DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Enterprise AI Trend Report: Gain insights on ethical AI, MLOps, generative AI, large language models, and much more.

2024 Cloud survey: Share your insights on microservices, containers, K8s, CI/CD, and DevOps (+ enter a $750 raffle!) for our Trend Reports.

PostgreSQL: Learn about the open-source RDBMS' advanced capabilities, core components, common commands and functions, and general DBA tasks.

AI Automation Essentials. Check out the latest Refcard on all things AI automation, including model training, data security, and more.

Related

  • API Governance: Ensuring Control and Compliance in the Era of Digital Transformation
  • 10 Commandments of API-First Development
  • Secure Your API With JWT: Kong OpenID Connect
  • Don't Just Let It iPaaS: How To Get More Out of Your Digital Transformation

Trending

  • Modern Python: Patterns, Features, and Strategies for Writing Efficient Code (Part 1)
  • JUnit, 4, 5, Jupiter, Vintage
  • Securing Cloud Infrastructure: Leveraging Key Management Technologies
  • Using My New Raspberry Pi To Run an Existing GitHub Action
  1. DZone
  2. Data Engineering
  3. Databases
  4. Secure Your API With These 16 Practices With Apache APISIX (Part 2)

Secure Your API With These 16 Practices With Apache APISIX (Part 2)

Last week, we listed 16 practices to help secure one's APIs and described how to implement them with Apache APISIX. This week, we will look at the remaining practices.

By 
Nicolas Fränkel user avatar
Nicolas Fränkel
DZone Core CORE ·
Mar. 04, 24 · Analysis
Like (1)
Save
Tweet
Share
1.9K Views

Join the DZone community and get the full member experience.

Join For Free

Last week, we listed 16 practices to help secure one's APIs and described how to implement them with Apache APISIX.

  1. Authentication: Verifies the identity of users accessing APIs.
  2. Authorization: Determines permissions of authenticated users.
  3. Data Redaction: Obscures sensitive data for protection.
  4. Encryption: Encodes data so only authorized parties can decode it.
  5. Error Handling: Manages responses when things go wrong, avoiding revealing sensitive info.
  6. Input Validation and Data Sanitization: Checks input data and removes harmful parts.
  7. Intrusion Detection Systems: Monitor networks for suspicious activities.
  8. IP Whitelisting: Permits API access only from trusted IP addresses.
  9. Logging and Monitoring: Keeps detailed logs and regularly monitors APIs.
  10. Rate Limiting: Limits user requests to prevent overload.
  11. Secure Dependencies: Ensures third-party code is free from vulnerabilities.
  12. Security Headers: Enhances site security against types of attacks like XSS.
  13. Token Expiry: Regularly expiring and renewing tokens prevents unauthorized access.
  14. Use of Security Standards and Frameworks: Guides your API security strategy.
  15. Web Application Firewall: Protects your site from HTTP-specific attacks.
  16. API Versioning: Maintains different versions of your API for seamless updates.

This week, we will look at the remaining practices.

Encryption and Data Redaction

First, we must protect the communication channel between our APIs and clients from unwanted reads and writes. That's the realm of TLS. In this regard, mutual TLS is state-of-the-art. Please read this previous post about mTLS in Apache APISIX.

I can't guess what the author meant by "Obscures sensitive data for protection." If data exchanges are encrypted, it doesn't make sense to obfuscate any payload.

Error Handling

The list mentions avoiding revealing sensitive info when an error happens. Indeed, some poorly coded upstreams can disclose such data. Here's an example of Tomcat when developers forgot to configure an error page:

It reveals the upstream's technology, version, and guilty code.

Apache APISIX can intercept such a response and rewrite it:

YAML
 
routes:
  - upstream_id: 1
    plugins:
      response-rewrite:
        vars: [[ "status","==",500 ]]                        #1
        body: { "error" : "An unknown exception happened"}   #2


  1. Triggered only in case of HTTP status code 500 returned by the upstream. You can add additional status codes if necessary.
  2. The body to return

To make sure the above configuration is applied consistently, we can also make it a global rule:

YAML
 
global_rules:
  - id: 1
    plugins:
      response-rewrite:
        vars: [[ "status","==",500 ]]
        body: { "error" : "An unknown exception happened"}


Security Headers

The OWASP lists plenty of HTTP Headers you can set to improve the security of your web apps and APIs. Apache APISIX provides two dedicated plugins for specific security risks:

  • CORS
  • CSRF

For any other header, you can use the more generic response-rewrite plugin to add them. Finally, we can remove default HTTP response headers, such as Server, to make targeted attacks less likely.

YAML
 
global_rules:                               #1
  - id: 1
    plugins:
      response-rewrite:
        headers:
          set:
            X-Content-Type-Options: nosniff #2
          remove:
            - Server                        #3


  1. Do on every route: security by default! It still can be overridden on a per-route basis, in case of need
  2. Tell the browser not to infer the content type if it's not explicitly set
  3. Don't advertise the server

WAF and API Versioning

I've addressed these two points in previous posts:

  • Hardening Apache APISIX with the OWASP's Coraza and Core Ruleset
  • API Versioning

In short, Apache APSIX allows embedding the Coraza WAF as a Rust plugin.

On the versioning side, one can choose three different approaches: path-based, query parameter-based, and header-based. APISIX supports all of them.

Other Items

The remaining items are:

  • Intrusion Detection Systems
  • Secure Dependencies
  • Use of Security Standards and Frameworks

I'm afraid that APISIX cannot help with any of them. You need to address them on the upstream side.

Conclusion

In this two-post series, I've addressed most of the 16 practices to secure APIs with Apache APISIX. While I don't claim the list is exhaustive, it's a solid basis to improve the security of one's system.

API security

Published at DZone with permission of Nicolas Fränkel, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • API Governance: Ensuring Control and Compliance in the Era of Digital Transformation
  • 10 Commandments of API-First Development
  • Secure Your API With JWT: Kong OpenID Connect
  • Don't Just Let It iPaaS: How To Get More Out of Your Digital Transformation

Partner Resources


Comments

ABOUT US

  • About DZone
  • Send feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends: