Before we look into tips & techniques to design security for your Public APIs, lets understand what do we mean by Public APIs? Public APIs are APIs that are published to the world including developers, or partners’ developers to create their custom application by making use of APIs. These APIs can be used by another program, mobile apps or web applications (Web UI), desktop client etc.
Following are some tips/techniques for designing security for your Public APIs:
- IP Address Restrictions: To be able to control access to APIs based on IP address from which request arrived, the IP address restrictions policy should be imposed. This is very handy when the business decides to ban one or all the user requests coming from an IP address or a range of IP addresses. This can be used to allow users coming from a range of IP address (trusted IP address list) and disallow users from other range of IP address. It is highly recommended to implement this security design. User profile shall be designed in a way such that it can get be associated with IP based restrictions.
- Two-factor Authentication: Two factor authentication would lead to API password made up of two parts. One part is the password set by the user and the other part can be system generated time-based token. For example, if the user set password is vit0lf1ux and the system generated token in BcAa1ito3, the API password would then become “vit0lf1uxBcAa1ito3”. The system generated time-based token can be reset by the users from time to time, or could be reset whenever user changes their password. On reset, the system generated password can be sent to user’s email. And, any further API requests will only be allowed with the new password appended with new system generated password (two-factor). This leads to greater security as the system generated password is difficult to be hacked.
- Access Control: Access control should be implemented in the way that API requests should be evaluated for read, write or read-write permission before the request can be executed.
- Global API-Enabled Permission: It would be nice to implement a global API-enabled permission such that a change in api-enabled flag from true to false can block the access to APIs for all the requests coming from users belonging to a particular group or organization.
- Time-based restrictions: One can also implement the time-based restrictions for API requests to be allowed only in certain time period of the day. The time-based restrictions can be associated with the user profiles and the API request coming from that particular set of users should be allowed only if it fell into the permitted time period of the day.
- Limited Queries: User profile should be associated with a configuration such as number of queries allowed with a time period such as a day or so. This can prove very useful from security perspective.