enumeration attacks
  • Avoid username enumeration vulnerabilities by returning consistent error messages whether a user exists or not
  • For Server-Side Request Forgery (SSRF) protection:
    • Parse URLs only once to avoid ambiguity
    • Validate hostnames against allowlists
    • Isolate URL fetching functionalities in separate services
  • Centralize authorization logic rather than spreading it throughout the codebase
  • Make authorization policies auditable and testable
  • Use role-based access control (RBAC) with permissions as an intermediary layer between roles and endpoints
  • Add integrity checks to sensitive parameters in URLs using signed tokens
  • Don’t rely solely on perimeter security - implement proper authorization checks even for internal services