SEVEN things about API security - Philippe De Ryck - NDC Oslo 2024
Learn essential API security practices including authorization, rate limiting, DTO usage, and SSRF protection. Get practical tips to safeguard your APIs from common attacks.
- Authorization is consistently one of the biggest API security challenges, particularly broken object-level authorization (BOLA), which lets attackers access resources they are not authorized to see
- Use Data Transfer Objects (DTOs) to explicitly control what data is exposed through APIs rather than directly exposing model/database objects
- Implement rate limiting on sensitive endpoints to prevent brute force and enumeration attacks
- Avoid username enumeration vulnerabilities by returning consistent error messages whether a user exists or not
- For Server-Side Request Forgery (SSRF) protection:
  - Parse URLs only once to avoid ambiguity
  - Validate hostnames against allowlists
  - Isolate URL-fetching functionality in separate services
- Centralize authorization logic rather than spreading it throughout the codebase
- Make authorization policies auditable and testable
- Use role-based access control (RBAC) with permissions as an intermediary layer between roles and endpoints
- Add integrity checks to sensitive parameters in URLs using signed tokens
- Don’t rely solely on perimeter security - implement proper authorization checks even for internal services
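The SSRF points above (parse once, validate the hostname against an allowlist) as an added example; this is not code from the talk, and the allowlist, helper names and sample URLs are constructed for illustration. The validator returns the parsed components so the HTTP client never re-parses the raw string.

```python
"""Allowlist-based URL validation for an outbound fetcher (SSRF defence).

Added example, not from the talk: the allowlist, helper names and sample
URLs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: the only hosts, schemes and ports the service may call.
ALLOWED_HOSTS = frozenset({"api.partner.example", "cdn.partner.example"})
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_PORTS = frozenset({None, 443})


@dataclass(frozen=True)
class FetchTarget:
    """The single parsed representation handed to the HTTP client."""
    scheme: str
    host: str
    port: Optional[int]
    path: str
    query: str

    def url(self) -> str:
        # Rebuild the URL from validated parts, never from the raw input.
        netloc = self.host if self.port is None else f"{self.host}:{self.port}"
        return urlunsplit((self.scheme, netloc, self.path, self.query, ""))


def validate_target(raw_url: str) -> FetchTarget:
    """Parse the URL exactly once and validate the parsed components."""
    parts = urlsplit(raw_url)
    host = (parts.hostname or "").lower()  # userinfo and brackets stripped
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")  # user@host tricks
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    if parts.port not in ALLOWED_PORTS:  # .port raises ValueError if not numeric
        raise ValueError(f"port not allowed: {parts.port!r}")
    return FetchTarget(parts.scheme, host, parts.port, parts.path or "/", parts.query)


def is_allowed(raw_url: str) -> bool:
    """True if validate_target accepts the URL, False otherwise."""
    try:
        validate_target(raw_url)
    except ValueError:
        return False
    return True
```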