Name: API-Security-Checklist
Owner: Shieldfy
Description: Checklist of the most important security countermeasures when designing, testing, and releasing your API
Created: 2017-07-08 20:01:38.0
Updated: 2018-01-19 11:50:52.0
Pushed: 2018-01-11 17:52:58.0
Size: 237
Language: null
Checklist of the most important security countermeasures when designing, testing, and releasing your API.
Authentication
- Don't use Basic Auth. Use standard authentication (e.g. JWT, OAuth).
- Don't reinvent the wheel in Authentication, token generation, password storage. Use the standards.
- Use Max Retry and jail features in Login.

JWT
- Use a random complicated key (JWT Secret) to make brute forcing the token very hard.
- Don't extract the algorithm from the payload. Force the algorithm in the backend (HS256 or RS256).
- Make token expiration (TTL, RTTL) as short as possible.
OAuth
- Always validate redirect_uri server-side to allow only whitelisted URLs.
- Always try to exchange for code and not tokens (don't allow response_type=token).
- Use the state parameter with a random hash to prevent CSRF on the OAuth authentication process.

Access
- Use the HSTS header with SSL to avoid the SSL Strip attack.
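As an added example (not code from the repository) of the three OAuth items, the following Python checks an authorization request the way an authorization server should: the redirect_uri must exactly match a registered value, response_type must be code, and a state value of useful length must be present; the client-side helpers generate and compare the state. The client registry, the 16-character minimum for state and the exact-match interpretation of "whitelisted" are this example's assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed registration data for one hypothetical client application.
REGISTERED_CLIENTS = {
    "client-123": {"redirect_uris": {"https://app.example.com/oauth/callback"}},
}
MIN_STATE_LENGTH = 16   # assumption: anything shorter is treated as guessable


def redirect_uri_allowed(client_id, candidate):
    """Exact match against the client's registered URIs.

    Prefix or substring matching is deliberately avoided: a different host whose
    name merely starts with the registered one would otherwise pass. Fragments
    and non-https schemes are refused as well.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.fragment:
        return False
    return candidate in client["redirect_uris"]


def validate_authorize_request(query):
    """Check the query string of a /authorize request before showing a consent page.

    Returns (ok, reason); the reasons mirror the OAuth error code vocabulary.
    """
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if params.get("response_type") != "code":          # implicit flow (token) is refused
        return False, "unsupported_response_type"
    if not redirect_uri_allowed(params.get("client_id", ""), params.get("redirect_uri", "")):
        return False, "invalid_redirect_uri"
    if len(params.get("state", "")) < MIN_STATE_LENGTH:
        return False, "missing_state"
    return True, "ok"


def new_state():
    """Random state the client stores in its session before redirecting the user."""
    return secrets.token_urlsafe(32)


def state_matches(session_state, returned_state):
    """Compare the stored and returned state in constant time at the callback."""
    return bool(session_state) and hmac.compare_digest(session_state, returned_state)
```

On the client side the flow is: call `new_state()`, store the value in the user's session, send it as the `state` parameter, and accept the callback only when `state_matches` is true for the value that comes back.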
Input
- Use the proper HTTP method according to the operation: GET (read), POST (create), PUT/PATCH (replace/update), and DELETE (to delete a record), and respond with 405 Method Not Allowed if the requested method isn't appropriate for the requested resource.
- Validate content-type on the request Accept header (Content Negotiation) to allow only your supported format (e.g. application/xml, application/json, etc) and respond with 406 Not Acceptable if not matched.
- Validate the content-type of posted data as you accept it (e.g. application/x-www-form-urlencoded, multipart/form-data, application/json, etc).
- Validate user input to avoid common vulnerabilities (e.g. XSS, SQL-Injection, Remote Code Execution, etc).
- Don't use any sensitive data (credentials, passwords, security tokens, or API keys) in the URL, but use the standard Authorization header.
- Use an API Gateway service to enable caching and Rate Limit policies (e.g. Quota, Spike Arrest, Concurrent Rate Limit) and deploy API resources dynamically.
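The first three Input items form one gate that every request passes before a handler runs. The following is an added example, not the repository's code, of that gate in plain Python: it checks the method against a route table (405), negotiates the Accept header including wildcards and q=0 rejections (406), and validates the posted content-type after stripping parameters such as charset or boundary. The route table and supported media types are constructed; the 415 status for an unsupported request body is a standard HTTP status but is this example's choice, since the checklist only says to validate it.

```python
# Constructed route table: which methods each resource supports.
ROUTES = {
    "/orders": {"GET", "POST"},
    "/orders/{id}": {"GET", "PUT", "PATCH", "DELETE"},
}
SUPPORTED_RESPONSE_TYPES = {"application/json", "application/xml"}
SUPPORTED_REQUEST_TYPES = {
    "application/json",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
}
METHODS_WITH_BODY = {"POST", "PUT", "PATCH"}


def media_type(header_value):
    """Drop parameters ('; charset=utf-8', '; boundary=...') and normalise case."""
    return header_value.split(";", 1)[0].strip().lower()


def accept_allows(accept_header, supported):
    """Return the first supported type the client accepts, or None.

    Items are taken in header order and q-values are only used to honour
    explicit rejections (q=0); that is enough for an allow-list check.
    A missing Accept header means the client takes anything.
    """
    if not accept_header:
        return sorted(supported)[0]
    for item in accept_header.split(","):
        mt, *params = [p.strip() for p in item.split(";")]
        q = 1.0
        for p in params:
            if p.startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0
        if q <= 0:
            continue
        mt = mt.lower()
        if mt == "*/*":
            return sorted(supported)[0]
        if mt.endswith("/*"):
            for s in sorted(supported):
                if s.startswith(mt[:-1]):
                    return s
        elif mt in supported:
            return mt
    return None


def check_request(method, route, headers):
    """Return (status, detail); 200 means the request passed the input checks."""
    allowed = ROUTES.get(route)
    if allowed is None:
        return 404, "unknown resource"
    if method not in allowed:
        # 405 responses should carry an Allow header listing the valid methods.
        return 405, "Allow: " + ", ".join(sorted(allowed))
    if accept_allows(headers.get("Accept"), SUPPORTED_RESPONSE_TYPES) is None:
        return 406, "Not Acceptable"
    if method in METHODS_WITH_BODY:
        ct = headers.get("Content-Type")
        if not ct or media_type(ct) not in SUPPORTED_REQUEST_TYPES:
            return 415, "Unsupported Media Type"
    return 200, "ok"
```

Note that the Content-Type check is exact on the media type but tolerant of parameters; a strict string compare against `application/json` would wrongly reject `application/json; charset=utf-8`, which most clients send.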
Processing
- Avoid exposing the user's own resource ID. Use /me/orders instead of /user/654321/orders.
- Don't auto-increment IDs. Use UUID instead.
- If you are parsing XML files, make sure entity parsing is not enabled to avoid XXE (XML external entity attack).
- If you are parsing XML files, make sure entity expansion is not enabled to avoid Billion Laughs/XML bomb via exponential entity expansion attack.
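Both XML items come down to the same control: the parser must never act on a DTD, because that is where external entities and nested entity expansions are declared. As an added example (not the repository's code), the following parser is built on the standard library's expat binding and refuses any DOCTYPE before it is processed, which covers XXE and Billion Laughs at once. The flat `{tag: text}` output and the two sample documents are constructed for this example; the DTD sample is a three-fold expansion, the same shape as an XML bomb at a harmless size.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD, which is where entities are declared."""


def parse_xml_no_entities(data):
    """Parse a flat XML document into {tag: text} while refusing any DTD.

    Without a DOCTYPE there is nowhere to declare an external entity (XXE) or
    the nested entities of a Billion Laughs payload, so rejecting the DTD up
    front closes both. Parameter-entity parsing is disabled as well, so no
    external DTD is ever fetched before the handler gets to run.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def reject_entity(*decl):
        raise UnsafeXML("entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity   # belt and braces; DOCTYPE fires first

    result, stack, text = {}, [], []

    def start(tag, attrs):
        stack.append(tag)
        text.clear()

    def chars(content):
        text.append(content)   # expat may deliver text in several chunks

    def end(tag):
        stack.pop()
        if stack:              # record leaf elements below the root
            result[tag] = "".join(text).strip()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)   # exceptions raised in handlers propagate out of Parse
    return result


# Constructed sample inputs.
SAMPLE_OK = b"<order><id>42</id><status>paid</status></order>"
SAMPLE_WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY a "x"><!ENTITY b "&a;&a;&a;">]>'
    b"<order><id>&b;</id></order>"
)


def is_accepted(data):
    """True if the document parses, False if it was refused for carrying a DTD."""
    try:
        parse_xml_no_entities(data)
        return True
    except UnsafeXML:
        return False
```

If an application genuinely needs DTDs, the same handlers can be narrowed (for example, refusing only `EntityDeclHandler` calls whose system id is set), but refusing the DOCTYPE outright is the setting that needs no further reasoning.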
Output
- Send the X-Content-Type-Options: nosniff header.
- Send the X-Frame-Options: deny header.
- Send the Content-Security-Policy: default-src 'none' header.
- Remove fingerprinting headers: X-Powered-By, Server, X-AspNet-Version, etc.
- Force the content-type of your response: if you return application/json then your response content-type is application/json.
- Don't return sensitive data like credentials, passwords, security tokens.
- Return the proper status code according to the operation completed (e.g. 200 OK, 400 Bad Request, 401 Unauthorized, 405 Method Not Allowed, etc).

Feel free to contribute by forking this repository, making some changes, and submitting pull requests. For any questions drop us an email at team@shieldfy.io.
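The Output items are best enforced in one place where every response is assembled, so that no handler can forget them. The following is an added example, not the repository's code, of such a function in Python: it strips the fingerprinting headers named above, adds the three response headers plus HSTS from the Access section, forces the Content-Type to application/json, and scrubs credential-like keys from the body before serialisation. The list of sensitive key names and the HSTS max-age are this example's assumptions.

```python
import json

# Headers that identify the server stack; names are compared case-insensitively.
FINGERPRINT_HEADERS = {"x-powered-by", "server", "x-aspnet-version"}
# Assumed set of body keys that must never leave the API.
SENSITIVE_KEYS = {"password", "password_hash", "secret", "token", "api_key", "credentials"}

SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "Content-Security-Policy": "default-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",  # assumed max-age
}


def scrub_body(value):
    """Recursively drop keys that carry credentials, passwords or tokens."""
    if isinstance(value, dict):
        return {k: scrub_body(v) for k, v in value.items() if k.lower() not in SENSITIVE_KEYS}
    if isinstance(value, list):
        return [scrub_body(v) for v in value]
    return value


def json_response(status, body, upstream_headers=None):
    """Build (status, headers, bytes) for an API response.

    Fingerprinting headers inherited from the framework or proxy are removed,
    the checklist's response headers are added, and the Content-Type is forced
    to application/json regardless of what the upstream layer set.
    """
    drop = FINGERPRINT_HEADERS | {"content-type"}
    headers = {k: v for k, v in (upstream_headers or {}).items() if k.lower() not in drop}
    headers.update(SECURITY_HEADERS)
    headers["Content-Type"] = "application/json"
    payload = json.dumps(scrub_body(body), separators=(",", ":")).encode("utf-8")
    return status, headers, payload


def leaked_keys(headers, body):
    """Names of fingerprinting headers or sensitive body keys still present; useful in tests."""
    found = [k for k in headers if k.lower() in FINGERPRINT_HEADERS]

    def walk(value):
        if isinstance(value, dict):
            for k, v in value.items():
                if k.lower() in SENSITIVE_KEYS:
                    found.append(k)
                walk(v)
        elif isinstance(value, list):
            for v in value:
                walk(v)

    walk(body)
    return found
```

`leaked_keys` is the check to run in an integration test against real responses: it should return an empty list for every endpoint, which turns the last four Output items into an assertion rather than a review note.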