[LOG_ID] #CMP3QWHS[TIMESTAMP] 2024.03.20 00:00:00[AUTHOR] BULINDEV ADMIN

Building Secure REST APIs: A Practical Guide

Comprehensive guide to API security covering authentication, authorization, rate limiting, and common vulnerabilities.

BUILDING SECURE REST APIS: A PRACTICAL GUIDE

INTRODUCTION

APIs are the backbone of modern applications, making their security critical. This guide covers essential security practices for REST APIs.

AUTHENTICATION

1. JWT IMPLEMENTATION

CODE_BLOCK // JAVASCRIPT
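const jwt = require('jsonwebtoken');

// The only algorithm this service signs with. It is pinned on *both* sides:
// `jwt.verify` is told which algorithms to accept so a token re-signed with a
// different algorithm (or `none`) is rejected instead of the library inferring
// the algorithm from the untrusted token header. Depending on the jsonwebtoken
// version the default may be more permissive, so never rely on it.
const JWT_ALGORITHM = 'HS256';
const JWT_TTL = '1h';

/**
 * Issue a short-lived access token for an authenticated user.
 *
 * Only `id` and `role` are placed in the payload. A JWT payload is
 * base64url-encoded, not encrypted, so anything put here is readable by
 * whoever holds the token.
 *
 * @param {{ id: string|number, role: string }} user - authenticated principal.
 * @returns {string} compact signed JWT, valid for one hour.
 * @throws if `JWT_SECRET` is unset or empty (jsonwebtoken refuses to sign).
 */
function generateToken(user) {
  return jwt.sign(
    { id: user.id, role: user.role },
    process.env.JWT_SECRET,
    { expiresIn: JWT_TTL, algorithm: JWT_ALGORITHM },
  );
}

/**
 * Pull the credential out of an `Authorization: Bearer <token>` header.
 *
 * Returns null when the header is absent, is not a string, does not use the
 * Bearer scheme, or has extra whitespace-separated parts. The original
 * `split(' ')[1]` accepted any scheme (e.g. `Basic ...`) and handed the second
 * word to the verifier; checking the scheme keeps the 401 reason accurate.
 *
 * @param {unknown} header - raw Authorization header value.
 * @returns {string|null}
 */
function extractBearerToken(header) {
  if (typeof header !== 'string') return null;
  const [scheme, token, ...rest] = header.trim().split(/\s+/);
  if (!token || rest.length > 0 || scheme.toLowerCase() !== 'bearer') return null;
  return token;
}

/**
 * Express middleware: require a valid bearer JWT and expose its claims on `req.user`.
 *
 * Responds 401 for a missing/malformed header and 401 for a token that is
 * expired, tampered with, or signed with another key or algorithm. The client
 * only ever sees the two generic messages below; the specific verification
 * failure is deliberately not disclosed.
 */
function verifyToken(req, res, next) {
  const token = extractBearerToken(req.headers.authorization);
  if (!token) {
    return res.status(401).json({ error: 'No token provided' });
  }
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET, {
      algorithms: [JWT_ALGORITHM],
    });
    req.user = decoded;
    next();
  } catch {
    return res.status(401).json({ error: 'Invalid token' });
  }
}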

2. API KEY MANAGEMENT

CODE_BLOCK // JAVASCRIPT
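/**
 * Express middleware: authenticate a request by its `X-API-Key` header.
 *
 * Keys are stored only as SHA-256 digests, so a copy of the table does not
 * yield usable keys. An unsalted, fast hash is acceptable here solely because
 * API keys are expected to be long, randomly generated secrets; a user-chosen
 * password would need a slow, salted hash (bcrypt/argon2) instead. Looking the
 * digest up as the query key also means no secret is ever compared with `===`.
 *
 * Responds 401 when the header is missing, not a string, or unknown. A failure
 * of the database call is passed to `next(err)`: Express 4 does not catch a
 * rejected promise from async middleware, so without this the request would
 * hang and the rejection would surface as an unhandled-rejection warning.
 *
 * On success the matching record is exposed as `req.apiKey` so downstream
 * handlers can scope authorization to the key's owner.
 */
async function validateApiKey(req, res, next) {
  const apiKey = req.headers['x-api-key'];
  if (typeof apiKey !== 'string' || apiKey.length === 0) {
    return res.status(401).json({ error: 'API key required' });
  }

  const hashedKey = crypto.createHash('sha256').update(apiKey).digest('hex');

  let record;
  try {
    record = await db.apiKeys.findOne({ hash: hashedKey });
  } catch (err) {
    // Route infrastructure failures to the error handler, not a hung request.
    return next(err);
  }

  if (!record) {
    return res.status(401).json({ error: 'Invalid API key' });
  }

  req.apiKey = record;
  next();
}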

AUTHORIZATION

ROLE-BASED ACCESS CONTROL (RBAC)

CODE_BLOCK // JAVASCRIPT
/**
 * Build an Express middleware that admits only principals whose `role` is one
 * of `roles`; everyone else gets 403.
 *
 * Must be mounted after an authentication middleware that sets `req.user`
 * (e.g. verifyToken): an unauthenticated request is refused exactly like a
 * wrong role, so a missing auth step fails closed rather than open.
 *
 * @param {...string} roles - roles permitted to pass.
 * @returns {(req, res, next) => void} middleware.
 */
function requireRole(...roles) {
  const allowed = new Set(roles);
  return (req, res, next) => {
    const principal = req.user;
    if (principal && allowed.has(principal.role)) {
      next();
      return;
    }
    res.status(403).json({ error: 'Insufficient permissions' });
  };
}

// Usage: authenticate first, then check the role, then run the handler.
app.delete('/api/users/:id', verifyToken, requireRole('admin'), deleteUser);

RATE LIMITING

CODE_BLOCK // JAVASCRIPT
const rateLimit = require('express-rate-limit');

// Budget for the per-client limiter below.
const RATE_WINDOW_MS = 15 * 60 * 1000; // 15 minutes
const RATE_MAX_REQUESTS = 100; // per client IP per window

/**
 * Throttle every route under /api/ to RATE_MAX_REQUESTS per RATE_WINDOW_MS,
 * keyed by client IP. Excess requests get the message below (express-rate-limit
 * answers with 429 by default). Standard `RateLimit-*` headers are emitted;
 * the legacy `X-RateLimit-*` ones are switched off.
 *
 * NOTE(review): the key is `req.ip`. Behind a reverse proxy or load balancer
 * that is only the real client address when `app.set('trust proxy', ...)` is
 * scoped to the proxy hops actually in front of this app. Without it every
 * client shares the proxy's IP and throttles each other; with an over-broad
 * setting a client can spoof `X-Forwarded-For` and sidestep the limit.
 * Credential endpoints (login, token exchange) usually deserve a much tighter
 * separate limiter than this general one.
 */
const limiter = rateLimit({
  windowMs: RATE_WINDOW_MS,
  max: RATE_MAX_REQUESTS,
  message: 'Too many requests, please try again later',
  standardHeaders: true,
  legacyHeaders: false,
});

app.use('/api/', limiter);

INPUT VALIDATION

CODE_BLOCK // JAVASCRIPT
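const { body, validationResult } = require('express-validator');

// Upper bound on password length. Password hashing is deliberately slow and
// bcrypt only looks at the first 72 bytes, so an unbounded length lets a
// client burn server CPU with very long passwords for no security benefit.
const PASSWORD_MAX_LENGTH = 128;

/**
 * Reduce express-validator errors to what a client needs.
 *
 * `errors.array()` includes `value` — the rejected input itself. Returning it
 * verbatim echoes the submitted password back in the 400 response (and into
 * anything that logs response bodies), so only the field name and message are
 * kept. `path` is the express-validator v7 field name, `param` the v6 one.
 *
 * @param {import('express-validator').Result} errors
 * @returns {{ field: string, message: string }[]}
 */
function formatValidationErrors(errors) {
  return errors.array().map((e) => ({ field: e.path ?? e.param, message: e.msg }));
}

app.post(
  '/api/users',
  // NOTE(review): normalizeEmail() canonicalises provider-specific forms
  // (lower-casing, and for some providers dots/sub-addresses). Make sure this
  // matches how the account store treats identity, or two inputs may collapse
  // into one account unexpectedly.
  body('email').isEmail().normalizeEmail(),
  body('password')
    .isLength({ min: 8, max: PASSWORD_MAX_LENGTH })
    .matches(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/),
  body('name').trim().isLength({ min: 2, max: 50 }),
  (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: formatValidationErrors(errors) });
    }
    // Process request
  },
);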

CORS CONFIGURATION

CODE_BLOCK // JAVASCRIPT
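const cors = require('cors');

/**
 * Parse the comma-separated ALLOWED_ORIGINS setting into exact origin strings.
 *
 * Entries are trimmed and empty ones dropped: with a plain `split(',')`,
 * `"https://a.example, https://b.example"` yields `" https://b.example"`,
 * which never matches a real Origin header and silently blocks that site.
 * An unset or empty variable is a configuration error and fails at startup
 * with a clear message rather than a TypeError — or, worse, a later "fix"
 * of `origin: true`, which reflects any origin and with `credentials: true`
 * lets any website make authenticated calls as the user.
 *
 * @param {string|undefined} raw - value of process.env.ALLOWED_ORIGINS.
 * @returns {string[]} non-empty list of origins.
 * @throws {Error} when no origin is configured.
 */
function parseAllowedOrigins(raw) {
  const origins = (raw ?? '')
    .split(',')
    .map((origin) => origin.trim())
    .filter((origin) => origin.length > 0);
  if (origins.length === 0) {
    throw new Error('ALLOWED_ORIGINS must list at least one origin');
  }
  return origins;
}

// Exact-match allowlist. Because credentials are allowed, the browser will
// attach cookies / Authorization to cross-site calls from these origins, so
// this must stay a fixed list — never a wildcard or a reflected Origin.
app.use(cors({
  origin: parseAllowedOrigins(process.env.ALLOWED_ORIGINS),
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true,
  maxAge: 86400, // browsers may cache the preflight result for a day
}));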

SECURITY HEADERS

CODE_BLOCK // JAVASCRIPT
const helmet = require('helmet');

// Content-Security-Policy sent with every response. It mainly protects any
// HTML this server renders (docs, error pages); a pure JSON API gains little
// from it, but it is harmless there.
const cspDirectives = {
  defaultSrc: ["'self'"],
  // 'unsafe-inline' for styles is the usual concession to inline style
  // attributes. It is a weakening of the policy; drop it if no inline styles exist.
  styleSrc: ["'self'", "'unsafe-inline'"],
  scriptSrc: ["'self'"],
  imgSrc: ["'self'", 'data:', 'https:'],
};

// HSTS for one year, covering subdomains. `preload: true` only marks the header
// as eligible for the browser preload list; NOTE(review): submitting the domain
// to that list is a long-lived commitment (every subdomain must serve HTTPS)
// that is slow to reverse, so treat it as a deliberate decision.
const hstsOptions = {
  maxAge: 31536000,
  includeSubDomains: true,
  preload: true,
};

app.use(helmet({
  contentSecurityPolicy: { directives: cspDirectives },
  hsts: hstsOptions,
}));

ERROR HANDLING

CODE_BLOCK // JAVASCRIPT
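/**
 * Last-resort Express error handler.
 *
 * Keep all four parameters even though `next` is unused: Express recognises
 * error-handling middleware by its arity, and dropping `next` silently turns
 * this into an ordinary middleware that never receives errors.
 *
 * Stack traces stay server-side. In production the client gets a fixed
 * message, because `err.message` from a driver or library can reveal file
 * paths, query text or internal hostnames.
 */
app.use((err, req, res, next) => {
  // Log error details internally
  console.error(err.stack);

  // Accept either property: http-errors and most libraries set `status`,
  // some set only `statusCode`. Anything that is not an integer in the HTTP
  // error range is treated as an internal error instead of being handed to
  // res.status(), which rejects out-of-range codes.
  const raw = err.status ?? err.statusCode;
  const status = Number.isInteger(raw) && raw >= 400 && raw <= 599 ? raw : 500;

  // Send generic error to client
  res.status(status).json({
    error: process.env.NODE_ENV === 'production' ? 'Internal server error' : err.message,
  });
});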

LOGGING AND MONITORING

CODE_BLOCK // JAVASCRIPT
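const winston = require('winston');

// JSON lines keep every field machine-parseable for a log shipper or SIEM.
// NOTE(review): these file transports do no rotation; in production either use
// a rotating transport or write to stdout and let the platform collect it,
// otherwise combined.log grows without bound.
const logger = winston.createLogger({
  level: 'info',
  format: winston.format.json(),
  transports: [
    new winston.transports.File({ filename: 'error.log', level: 'error' }),
    new winston.transports.File({ filename: 'combined.log' }),
  ],
});

// Log each request once the response has closed, so the outcome is part of
// the record. A run of 401/403/429 from one IP is exactly what auth-abuse
// detection looks for, and it is invisible when only the inbound request is
// logged. Headers and body are deliberately excluded: Authorization and
// X-API-Key are secrets and must never reach a log file.
app.use((req, res, next) => {
  const startedAt = Date.now();
  // 'close' fires after a completed response and also when the client aborts,
  // so every request still produces exactly one line.
  res.once('close', () => {
    logger.info({
      method: req.method,
      path: req.path,
      ip: req.ip,
      userAgent: req.get('user-agent'),
      status: res.statusCode,
      durationMs: Date.now() - startedAt,
    });
  });
  next();
});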

CONCLUSION

API security is multi-layered: authentication, authorization, validation, rate limiting, and monitoring all work together to create a secure system. No single layer is sufficient on its own — each one exists to catch what the others miss, and they must be revisited whenever endpoints, roles, or deployment topology change.
