Secure your REST API (the right way)

DESCRIPTION

We already showed you how to build a Beautiful REST+JSON API (http://www.slideshare.net/stormpath/rest-jsonapis), but how do you secure your API? At Stormpath we spent 18 months researching best practices, implementing them in the Stormpath API, and figuring out what works. Here's our playbook on how to secure a REST API.

TRANSCRIPT
Les Hazlewood @lhazlewood
Apache Shiro PMC Chair
CTO, Stormpath
stormpath.com
Secure your REST API
(the right way)
Stormpath.com
• User Management and Authentication API
• Security for your applications
• User security workflows
• Security best practices
• Developer tools, SDKs, libraries
HTTP Authentication...
1. Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Learn more at Stormpath.com
2. Challenge Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="name"
3. Resubmit Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Authorization Header Format
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

The header value is: Scheme Name, a single space (sp), then the Scheme-specific Value.
4. Successful Response
HTTP/1.1 200 OK
Content-Type: application/json
...
{
  "email": "[email protected]",
  "givenName": "Joe",
  "surname": "Smith",
  ...
}
Example: OAuth 1.0a
GET /accounts/1234 HTTP/1.1
Host: api.acme.com
Authorization: OAuth realm="Photos",
    oauth_consumer_key="dpf43f3p2l4k3l03",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="137131200",
    oauth_nonce="wIjqoS",
    oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
    oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"
Example: OAuth 2
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Bearer mF_9.B5f-4.1JqM
Example: OAuth 2 MAC
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: MAC id="h480djs93hd8", nonce="264095:dj83hs9s", mac="SLDJd4mg43cjQfElUs3Qub4L6xE="
Ok, now that’s out of the way
• Please avoid Basic Authc if you can.
• Favor HMAC-SHA256 digest algorithms over bearer token algorithms
• Use OAuth 1.0a or OAuth 2 (preferably MAC)
• Only use a custom scheme if you really, really know what you’re doing.
401 vs 403
• 401 "Unauthorized" really means Unauthenticated
  "You need valid credentials for me to respond to this request"
• 403 "Forbidden" really means Unauthorized
  "I understood your credentials, but so sorry, you're not allowed!"
HTTP Authorization
• After authc, perform authz
• Filter requests before invoking MVC layer
• Blanket security policies
• Per-URI customization
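The two preceding slides (favor an HMAC-SHA256 digest over a bearer token; authenticate every request, then authorize per URI, answering 401 for bad credentials and 403 for a valid caller who is not allowed) are shown together in the added example below. It is illustration code written for this transcript, not Stormpath's or Apache Shiro's code, and the "HMAC-SHA256" scheme name, the API_KEYS table and the canonical string layout are all assumptions of the example: a simplified sketch of what OAuth 1.0a / OAuth 2 MAC signing does, not an implementation of either spec.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side API key table: key id -> secret and the account
# that key belongs to. Constructed sample values, not real credentials.
API_KEYS = {
    "2ZCBKZ9KZ7P6N0V7": {"secret": "constructed-secret-do-not-reuse",
                         "account": "x2b4jX3l31uiL"},
}
SEEN_NONCES = set()        # replay protection (a real service would expire these)
MAX_SKEW_SECONDS = 300     # tolerated clock drift between client and server


def canonical_string(method, path, host, timestamp, nonce, body):
    """Exactly what gets signed: every field a tampered request could alter."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, host.lower(),
                      str(timestamp), nonce, body_hash])


def sign_request(key_id, secret, method, path, host, body=b"",
                 timestamp=None, nonce=None):
    """Client side: build the Host and Authorization headers for one request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_string(method, path, host, timestamp, nonce, body)
    sig = hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
    auth = ('HMAC-SHA256 id="%s", ts="%d", nonce="%s", sig="%s"'
            % (key_id, timestamp, nonce, sig))
    return {"Host": host, "Authorization": auth}


def parse_authorization(header):
    """Split 'Scheme k="v", k="v"' into (scheme, {k: v})."""
    scheme, _, rest = header.partition(" ")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            params[key] = value.strip().strip('"')
    return scheme, params


def authenticate(method, path, headers, body=b"", now=None):
    """Server side: return the key id if the signature checks out, else None."""
    now = int(time.time()) if now is None else now
    scheme, params = parse_authorization(headers.get("Authorization", ""))
    if scheme != "HMAC-SHA256" or not all(k in params for k in ("id", "ts", "nonce", "sig")):
        return None
    record = API_KEYS.get(params["id"])
    if record is None or not params["ts"].isdigit():
        return None
    ts = int(params["ts"])
    if abs(now - ts) > MAX_SKEW_SECONDS:                  # stale or future-dated
        return None
    if (params["id"], params["nonce"]) in SEEN_NONCES:    # replayed request
        return None
    msg = canonical_string(method, path, headers.get("Host", ""), ts,
                           params["nonce"], body)
    expected = hmac.new(record["secret"].encode(), msg.encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params["sig"]):  # constant-time compare
        return None
    SEEN_NONCES.add((params["id"], params["nonce"]))
    return params["id"]


def handle(method, path, headers, body=b"", now=None):
    """authc first (401 on failure), then per-URI authz (403 on failure)."""
    key_id = authenticate(method, path, headers, body, now)
    if key_id is None:
        return 401, {"WWW-Authenticate": 'HMAC-SHA256 realm="api.acme.com"'}
    owner = API_KEYS[key_id]["account"]
    # Authorization rule for this example: a key may only read its own account.
    if path.startswith("/accounts/") and path.split("/")[2] != owner:
        return 403, {}
    return 200, {}
```

Because the signature covers method, path, host, timestamp, nonce and body, a request whose path was altered in transit fails authentication (401), not authorization (403): the server never reaches the authz step for a request it cannot attribute to a key.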
HTTP Authorization: OAuth
• OAuth is an authorization protocol, NOT an authentication or SSO protocol.
• "Can I see User X's email address please?"
• NOT: "I want to authenticate User X w/ this username and password"
• People still try to use OAuth for authentication (OpenID Connect)
HTTP Authorization: OAuth
• When OAuth 2 is a good fit:
  • If your REST clients do NOT own the data they are attempting to read
• When OAuth 2 isn't as good of a fit:
  • If your REST client owns the data it is reading
  • Could still be fine if you're willing to incur some additional overhead
HTTP Authorization: JWT
• JWT = JSON Web Token
• Very new spec, but clean & simple
• JWTs can be digitally signed and/or encrypted, and are URL friendly.
• Can be used as Bearer Tokens and for SSO
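Added example, not from the slides: a minimal HS256 JWT issuer and verifier in Python's standard library, showing the three base64url parts, why the result is URL friendly (no "+", "/" or "="), and the two checks a verifier must make before trusting claims: the algorithm is the one the server issues with (pinned, never read from the token), and the HMAC matches in constant time. The claim names and secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    """Base64url without padding: safe in URLs, headers and cookies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def jwt_sign(claims, secret):
    """Issue a compact-serialized HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jwt_verify(token, secret, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        signature = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm this server issues with; the token's own header must
    # never be allowed to pick a different (or absent) algorithm.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, (h64 + "." + c64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, int) or now >= exp):
        return None
    return claims
```

Used as a bearer token, the JWT goes in "Authorization: Bearer <token>" exactly like the OAuth 2 example earlier; the verifier runs once per request, so the server still authenticates every request without server-side session state.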
API Keys, Not Passwords
• Entropy
• Independence
• Speed
• Reduced Exposure
• Traceability
• Rotation
API Keys cont'd
• Authenticate every request
• Encrypt API Key secret values at rest.
• Avoid Sessions (not RESTful)
• Authc every request + no sessions = no XSRF attacks
Identifiers
Good: /accounts/x2b4jX3l31uiL
Not So Good: /accounts/1234
Why?
Identifiers
• Should be opaque
• Secure Random or Random/Time UUID
• URL-friendly 'Base62' encoding
• Avoid sequential numbers:
  • distribute ID generation load
  • mitigate fusking attacks
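Added example covering both the API key slides and the identifier slides above; it is written for this transcript and is not Stormpath's generator. It draws identifier bits from a CSPRNG (or a random UUID) and Base62-encodes them at a fixed width so the result is opaque, non-sequential, URL friendly and still decodable; the same encoder produces an API key id/secret pair. The byte lengths (10 for ids, 12/32 for key pairs) are this example's choices, and encrypting the secret at rest is left to the key store.

```python
import secrets
import uuid

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def base62_width(nbytes):
    """Digits needed to hold any nbytes-long value (fixed width keeps IDs decodable)."""
    width, capacity = 1, 62
    while capacity < 256 ** nbytes:
        width += 1
        capacity *= 62
    return width


def base62_encode(data):
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, r = divmod(n, 62)
        digits.append(ALPHABET[r])
    # left-pad with "0" so leading zero bytes survive a round trip
    return "".join(reversed(digits)).rjust(base62_width(len(data)), ALPHABET[0])


def base62_decode(text, nbytes):
    n = 0
    for ch in text:
        n = n * 62 + ALPHABET.index(ch)   # ValueError on any non-Base62 character
    return n.to_bytes(nbytes, "big")


def new_identifier(nbytes=10):
    """Opaque, non-sequential resource id: 80 bits of CSPRNG output by default."""
    return base62_encode(secrets.token_bytes(nbytes))


def identifier_from_uuid():
    """Same idea with a random (version 4) UUID as the source of bits."""
    return base62_encode(uuid.uuid4().bytes)


def new_api_key():
    """API key pair: a public id to look the key up by, and a high-entropy secret."""
    return {"id": base62_encode(secrets.token_bytes(12)),
            "secret": base62_encode(secrets.token_bytes(32))}
```

Because every id is independent random output, nothing about /accounts/<id> tells a caller which other ids exist, and generation can happen on any node without coordination.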
Query Injection
Vulnerable URL: foo.com/accounts?acctId=' or '1'='1

String query = "select * from accounts where acct_id = '" + request.getParameter("acctId") + "'";
Solution
• Use Parameterized Query API (Prepared Statements).
• If not available, escape special chars
Redirects and Forwards
• Avoid redirects and forwards if possible
• If used, validate the value and ensure authorized for the current user.
foo.com/redirect.jsp?url=evil.com
foo.com/whatever.jsp?fwd=admin.jsp
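Added example for the redirect/forward slide, written for this transcript: a redirect validator that only accepts site-relative paths or absolute URLs whose host is on an allow-list, and a forward validator that only accepts known pages and checks the current user's role before forwarding. The host and page allow-lists are constructed values; both values on the slide (url=evil.com and fwd=admin.jsp for a non-admin) are rejected.

```python
from urllib.parse import urlparse

# Constructed allow-lists; in a real service these come from configuration.
ALLOWED_REDIRECT_HOSTS = {"foo.com", "www.foo.com"}
# forward target -> role required to reach it (None = any authenticated user)
FORWARD_TARGETS = {"home.jsp": None, "profile.jsp": None, "admin.jsp": "admin"}


def safe_redirect_target(url, default="/"):
    """Validate a user-supplied redirect value; fall back to `default` otherwise."""
    if not url or any(ch in url for ch in "\\\r\n"):   # backslash / header-splitting tricks
        return default
    parsed = urlparse(url)
    if not parsed.scheme and not parsed.netloc:
        # site-relative path only; "//host/..." is scheme-relative and has a netloc
        return url if url.startswith("/") and not url.startswith("//") else default
    # absolute URL: only http(s) and only hosts we own (hostname is lower-cased,
    # and "http://foo.com@evil.com" yields hostname evil.com, so it is rejected)
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return url
    return default


def safe_forward_target(page, user_roles):
    """Only forward to known pages, and only if this user may view them."""
    if page not in FORWARD_TARGETS:
        return None
    required = FORWARD_TARGETS[page]
    if required is not None and required not in user_roles:
        return None
    return page
```

Returning a fixed default instead of an error keeps the user flow working while denying the attacker-chosen destination; logging the rejected value is the detection hook.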
TLS
• Use TLS for everything
• Once electing to TLS:
  – Never revert
  – Never switch back and forth
• Cookies: set the ‘secure’ and ‘httpOnly’ flags for secure cookies
• Backend/infrastructure connections use TLS too
TLS Cont'd
• Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms
• Use Cipher Suites w/ Perfect Forward Secrecy!
  – e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256
• Keep your TLS certificates valid
• But beware, TLS isn't foolproof
  – App-level encryption + TLS for most secure results
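Added example for the two TLS slides, written for this transcript rather than taken from the deck: a Python ssl context for the service's own backend connections that requires TLS 1.2 or newer, verifies the peer certificate and hostname, and restricts TLS 1.2 suites to ECDHE key exchange with AES-GCM (the family the slide's ECDHE_RSA_WITH_AES_256_GCM example belongs to, in OpenSSL naming), plus the Set-Cookie value with the Secure and HttpOnly flags. The OpenSSL cipher string is this example's choice; a FIPS-validated provider would additionally be selected at the library level.

```python
import ssl
from http.cookies import SimpleCookie


def hardened_client_context():
    """TLS settings for the service's own outbound (backend/infrastructure) connections."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # nothing older; no fallback path
    # ECDHE key exchange only (forward secrecy) with AES-GCM (AEAD); no anon/null/MD5.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def context_report(ctx):
    """The facts a reviewer checks before trusting a context (TLS 1.3 suites are
    always forward secret, so only the TLS 1.2 list needs the ECDHE check)."""
    tls12_suites = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "has_tls12_suites": len(tls12_suites) > 0,
        "all_forward_secret": all(name.startswith("ECDHE-") for name in tls12_suites),
        "tls12_suites": tls12_suites,
    }


def session_cookie(name, value, max_age=3600):
    """Set-Cookie value carrying the Secure and HttpOnly flags the slide calls for."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True       # only ever sent over TLS
    jar[name]["httponly"] = True     # not readable from page script
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    return jar[name].OutputString()
```

The same minimum-version and cipher settings apply to the server-side context; the difference is only which side presents the certificate.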
Configuration
• CI: Security Testing
• Security Patches
• Regularly scan/audit
• Same config in Dev, Prod, QA* (Docker is great for this!)
• Externalize passwords/credentials
* Except credentials of course
Storage
• Sensitive data encrypted at rest
• Encrypt offsite backups
• Strong algorithms/standards
• Strong encryption keys and key management
• Strong password hashing
• External key storage
• Encrypted file system (e.g. eCryptfs)
Thank You!
• [email protected]
• Twitter: @lhazlewood
• https://stormpath.com
Stormpath.com
• Free for developers
• Eliminate months of development
• Automatic security best practices
Sign Up Now: Stormpath.com