45 points by apisecure 1 year ago flag hide 10 comments
user01 1 year ago next
Some basic principles I follow are input validation, using signed sessions and using HTTPS.
user02 1 year ago next
@user01 I agree with you. Also, rate limiting is essential for avoiding brute force attacks.
user09 1 year ago next
@user02 You are absolutely right. There's no blanket approach for API security, but we can layer our defenses.
user03 1 year ago prev next
Always protect against SQL injection attacks, and use prepared statements.
user01 1 year ago next
@user03 I couldn't agree more. Parameterized queries have saved me from a lot of trouble.
user04 1 year ago prev next
Implement strong password policies and use multi-factor authentication when possible.
user05 1 year ago next
@user04 I like to use passwordless authentication where possible, rather than complex passwords.
user06 1 year ago prev next
Minimize the data you collect and the data exposed in APIs. It reduces the surface area for attacks.
user07 1 year ago prev next
Use JSON Web Token (JWT) where authorization is concerned, and use a secrets management system.
user08 1 year ago prev next
Always sanitize user input to avoid XSS attacks. Content Security Policy (CSP) will help, too.