The Design of Web APIs, Second Edition
Free extract from an online version of the Manning book.

12 Designing a secure API

This chapter covers

  • Exposing only the necessary data and operations
  • Ensuring that implemented operations behave according to context
  • Ensuring data integrity
  • Preventing protocol or infrastructure-based data leaks
  • Limiting access with security scopes
  • Erroring securely

A versatile API that does the job and is user-friendly and interoperable is nice, but it’s worth nothing if it’s not secure. As APIs have grown in popularity, the number of API attacks has increased exponentially, making APIs the primary hacking attack vector in 2022. In 2023, 95% of organizations faced API security problems, such as distributed denial of service (DDoS) attacks, lack of authentication, API key leaks, shadow or zombie APIs that no one knows about, sensitive data overexposure, and business logic abuse. API security problems can cause reputational damage, financial losses, disruption to business operations, and data privacy threats.

12.1 Overview of API security

12.1.1 What happens during an API call?

12.1.2 Uncovering design-related API security problems

12.2 When and how to handle security during design

12.2.1 When to consider security during API design

12.2.2 How API design contributes to API security

12.3 Exposing only the necessary data and operations

12.3.1 What are sensitive operations and data?

12.3.2 Challenging sensitive and non-sensitive data and operations

12.3.3 Modifying data to make it less sensitive or non-sensitive

12.3.4 Splitting an operation to separate concerns

12.3.5 Separating sensitive operations in dedicated APIs

12.4 Ensuring that implemented operations behave according to context

12.4.1 Describing who sees or does what

12.4.2 Describing what list or search operations return

12.4.3 Describing how inputs narrow access

12.4.4 Describing all expected implementation checks and behaviors

12.4.5 Narrowing access by design

12.5 Ensuring data integrity