SEVEN things about API security - Philippe De Ryck - NDC Oslo 2024

Learn essential API security practices including authorization, rate limiting, DTO usage, and SSRF protection. Get practical tips to safeguard your APIs from common attacks.

Key takeaways
  • Authorization is consistently one of the biggest API security challenges, particularly broken object-level authorization (BOLA): the endpoint checks that the caller is authenticated (and perhaps has the right role) but not that the caller is entitled to the specific object named in the request, so swapping in another user's identifier returns another user's data
  • Use Data Transfer Objects (DTOs) to explicitly control what data is exposed through APIs rather than directly exposing model/database objects
  • Implement rate limiting on sensitive endpoints to prevent brute force and enumeration attacks
  • Avoid username enumeration vulnerabilities by returning consistent error messages whether a user exists or not
  • For Server-Side Request Forgery (SSRF) protection:
    • Parse URLs only once, and make both the validation and the outbound request use that same parsed result; validating one parse and then fetching from a re-parsed string invites parser differentials
    • Validate hostnames against allowlists
    • Isolate URL fetching functionalities in separate services
  • Centralize authorization logic rather than spreading it throughout the codebase
  • Make authorization policies auditable and testable
  • Use role-based access control (RBAC) with permissions as an intermediary layer between roles and endpoints
  • Add integrity checks to sensitive parameters in URLs using signed tokens
  • Don’t rely solely on perimeter security - implement proper authorization checks even for internal services
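
The rate-limiting and username-enumeration points above, as an added example that is not code from the talk: a small sliding-window limiter keyed separately by client IP (slows enumeration from one source) and by account (slows brute force against one account), placed in front of a login handler that always hashes, always compares, and returns one generic error for unknown users and wrong passwords alike. The user store, salt and PBKDF2 parameters are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever slow password hash the service uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class SlidingWindowLimiter:
    """Allows at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events: dict[str, list[float]] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self._events.get(key, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self._events[key] = recent
            return False  # over the limit: do not record, do not proceed
        recent.append(now)
        self._events[key] = recent
        return True


# One message for "no such user" and "wrong password", so the response cannot be used to enumerate accounts.
GENERIC_ERROR = {"error": "Invalid username or password"}


class LoginService:
    def __init__(self, users: dict[str, tuple[bytes, bytes]]):
        self.users = users  # username -> (salt, password hash)
        # Dummy credentials so an unknown username still costs one hash and one comparison.
        dummy_salt = secrets.token_bytes(16)
        self._dummy = (dummy_salt, hash_password(secrets.token_hex(16), dummy_salt))
        self.per_ip = SlidingWindowLimiter(limit=20, window=60.0)
        self.per_account = SlidingWindowLimiter(limit=5, window=60.0)

    def login(self, username: str, password: str, client_ip: str, now: Optional[float] = None):
        # Limit before doing any expensive work; the 429 must not depend on whether the account exists.
        if not self.per_ip.allow(client_ip, now) or not self.per_account.allow(username.lower(), now):
            return 429, {"error": "Too many attempts, try again later"}
        salt, expected = self.users.get(username, self._dummy)
        candidate = hash_password(password, salt)
        matches = hmac.compare_digest(candidate, expected)  # constant-time, always executed
        if matches and username in self.users:
            return 200, {"session": secrets.token_urlsafe(32)}
        return 401, dict(GENERIC_ERROR)


# Constructed sample user store; not a real database.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}

if __name__ == "__main__":
    svc = LoginService(SAMPLE_USERS)
    print(svc.login("alice", "correct horse battery", "198.51.100.7"))
    print(svc.login("alice", "nope", "198.51.100.7"))
    print(svc.login("nobody", "nope", "198.51.100.7"))
```

Keying the account limiter on the submitted username (not on whether it exists) keeps the 429 itself from leaking account existence; in production the limiter state would live in a shared store such as Redis rather than in process memory.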
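
The three SSRF sub-points above, as an added example that is not code from the talk: the URL is parsed exactly once with `urllib.parse.urlsplit`, every check runs on the parsed parts, and the same parsed object is handed to the fetcher, which builds its connection target from those parts instead of re-parsing the string. The allowlisted hostnames and the HTTPS-only rule are assumptions for the demo.

```python
from __future__ import annotations

from urllib.parse import SplitResult, urlsplit

# Assumed allowlist: the only hosts this service is ever meant to fetch from.
ALLOWED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})
DEFAULT_PORT = 443


class UnsafeUrl(ValueError):
    """Raised when a caller-supplied URL fails validation."""


def validate_outbound_url(raw: str, allowed_hosts=ALLOWED_HOSTS) -> SplitResult:
    """Parse once, validate the parsed parts, and return them for the fetcher to use."""
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    # Reject userinfo outright: https://api.example.com@169.254.169.254/ reads as allowed to a naive check.
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("userinfo in URL is not allowed")
    host = parts.hostname  # already lowercased, IPv6 brackets stripped
    if not host:
        raise UnsafeUrl("missing host")
    # Exact match against the allowlist: IP literals, suffix tricks (api.example.com.evil.test) all fail here.
    if host not in allowed_hosts:
        raise UnsafeUrl(f"host not allowed: {host!r}")
    try:
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        raise UnsafeUrl("malformed port") from exc
    if port not in (None, DEFAULT_PORT):
        raise UnsafeUrl(f"port not allowed: {port}")
    return parts


def is_safe_url(raw: str) -> bool:
    try:
        validate_outbound_url(raw)
        return True
    except UnsafeUrl:
        return False


def plan_request(parts: SplitResult) -> dict:
    """What the fetcher connects to, derived from the validated parts and never from the raw string."""
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return {"host": parts.hostname, "port": parts.port or DEFAULT_PORT, "target": target}


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/items?id=3",
        "https://api.example.com@169.254.169.254/latest/meta-data/",
        "http://api.example.com/",
        "https://169.254.169.254/",
        "https://api.example.com.evil.test/",
    ):
        print(candidate, "->", "ok" if is_safe_url(candidate) else "rejected")
```

The check deliberately has no denylist of internal address ranges; an allowlist of a few hostnames makes the denylist unnecessary and avoids the encoding and DNS-rebinding games that denylists attract. The third sub-point, running this fetcher in its own service with no network route to internal systems, is what limits the damage if a check is ever wrong.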
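
The authorization points above (BOLA, centralization, auditability, permissions between roles and endpoints, DTOs), as an added example that is not code from the talk: one `AuthorizationPolicy` object decides everything, roles map to permissions and endpoints ask for permissions, the object-level rule (same tenant, and either owner or holder of the `:any` variant) lives in the same place, every decision is recorded with a reason, and the handler returns a DTO rather than the stored record. Roles, permission names, tenants and invoices are constructed for the demo.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Permissions are the contract; roles are just bundles of them. Endpoints never name roles.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "accountant": {"invoice:read", "invoice:read:any", "invoice:create"},
    "admin": {"invoice:read", "invoice:read:any", "invoice:create", "invoice:delete", "invoice:delete:any"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset
    tenant_id: str


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: str
    tenant_id: str
    internal_notes: str  # must never leave the service


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AuthorizationPolicy:
    """Single place where access decisions are made, so they can be audited and unit-tested."""

    def __init__(self, role_permissions: dict):
        self.role_permissions = role_permissions
        self.audit_log: list[dict] = field(default_factory=list) if False else []

    def permissions_for(self, principal: Principal) -> set:
        perms: set = set()
        for role in principal.roles:
            perms |= self.role_permissions.get(role, set())
        return perms

    def authorize(self, principal: Principal, action: str, resource: Optional[Invoice] = None) -> Decision:
        perms = self.permissions_for(principal)
        if action not in perms:
            decision = Decision(False, f"missing permission {action}")
        elif resource is not None and not self._object_allowed(principal, action, resource, perms):
            decision = Decision(False, "object-level check failed")
        else:
            decision = Decision(True, "ok")
        self.audit_log.append({
            "user": principal.user_id, "action": action,
            "resource": None if resource is None else resource.id,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    @staticmethod
    def _object_allowed(principal: Principal, action: str, resource: Invoice, perms: set) -> bool:
        # This is the BOLA check: the permission alone says what you may do, this says to which objects.
        if resource.tenant_id != principal.tenant_id:
            return False
        if resource.owner_id == principal.user_id:
            return True
        return f"{action}:any" in perms


# Constructed sample data.
INVOICES = {
    1: Invoice(1, "alice", "acme", "late payer"),
    2: Invoice(2, "bob", "acme", "VIP"),
    3: Invoice(3, "carol", "globex", "disputed"),
}


def get_invoice(policy: AuthorizationPolicy, principal: Principal, invoice_id: int):
    """GET /invoices/{id}: load, then ask the policy about this caller and this object."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, {"error": "not found"}
    if not policy.authorize(principal, "invoice:read", invoice).allowed:
        return 403, {"error": "forbidden"}  # some APIs return 404 here to avoid confirming existence
    # DTO: an explicit projection, never the stored object itself.
    return 200, {"id": invoice.id, "owner": invoice.owner_id}


if __name__ == "__main__":
    policy = AuthorizationPolicy(ROLE_PERMISSIONS)
    alice = Principal("alice", frozenset({"viewer"}), "acme")
    print(get_invoice(policy, alice, 1), get_invoice(policy, alice, 2))
    print(policy.audit_log)
```

Because the handler never inspects roles, adding a role or changing what a role may do is a one-line edit to the table, and the policy's tests (viewer cannot read a colleague's invoice, admin of another tenant cannot read anything here) keep passing or fail loudly.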
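
The signed-parameter point above, as an added example that is not code from the talk: parameters that must not be tampered with (here an assumed `report_id` and `user`) are canonicalised, given an expiry, and HMAC-SHA256-signed with a server-side key; verification re-canonicalises, compares in constant time, enforces the expiry, and rejects duplicated parameters so a second `report_id` cannot ride along unsigned. The key and parameter names are constructed for the demo.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode


def _canonical(params: dict) -> bytes:
    # Sorted, percent-encoded key=value pairs: the same bytes are signed and verified.
    return urlencode(sorted(params.items())).encode()


def sign_params(secret: bytes, params: dict, expires_at: int) -> str:
    """Return a query string carrying the parameters, an expiry and an HMAC over all of them."""
    payload = {**params, "exp": str(expires_at)}
    mac = hmac.new(secret, _canonical(payload), hashlib.sha256).digest()
    payload["sig"] = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return urlencode(payload)


def verify_params(secret: bytes, query: str, now: int) -> Optional[dict]:
    """Return the verified parameters (including exp) or None if anything is wrong."""
    try:
        raw = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return None
    # Parameter pollution: a repeated key means one copy was not covered by the signature.
    if any(len(values) != 1 for values in raw.values()):
        return None
    params = {k: v[0] for k, v in raw.items()}
    sig = params.pop("sig", None)
    if sig is None or "exp" not in params:
        return None
    try:
        given = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
        expires_at = int(params["exp"])
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, _canonical(params), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None
    if now > expires_at:
        return None
    return params


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-server-side"
    link = "https://reports.example.test/download?" + sign_params(key, {"report_id": "42", "user": "alice"}, 1_700_000_000)
    print(link)
    print(verify_params(key, link.split("?", 1)[1], now=1_699_999_000))
    print(verify_params(key, link.split("?", 1)[1].replace("report_id=42", "report_id=43"), now=1_699_999_000))
```

The signature protects integrity, not confidentiality: the parameters remain readable, so anything secret still needs a server-side lookup. Signing the expiry as well gives leaked links a bounded lifetime.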