Full disclosure, I work for an auth provider, FusionAuth, which generates tokens which are often used as authentication for APIs.

I was pretty disappointed by this article. I was part of a webinar on API security last year and that was deeper than this ( https://www.youtube.com/watch?v=W3-UH5A3Y8Y ), and it was a webinar :). The article did a good job of talking about the risks of API security, but other than a passing mention of OWASP and authentication (what does MFA with APIs even look like?) it didn't dive deep.

Things to think about when securing your APIs:

- OWASP API Top 10 is a great starting point: https://owasp.org/www-project-api-security/ even though it hasn't been updated since 2019.
- Think about rate limiting, which requires you to understand your typical usage. You will have to tune this.
- Prefer token-based solutions for authentication rather than API keys. API keys are easier to understand and implement, but tokens are self-expiring and can contain more information. OAuth2 is the go-to standard for this, but even a custom token solution is better than API keys (looking at you, AWS: https://www.youtube.com/watch?v=tPr1AgGkvc4 ).
- Build in defense in depth. If you can lock down access at the network level, do so. Use granular permissions. Build in auditability so that you know which users made which requests.
- Educate the business on the risks. The article had some good examples. It's not just about PII being lost, it's also about access being denied and even public information being scraped in an unintentional manner.
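An added example (not from the commenter or FusionAuth) of the token-over-API-key point above: a minimal HMAC-signed, self-expiring bearer token that carries scopes, checked by a handler that enforces a granular permission and writes an audit record per request. The shared secret, claim names, scope strings and endpoint are constructed for the demo; a real deployment would use OAuth2/JWT libraries and a key from a secrets store.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; not for production use.
SECRET = b"demo-shared-secret-not-for-production"
AUDIT_LOG = []  # one record per request: who, what, outcome

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, scopes: list, ttl_seconds: int, now=None) -> str:
    """Mint a token carrying subject, scopes and an absolute expiry (claims
    an opaque API key cannot carry), signed with HMAC-SHA256."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": scopes, "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(token: str, required_scope: str, now=None):
    """Return (ok, reason, claims). Order matters: signature first, so
    untrusted claims are never interpreted; then expiry; then scope."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad_signature", None
        claims = json.loads(_unb64(body))
        exp, scopes = int(claims["exp"]), list(claims["scope"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed", None
    if exp <= now:
        return False, "expired", claims       # self-expiring: no revocation list needed
    if required_scope not in scopes:
        return False, "insufficient_scope", claims  # granular permission check
    return True, "ok", claims

def handle_request(token: str, endpoint: str, required_scope: str, now=None) -> int:
    """Authorize one API call and record it for auditability; returns an HTTP status."""
    ok, reason, claims = verify_token(token, required_scope, now)
    AUDIT_LOG.append({"sub": claims.get("sub") if claims else None,
                      "endpoint": endpoint, "result": reason})
    if ok:
        return 200
    return 403 if reason == "insufficient_scope" else 401
```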