API Security Checklist
These are some security best practices that I have gathered for myself.
- Don't use HTTP Basic authentication unless the connection is TLS (HTTPS): the credentials are only base64-encoded, not encrypted. Never transmit authentication tokens in the URL; query strings end up in server logs, proxy logs, browser history and Referer headers.
- Send tokens in the Authorization header on every request, e.g. Authorization: Bearer <token>.
- Keep token lifetimes as short as practical: a short access-token TTL limits what a stolen token is worth, and a bounded refresh-token lifetime (RTTL) forces periodic re-authentication.
- Reject any non-TLS request outright. Do not serve the API over plain HTTP at all, not even as a redirect to HTTPS: a client that sends its first request over HTTP has already leaked its token or credentials before the redirect arrives.
- Rate-limit requests per client (IP address, API key or user), with stricter limits on authentication endpoints, to slow down brute force and resource-exhaustion attacks.
- Set HTTP response headers appropriately: Strict-Transport-Security, X-Content-Type-Options: nosniff, Cache-Control: no-store on responses that carry tokens or personal data, and a restrictive Content-Security-Policy if the API ever returns HTML.
- Convert received data to its canonical form (a single encoding, normalised Unicode, resolved paths) before validating it, or reject it; validating before canonicalisation lets encoded variants of forbidden input slip past the checks.
- All the data exchanged with the REST API must be validated by the API
- Serialize JSON with a proper library rather than by string concatenation, so user-supplied values cannot break out of the structure, and always return it with Content-Type: application/json.
- Validate the request Content-Type and reject anything the endpoint does not expect (a JSON endpoint should refuse application/x-www-form-urlencoded and multipart bodies); don't let the framework guess the body format.
- Use standard authentication (e.g. JWT, OAuth).
- Use maximum-retry and jail (temporary lockout) features on login: after a number of failed attempts for an account or client, lock or throttle further attempts for a cooling-off period.
- Sign tokens with a long, random key (the JWT secret) that cannot be brute-forced: at least 256 bits of randomness for HMAC-based algorithms such as HS256, or an asymmetric key pair. Pin the accepted algorithm on the server and reject tokens whose alg header is "none" or anything other than what you issue.
- Validate redirect_uri server-side against an allow-list using exact matching; prefix or pattern matching lets an attacker send the authorization code or token to a host they control.
- Use the OAuth state parameter with a random, unguessable value bound to the user's session, and verify it on the callback, to prevent CSRF against the authorization flow.
- Store and serve uploaded files from a separate origin (for example object storage behind a CDN) rather than from the API host, so an upload can never be executed on, or served as part of, your own origin.
- If you are dealing with huge amounts of data, use workers and queues to process as much as possible in the background and return a response quickly, so long-running work does not block HTTP request handling.
- Do not forget to turn DEBUG mode off in production: debug pages leak stack traces, configuration values and sometimes an interactive console.
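The token items above (bearer tokens only in the Authorization header, short TTLs, a strong JWT secret with a pinned algorithm) fit together in one small piece of server-side code. The following is an added example written for this checklist, not code from the original page or from any library it mentions; JWT_SECRET, ALLOWED_ALG, ACCESS_TOKEN_TTL and the function names are assumptions chosen for illustration, and it uses only the Python standard library so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Added example: minimal HS256 JWT issue/verify plus a bearer-token extractor.
# The names and constants below are assumptions for illustration only.

# 32 random bytes (256 bits) is the minimum for HS256; in production load the
# secret from a secret store instead of generating it at import time.
JWT_SECRET = secrets.token_bytes(32)
ALLOWED_ALG = "HS256"        # the server pins one algorithm and ignores the token's choice
ACCESS_TOKEN_TTL = 15 * 60   # short-lived access token, in seconds


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, secret: bytes = JWT_SECRET,
                ttl: int = ACCESS_TOKEN_TTL, now: Optional[int] = None) -> str:
    """Create a compact HS256 JWT with iat/exp claims (exp = now + ttl)."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes = JWT_SECRET,
                 now: Optional[int] = None) -> dict:
    """Return the payload of a valid token, or raise ValueError.

    Order matters: pin the algorithm, check the signature, and only then
    trust anything in the payload (including exp).
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Reject "none" and any algorithm the server did not choose. This is what
    # stops an attacker swapping HS256 for "none" and dropping the signature.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired")
    return payload


def is_valid_token(token: str, now: Optional[int] = None) -> bool:
    """True if verify_token accepts the token; every failure mode is a ValueError."""
    try:
        verify_token(token, now=now)
    except ValueError:  # binascii.Error and JSONDecodeError are subclasses
        return False
    return True


def bearer_from_request(headers: dict, query: dict) -> Optional[str]:
    """Take the token only from "Authorization: Bearer <token>".

    A token found in the query string is refused rather than honoured, so a
    client that leaks it into logs and Referer headers gets an error instead
    of a working session.
    """
    if "access_token" in query or "token" in query:
        return None
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not value.strip():
        return None
    return value.strip()


if __name__ == "__main__":
    tok = issue_token("alice")
    print(verify_token(tok))
```

The signature is checked before the payload is parsed so that nothing in an unverified token influences the decision, and the algorithm comes from server configuration rather than from the token's header. A real deployment would add audience/issuer checks and a small clock-skew allowance on exp; those are left out here to keep the core order of checks visible.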
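The rate-limiting and max-retry/jail items are easiest to see as one login guard. This is an added example for this checklist, not the page's own code; the LoginGuard class, its thresholds, the status strings and the constructed USERS table are all assumptions made for illustration.

```python
import hmac
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Added example: a per-IP sliding-window rate limit combined with a per-account
# failure counter and temporary lockout ("jail"). Names and numbers are
# assumptions for illustration.

# Constructed toy credential store. A real service stores a password hash
# (argon2id, bcrypt or scrypt), never the password itself.
USERS = {"alice": "correct horse battery staple"}


class LoginGuard:
    def __init__(self, max_failures: int = 5, failure_window: int = 300,
                 jail_seconds: int = 900, rate_limit: int = 20,
                 rate_window: int = 60):
        self.max_failures = max_failures      # failures tolerated inside failure_window
        self.failure_window = failure_window  # seconds over which failures are counted
        self.jail_seconds = jail_seconds      # lockout length once the limit is hit
        self.rate_limit = rate_limit          # requests per rate_window per client IP
        self.rate_window = rate_window
        self._requests: Dict[str, Deque[int]] = defaultdict(deque)
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)
        self._jailed_until: Dict[str, int] = {}

    @staticmethod
    def _prune(dq: Deque[int], now: int, window: int) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while dq and dq[0] <= now - window:
            dq.popleft()

    def allowed(self, client_ip: str, username: str, now: int) -> Tuple[bool, str]:
        """Cheap check first (rate limit by IP), then the account's jail status."""
        reqs = self._requests[client_ip]
        self._prune(reqs, now, self.rate_window)
        if len(reqs) >= self.rate_limit:
            return False, "rate_limited"
        reqs.append(now)
        if now < self._jailed_until.get(username, 0):
            return False, "locked"
        return True, "ok"

    def record_failure(self, username: str, now: int) -> None:
        fails = self._failures[username]
        self._prune(fails, now, self.failure_window)
        fails.append(now)
        if len(fails) >= self.max_failures:
            self._jailed_until[username] = now + self.jail_seconds
            fails.clear()

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._jailed_until.pop(username, None)


def attempt_login(guard: LoginGuard, client_ip: str, username: str,
                  password: str, now: Optional[int] = None) -> str:
    """Return "ok", "invalid_credentials", "locked" or "rate_limited"."""
    now = int(time.time()) if now is None else now
    ok, reason = guard.allowed(client_ip, username, now)
    if not ok:
        return reason  # no password check at all while locked or rate limited
    expected = USERS.get(username, "")
    # compare_digest keeps the comparison time independent of where the first
    # mismatch is; an unknown user takes the same path as a wrong password.
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        guard.record_success(username)
        return "ok"
    guard.record_failure(username, now)
    return "invalid_credentials"


if __name__ == "__main__":
    g = LoginGuard(max_failures=3)
    for _ in range(4):
        print(attempt_login(g, "203.0.113.5", "alice", "guess"))
```

Two caveats a practitioner should keep in mind: locking purely on the username lets an attacker lock legitimate users out by spamming wrong passwords, so production systems usually key the jail on (IP, account) or add progressive delays and a CAPTCHA instead of a hard lock; and the in-memory dictionaries here belong in a shared store such as Redis once there is more than one API instance.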