What is API security?

Much of the modern Internet relies on APIs to function. API security is the process of protecting APIs from attacks and data breaches.

Learning Objectives

After reading this article you will be able to:

  • Understand common API security threats
  • Explain API authentication and authorization
  • Describe techniques for keeping APIs secure

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is API security?

An application programming interface (API) is a way for one piece of software to interact with another piece of software. If a program or application has an API, external clients can request services from it.

API security is the process of protecting APIs from attacks. Just as applications, networks, and servers can be subject to attack, APIs can fall victim to a number of different threats.

API security is a core component of web application security. Most modern web applications rely on APIs to function, and APIs introduce additional risk to an application by allowing outside parties to access it. One comparison is a business that opens its office to the public: having more people on the premises, some of whom may be unknown to the business's employees, introduces greater risk. Similarly, an API allows outsiders to use a program, introducing more risk to the API service's infrastructure.

What are some common API security risks?

  • Vulnerability exploits: A vulnerability exploit is when an attacker sends specially crafted data at a target, data that takes advantage of a flaw in the target's construction. These flaws, known as "vulnerabilities," can give the attacker various forms of unintended access to an API or its corresponding application. The Open Web Application Security Project (OWASP) maintains a list of the top 10 API vulnerabilities, such as SQL injection, security misconfiguration, and others. If an exploit targets a vulnerability that was previously unknown, this is called a zero-day threat — such threats are extremely difficult to stop.
  • Authentication-based attacks: Clients need to authenticate before they can make API requests so that the API server does not accept requests from unknown or illegitimate sources. There are several ways to do this, but each way is subject to compromise. For instance, an attacker could obtain a legitimate client's credentials, steal an API key, or intercept and use an authentication token.
  • Authorization errors: Authorization determines the level of access each user has. If authorization is not carefully managed, an API client may have access to data that should not be available to them, increasing the chance of a data breach.
  • DoS and DDoS attacks: Too many requests directed at an API can slow or halt service for other clients. Some attackers will direct a glut of requests at an API on purpose in a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack.

API security strategies can help mitigate these and other risks.

Strong authentication and authorization measures help ensure that data is not leaked and only authorized clients make API requests. DDoS protection and rate limiting can shut down DDoS attacks. Schema validation and the use of a web application firewall (WAF) can block vulnerability exploits.

How do rate limiting and DDoS mitigation help protect APIs?

Rate limiting puts a cap on how often someone can repeat an action within a certain timeframe. If an API client exceeds the number of allowed requests, rate limiting will discard or block further requests from them for a period of time.

DDoS mitigation helps stop DoS and DDoS attacks. In a DDoS attack, an attacker tries to overwhelm an API with a lot of requests in a short amount of time. Often these requests come from multiple different sources.

Rate limiting and DDoS mitigation are crucial for APIs for a couple of reasons:

  1. Stopping DoS and DDoS attacks. By blocking or dropping the extra requests, rate limiting and DDoS mitigation protect the API from becoming overwhelmed. Rate limiting alone may not stop low and slow DDoS attacks, but DDoS mitigation can absorb the extra traffic regardless.
  2. Outside of intentional attacks, some clients may simply use an API too much. This costs the API service in terms of compute power, and it could slow service for other clients. Rate limiting helps prevent the API server from becoming overloaded.

How are vulnerability exploits blocked?

For a vulnerability exploit to work, the malicious API requests must be structured in such a way that it causes the API to respond in a way its architects did not intend. There are several ways that API developers can block such malicious requests. Two of the most important to know are:

  1. Schema validation
  2. WAF rules

Schema validation

An API's schema describes an API's expected behavior: the kind of requests it should get and the kind of responses it should provide. Invalid requests that do not conform to this schema can cause an API to behave in unexpected ways, potentially resulting in a data leak. Schema validation identifies invalid requests and responses. By blocking invalid responses, API developers can avoid some types of attacks and help prevent data leaks.

Web application firewall (WAF) rules

A WAF works like a traditional firewall in that it blocks some network requests and responses and allows others through. It does this based on a set of rules: if a request or a response violates a rule, or conforms to a rule, it is blocked. A WAF is deployed in front of an API or a web application, and it monitors HTTP traffic.

It is possible to set up WAF rules that block request and response patterns that target a vulnerability. WAF rules can also block requests from certain IP addresses, which helps stop bot attacks and other attackers.

Why are authentication and authorization so important for API security?

Authentication ensures that API requests come from a legitimate source. Authorization lets the API server know if the requesting client is authorized to obtain requested data.

Suppose Alice constructs an API and Bob builds a web application that uses Alice's API. When Bob's application sends an API request to Alice's API, he attaches a label that reads "this is from Bob" to the request. This authenticates Bob's request so that Alice's API server knows to treat the request as legitimate.

Alice's API server also checks what privileges Bob has. If Bob's request is for data that Alice's API has labeled "Bob can see this," the server fulfills the request. However, Alice's API may have a section of data labeled "not for Bob," and the server should not fulfill a request for that data when Bob is the requester. This is why authorization is important.

(In reality, Bob would attach a key or some other form of authentication to API requests, not just a label that says "this is from Bob.")

There are several authentication methods for APIs. The most common ones are:

1. API key

The client is assigned a key — a unique string of characters that only they and the API service know. The key is attached to each API request. The API server checks for the key when it receives an API request to make sure it is from an authenticated client.

The downside of this authentication method is that if the key is stolen, an attacker can use it to impersonate a legitimate client and can then carry out a variety of attacks. It is important to encrypt requests and responses to and from an API using an encryption protocol like Transport Layer Security (TLS) — that way, the key is not exposed in plaintext as it crosses the Internet.

2. Username and password

API requests can use typical username and password credentials for authentication via a method called HTTP authentication. In HTTP authentication, a username and password are encoded and added to the HTTP header for all API requests. The server can check these credentials against the credentials of allowed clients to authenticate the requests.

This approach comes with all the challenges normally associated with passwords: passwords can be lost, leaked, stolen, guessed, or shared with untrusted parties. Passwords are also subject to credential stuffing and brute force attacks, among others.

3. OAuth token

Instead of requiring authentication directly from the client, an API server can get an authentication token from a trusted authentication server using the OAuth protocol. To use the API, a user logs in to a third-party service instead of directly logging in to the API. Like the username-and-password approach, this authentication method is vulnerable to credential stuffing and other attacks.

4. Mutual TLS (mTLS)

TLS is the encryption protocol that creates an encrypted, authenticated connection between client and server when loading webpages. TLS can also verify and authenticate both ends of an API connection.

In mutual TLS (mTLS), both client and server have a TLS certificate. They authenticate each other using these certificates, ensuring that both are who they claim to be without needing to rely on passwords or other authentication methods.

However, mTLS can be a challenge to implement: all API endpoints and clients need legitimate TLS certificates, which may be difficult to enforce and maintain.

What is API Shield?

Cloudflare API Gateway enables multiple API security features from one dashboard in order to protect against common API security risks. API Gateway includes:

  • mTLS for API endpoint authentication
  • Schema validation, which uses a positive security model to only allow requests that comply with the API's schema
  • Data loss prevention (DLP), which scans traffic going out from an API to check for sensitive data
  • Rate limiting and DDoS mitigation to ensure APIs are not overloaded

Learn more about API Gateway or API security solutions.