Related to: Authentication - Authorization - Accounting - Auditing - Delegation - Consent

| API Security Layer | Description |
| --- | --- |
| Post-Login Attacks | |
| Pre-Login Attacks | Authentication Service Attacks - credential stuffing, fuzzing, stolen cookies and tokens |
| Foundational API Security | Access Control - tokens, authentication, authorization; Rate Limiting - client throttling, quotas; Network Privacy - TLS |
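The "Rate Limiting - client throttling, quotas" row above names two distinct controls: a short-term throttle that smooths bursts and a long-term quota that caps total use. The following added example (not from the original page) shows one common way to implement both together: a per-client token bucket for throttling, with a hard request quota checked first so an exhausted client cannot keep draining bucket tokens. The clock is injected so the run is deterministic; the client ids, limits and request trace are constructed values.

```python
"""Per-client token-bucket throttling plus a fixed quota.

Added example, not from the original page. Limits and the request trace
below are constructed; a real deployment would key clients by API token
or authenticated principal rather than by a bare string.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ClientState:
    tokens: float           # tokens currently in this client's bucket
    last_refill: float      # timestamp (seconds) of the last refill
    quota_used: int = 0     # requests counted against the long-term quota


class RateLimiter:
    """Token bucket (short-term throttle) plus a hard quota (long-term cap)."""

    def __init__(self, rate_per_sec: float, burst: int, quota: int):
        self.rate = rate_per_sec    # steady-state requests per second
        self.burst = burst          # bucket capacity: largest allowed burst
        self.quota = quota          # total requests allowed per client per period
        self.clients: dict[str, ClientState] = {}

    def _refill(self, state: ClientState, now: float) -> None:
        # Add tokens for the elapsed time, never exceeding the burst capacity.
        elapsed = max(0.0, now - state.last_refill)
        state.tokens = min(float(self.burst), state.tokens + elapsed * self.rate)
        state.last_refill = now

    def check(self, client_id: str, now: float) -> tuple[bool, str]:
        """Return (allowed, reason) for one request from client_id at time now."""
        state = self.clients.setdefault(
            client_id, ClientState(tokens=float(self.burst), last_refill=now)
        )
        # Quota first: an exhausted client gets a definitive answer and stops
        # competing for bucket tokens.
        if state.quota_used >= self.quota:
            return False, "quota exceeded"
        self._refill(state, now)
        if state.tokens < 1.0:
            return False, "throttled"
        state.tokens -= 1.0
        state.quota_used += 1
        return True, "ok"


def simulate(requests: list[tuple[float, str]]) -> list[str]:
    """Run a (timestamp, client_id) trace and return the decision for each request."""
    limiter = RateLimiter(rate_per_sec=1.0, burst=3, quota=5)
    return [limiter.check(client, t)[1] for t, client in requests]


# Constructed trace: client "a" bursts four requests at t=0 (one more than the
# bucket holds), comes back after the bucket partially refills, then hits its
# quota; client "b" is independent and unaffected.
SAMPLE = [
    (0.0, "a"), (0.0, "a"), (0.0, "a"), (0.0, "a"),
    (2.0, "a"), (3.0, "a"), (3.5, "a"),
    (0.0, "b"),
]

if __name__ == "__main__":
    for (t, client), outcome in zip(SAMPLE, simulate(SAMPLE)):
        print(f"t={t:4.1f} client={client} -> {outcome}")
```

The two failure reasons are deliberately distinct: a throttled client should be told to retry later (HTTP 429 with a Retry-After), while a client over quota should not be told to retry until the quota period resets. Keying the limiter by authenticated identity rather than source IP also makes it useful against the credential-stuffing pattern listed in the Pre-Login Attacks row, where one source cycles through many accounts.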

API Credential Types

| API Credential Type | Description | Where it is Passed (normally) |
| --- | --- | --- |
| Basic Access Authentication | A method in which the user agent provides a user name and password when making a specific request. | HTTP Authorization header: Basic scheme - username and password, base64-encoded |
| Token-Based Authentication | A method that allows users to enter their username and password in order to obtain a token, which then lets them make specific requests without resending their username and password. Once the token has been obtained, the user presents it to the remote site; it grants access to a specific resource for a limited time period. | HTTP Authorization header: Bearer scheme - credentials in the form of a token |

In practice, credentials show up in all sorts of places:

  • HTTP Authorization header
  • HTTP custom header
  • HTTP request body
  • HTTP query string
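Because credentials can arrive in any of the four locations above, a defender reviewing an API often starts by inventorying where they actually appear in traffic. The added example below (not from the original page) parses a captured request and reports each credential location it finds, decoding the Basic scheme far enough to recover the username for audit purposes, recognising the Bearer scheme, and flagging query-string placement as the riskiest because URLs are routinely written to access logs, proxy logs and browser history. The sample requests, the custom header names (such as X-API-Key) and the parameter names it looks for are constructed assumptions, not values from the page.

```python
"""Inventory the locations in which an HTTP request carries credentials.

Added example, not from the original page. The header and parameter names
below, the risk labels, and the sample requests are constructed assumptions.
"""
import base64
from urllib.parse import parse_qs, urlsplit

# Assumed header names commonly used for API keys; extend for your own API.
CUSTOM_CREDENTIAL_HEADERS = {"x-api-key", "api-key", "x-auth-token"}
# Assumed query/body parameter names that usually carry a secret.
CREDENTIAL_PARAM_NAMES = {"api_key", "apikey", "access_token", "token", "password"}


def parse_authorization(value: str) -> dict:
    """Classify an Authorization header value without exposing the secret."""
    scheme, _, params = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic carries base64(username ":" password); keep only the username.
        try:
            decoded = base64.b64decode(params, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return {"scheme": "basic", "error": "malformed base64"}
        user, sep, _password = decoded.partition(":")
        return {"scheme": "basic", "user": user if sep else None}
    if scheme == "bearer":
        # Never log the token itself; its length is enough to spot oddities.
        return {"scheme": "bearer", "token_length": len(params)}
    return {"scheme": scheme}


def find_credentials(method: str, target: str, headers: dict, body: str = "") -> list:
    """Return one finding per credential location present in the request."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}

    if "authorization" in lowered:
        info = parse_authorization(lowered["authorization"])
        findings.append({"location": "authorization-header", "risk": "low", **info})

    for name in sorted(CUSTOM_CREDENTIAL_HEADERS & lowered.keys()):
        findings.append({"location": "custom-header", "name": name, "risk": "low"})

    # Query-string credentials end up in access logs, Referer headers and history.
    query = parse_qs(urlsplit(target).query)
    for name in sorted(CREDENTIAL_PARAM_NAMES & query.keys()):
        findings.append({"location": "query-string", "name": name, "risk": "high"})

    # Body credentials are not logged by default but are still visible to any
    # intermediary that terminates TLS (hence the Network Privacy - TLS control).
    content_type = lowered.get("content-type", "")
    if method.upper() in {"POST", "PUT", "PATCH"} and content_type.startswith(
        "application/x-www-form-urlencoded"
    ):
        form = parse_qs(body)
        for name in sorted(CREDENTIAL_PARAM_NAMES & form.keys()):
            findings.append({"location": "request-body", "name": name, "risk": "medium"})

    return findings


# Constructed sample 1: Basic auth plus an API key leaked in the query string.
BASIC_VALUE = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
SAMPLE_GET = ("GET", "/v1/items?api_key=abc123&page=2",
              {"Authorization": BASIC_VALUE, "X-API-Key": "abc123"})

# Constructed sample 2: Bearer token plus a password submitted as a form field.
SAMPLE_POST = ("POST", "/v1/login",
               {"Authorization": "Bearer eyJhbGciOiJub25lIn0.e30.",
                "Content-Type": "application/x-www-form-urlencoded"},
               "username=alice&password=s3cret")

if __name__ == "__main__":
    for finding in find_credentials(*SAMPLE_GET) + find_credentials(*SAMPLE_POST):
        print(finding)
```

Run over real captures, the output is a map of which credential types and locations an API actually accepts; anything reported as "query-string" is a candidate for migration to the Authorization header, and the Basic-scheme usernames let you cross-check which accounts are still on password-based access rather than tokens.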

API Security Resources