There's some OK stuff here, but the list on the whole isn't very coherent. If this is a guide specifically for "APIs" that are driven almost entirely from browser Javascript SPA's, it makes sense. Otherwise, a lot of these recommendations are a little weak; for instance, most of the HTTP option headers this list recommends won't be honored by typical HTTP clients.
Further, the list succumbs to the cardinal sin of software security advice: "validate input so you don't have X, Y, and Z vulnerabilities". Simply describing X, Y, and Z vulnerabilities provides the same level of advice for developers (that is to say: not much). What developers really need is advice about how to structure their programs to foreclose on the possibility of having those bugs. For instance: rather than sprinkling authentication checks on every endpoint, have the handlers of all endpoints inherit from a base class that performs the check automatically. Stuff like that.
Finally: don't use JWT. JWT terrifies me, and it terrifies all the crypto engineers I know. As a security standard, it is a series of own-goals foreseeable even 10 years ago based on the history of crypto standard vulnerabilities. Almost every application I've seen that uses JWT would be better off with simple bearer tokens.
JWT might be the one case in all of practical computing where you might be better off rolling your own crypto token standard than adopting the existing standard.
Most web frameworks I'm familiarized with have a concept of middleware, where you can perform any authentication checks before yielding.
Having read a bit into the topic, I'd +1 avoiding JWT. Getting authentication "right" is difficult. I think most applications should default to using stateful authentication. By the time you actually need stateless authentication "to scale", you'll hopefully have enough experts on-board to help you understand the tradeoffs.
Yeah, in my experience a lack of centralized authorization checks is one of the most sinister issues in typical API construction. And I've seen pretty wonky reasons (relatively speaking) for not wanting it ("it would take a lot of refactoring", or "that presents a single point of failure").
If you don't set up centralized auth checks and instead prescribe !!!CONSTANT VIGILANCE!!!, you're just setting yourself up for an auth bug in a hastily submitted pull request at 4 pm on a Friday afternoon, when someone is lethargic and ready to head out for the weekend. The code is going to get committed, then pushed to production after three people write a quick "LGTM!" Three months later a bug bounty is going to come in with a snazzy report for you (hopefully).
The better thing to do is 1) abstract all authorization checks to a central source of authority and 2) require the presence of this inheritance for tests to pass before deployment.
have the handlers of all endpoints inherit from a base class that performs the check automatically
I disagree. Much better to have a single endpoint which does nothing except validate opaque requests and passes them upstream. No good ever comes from having crypto code mixed up with non-crypto code.
Do you have any further info on why you so strongly recommend against JWT? My MO has been to know and understand the standard, what it provides (e.g. signed assertions a la SAML, albeit easier on the eyes) and what it does not (e.g. encrypted body without adding your own JWE), and to use it accordingly.
This is probably the first I've heard from someone I know is more than just some random HN commenter that JWT is not recommended.
>> Finally: don't use JWT. JWT terrifies me, and it terrifies all the crypto engineers I know. As a security standard, it is a series of own-goals foreseeable even 10 years ago based on the history of crypto standard vulnerabilities. Almost every application I've seen that uses JWT would be better off with simple bearer tokens.
This is really surprising to me. I use Play! framework and the whole play framework community suggests to use JWT for authentications as Play! doesn't support sessions out of the box. Is it just JWT itself is bad or how developers use it is bad? Just a noob question.
>JWT might be the one case in all of practical computing where you might be better off rolling your own crypto token standard than adopting the existing standard.
This isn't the first time I heard this claim, but I've also read that vulnerabilities were related to libraries and implementations, not the standard itself. Is it true?
To me, I don't see the benefit of passing meaningful information via JWT, and it might even pose a risk.
>simple bearer tokens
I guess you mean cryptographically secure random byte strings?
no JWT but "simple bearer token" is not a good advice as I have no idea how to implement that. I'd rather use JWT with restricted crypto (make sure "noop" is not allowed).
No amount of checklisting and best practices substitutes for hiring someone smart to break your stuff and tell you how they did it. You can check all the boxes and still get pwned.
You can learn and run automated tools for 6 months and end up knowing 1/3rd of what a great pentester knows.
If you want to know you can resist an attack from an adversary, you need an adversary. If you want to know that you followed best practices so as to achieve CYA when something bad happens, that's a different story.
But honestly the security picture is so depressing. Most people are saved only because they don't have an active or competent adversary. The defender must get 1,000 things right, the attacker only needs you to mess up one thing.
And then, even when the defender gets everything right, a user inside the organization clicks a bad PDF and now your API is taking fully authenticated requests from an attacker. Good luck with that.
> No amount of checklisting and best practices substitutes for hiring someone smart to break your stuff and tell you how they did it.
Which is not to say that it doesn't help.
As a pen tester, I'd much rather they tick all the boxes and save money because now I don't have to report all the low hanging fruit (which is fun the first two times you pwn an application but gets boring quickly -- I'd rather have something interesting to test).
If the main input to the security of your application comes from having a penetration test, you're going to have a bad time.
There's no mystery to what an app. security tester does really, and getting the basics of app. sec right early in the development lifecycle is probably the most important piece of having a good solid app.
Sure get a tester in at the end to poke it and find edge cases and weird security bugs, but for a new app. getting someone in the early phases of development to provide security architecture advice is probably more important.
What are peoples thoughts on using TLS client certificates for authentication?
Given we're talking about APIs, we avoid many of the UX problems, but it feels like taking on a different set of problems than just using a bearer token. It does provide baked in solutions for things like revocation and expiry though.
I'm not that familiar with TLS client certificates so I'm not qualified to say, but if you consider other developers as your users, then the UX problem remains.
Web developers in general are more familiar with other forms of authentication so unless you have a strong reason for picking TLS client certificates I would suggest picking something else.
In other words: I would be more likely to try out an API if it was based on Basic Authentication. ;-)
Client certificates don't work in http2. If you use due diligence and store them in secure hardware then they could be a lot more secure than bearer tokens (cannot be exported) but I guess most people would just store a PKCS#12 file on disk and that'd make them as secure as a bearer token.
On the other hand some companies use them even for browser clients for passwordless authentication.
It's a pain in the arse for everyone involved. Adding another management layer to the stack isn't my idea of maintainability, and I'm inclined to agree with you on your point that it introduces a new set of problems.
TLS client certs are nice if everyone knows what they're doing, but in a lot of orgs that just isn't the case.
> Always try to exchange for code not tokens (don't allow response_type=token).
There is absolutely nothing wrong with the implicit flow if the application (including in-browser ones) is requesting the token for itself (and not for some server or any third party). In case of a standalone app that would be just an extra meaningless step.
There is a slight difference in presence/absence of refresh token, though, but that would make implicit flow more secure (because, if standard-compliant, there won't be any refresh tokens at all), not less.
In case of a browser, the token would end up in the browser's history, but given that a) if browser itself is compromised game is already over, and b) that it's not possible for other parties to access the history (besides some guesswork that doesn't work for tokens), paired with a fact that c) such tokens should be short-lived, it's not a big deal.
> User own resource id should be avoided. Use /me/orders instead of /user/654321/orders
This has absolutely nothing to do with security. TBH, I don't see any issue if /me/ would be a redirect or an alias for /user/654321/. That may make perfect sense if a conceptual purity is desirable ("for each object there is one and only one URL - the canonical one"), with its pros and cons.
> Don't use auto increment id's use UUID instead.
Similarly, that barely has anything to do with security. One just has to understand that sequential IDs are trivially enumerable (and an obvious consequence of this fact - that API consumers would be able to enumerate all the resources or, at the very least, estimate their cardinality).
And as for the security - it should've probably said UUIDv4, because if one accidentally uses e.g. UUIDv1 their IDs would lose the unguessability.
By making the owner's userid implicit, you're foreclosing on the possibility of authorization bugs where an endpoint fails to verify that the current user is authorized to see orders from user 654321.
Basically, avoid literal (insecure direct object) references to resources where possible so you have fewer areas where a server can goof authorization checks. Preempt the possibility of a server expecting any direct reference and structure your API to only load resources from a backend, not the user's input.
This goes hand in hand with abstracting all authorization checks to a single gateway/middleware layer that each call inherits, rather than a spot check per call or a group of checks for different groups of calls.
(This is in addition to what 'lvh and 'tptacek have said already.)
Let's say you are the user 654321. You see that you can access your private page at /user/654321. You then try to access /user/112233: if the developer forgot the authorization controls, or inserted bugs, you can access other users' informations
So I'm developing a simple SAAS with little to no private info and where failure isn't critical.
For initial release I build a page that uses html buttons and basic javascript to GET pages, passes a key as a parameter, and uses web.py on the backend.
It seems like it would be a lot of work to implement the suggestions here. At what point does it make sense?
For example you can sign session IDs or API tokens when you issue them. That way you can check them and refuse requests that present invalid tokens without doing any I/O.
The guy forgets the main thing here: length, type and range checks!
I'm finding issues like API servers hanging/crashing due to overly long or malformed headers all the time when I work on front-end projects.
Programming in a language with automatic range and type checks does not mean that you can forego vigilance even with the most mundane overflow scenarios: lots of stuff is being handled outside of the "safe" realm or by outside libraries.
And API's aren't necessarily REST. But this "checklist" is very clearly geared towards a "standard" set of REST APIs. So what's your point, that there are edge-cases in RESTful design?
[+] [-] tptacek|8 years ago|reply
Further, the list succumbs to the cardinal sin of software security advice: "validate input so you don't have X, Y, and Z vulnerabilities". Simply describing X, Y, and Z vulnerabilities provides the same level of advice for developers (that is to say: not much). What developers really need is advice about how to structure their programs to foreclose on the possibility of having those bugs. For instance: rather than sprinkling authentication checks on every endpoint, have the handlers of all endpoints inherit from a base class that performs the check automatically. Stuff like that.
Finally: don't use JWT. JWT terrifies me, and it terrifies all the crypto engineers I know. As a security standard, it is a series of own-goals foreseeable even 10 years ago based on the history of crypto standard vulnerabilities. Almost every application I've seen that uses JWT would be better off with simple bearer tokens.
JWT might be the one case in all of practical computing where you might be better off rolling your own crypto token standard than adopting the existing standard.
[+] [-] TheAceOfHearts|8 years ago|reply
Having read a bit into the topic, I'd +1 avoiding JWT. Getting authentication "right" is difficult. I think most applications should default to using stateful authentication. By the time you actually need stateless authentication "to scale", you'll hopefully have enough experts on-board to help you understand the tradeoffs.
[+] [-] dsacco|8 years ago|reply
If you don't set up centralized auth checks and instead prescribe !!!CONSTANT VIGILANCE!!!, you're just setting yourself up for an auth bug in a hastily submitted pull request at 4 pm on a Friday afternoon, when someone is lethargic and ready to head out for the weekend. The code is going to get committed, then pushed to production after three people write a quick "LGTM!" Three months later a bug bounty is going to come in with a snazzy report for you (hopefully).
The better thing to do is 1) abstract all authorization checks to a central source of authority and 2) require the presence of this inheritance for tests to pass before deployment.
[+] [-] cperciva|8 years ago|reply
I disagree. Much better to have a single endpoint which does nothing except validate opaque requests and passes them upstream. No good ever comes from having crypto code mixed up with non-crypto code.
[+] [-] andrewstuart2|8 years ago|reply
This is probably the first I've heard from someone I know is more than just some random HN commenter that JWT is not recommended.
[+] [-] antoaravinth|8 years ago|reply
This is really surprising to me. I use Play! framework and the whole play framework community suggests to use JWT for authentications as Play! doesn't support sessions out of the box. Is it just JWT itself is bad or how developers use it is bad? Just a noob question.
[+] [-] daliwali|8 years ago|reply
This isn't the first time I heard this claim, but I've also read that vulnerabilities were related to libraries and implementations, not the standard itself. Is it true?
To me, I don't see the benefit of passing meaningful information via JWT, and it might even pose a risk.
>simple bearer tokens
I guess you mean cryptographically secure random byte strings?
[+] [-] kalmar|8 years ago|reply
[+] [-] zimbatm|8 years ago|reply
[+] [-] Kiro|8 years ago|reply
Why not? If it's an API meant to be consumed by a server I don't see what the problem is.
[+] [-] ams6110|8 years ago|reply
[+] [-] tiffanyh|8 years ago|reply
It's a SO article on security for web transactions.
[1] https://stackoverflow.com/questions/549/the-definitive-guide...
[+] [-] moxious|8 years ago|reply
You can learn and run automated tools for 6 months and end up knowing 1/3rd of what a great pentester knows.
If you want to know you can resist an attack from an adversary, you need an adversary. If you want to know that you followed best practices so as to achieve CYA when something bad happens, that's a different story.
But honestly the security picture is so depressing. Most people are saved only because they don't have an active or competent adversary. The defender must get 1,000 things right, the attacker only needs you to mess up one thing.
And then, even when the defender gets everything right, a user inside the organization clicks a bad PDF and now your API is taking fully authenticated requests from an attacker. Good luck with that.
Security, what a situation.
[+] [-] lucb1e|8 years ago|reply
Which is not to say that it doesn't help.
As a pen tester, I'd much rather they tick all the boxes and save money because now I don't have to report all the low hanging fruit (which is fun the first two times you pwn an application but gets boring quickly -- I'd rather have something interesting to test).
[+] [-] raesene9|8 years ago|reply
There's no mystery to what an app. security tester does really, and getting the basics of app. sec right early in the development lifecycle is probably the most important piece of having a good solid app.
Sure get a tester in at the end to poke it and find edge cases and weird security bugs, but for a new app. getting someone in the early phases of development to provide security architecture advice is probably more important.
[+] [-] bodhi|8 years ago|reply
Given we're talking about APIs, we avoid many of the UX problems, but it feels like taking on a different set of problems than just using a bearer token. It does provide baked in solutions for things like revocation and expiry though.
[+] [-] tofflos|8 years ago|reply
Web developers in general are more familiar with other forms of authentication so unless you have a strong reason for picking TLS client certificates I would suggest picking something else.
In other words: I would be more likely to try out an API if it was based on Basic Authentication. ;-)
[+] [-] fanf2|8 years ago|reply
[+] [-] hdhzy|8 years ago|reply
On the other hand some companies use them even for browser clients for passwordless authentication.
[+] [-] Mandatum|8 years ago|reply
TLS client certs are nice if everyone knows what they're doing, but in a lot of orgs that just isn't the case.
[+] [-] drdaeman|8 years ago|reply
There is absolutely nothing wrong with the implicit flow if the application (including in-browser ones) is requesting the token for itself (and not for some server or any third party). In case of a standalone app that would be just an extra meaningless step.
There is a slight difference in presence/absence of refresh token, though, but that would make implicit flow more secure (because, if standard-compliant, there won't be any refresh tokens at all), not less.
In case of a browser, the token would end up in the browser's history, but given that a) if browser itself is compromised game is already over, and b) that it's not possible for other parties to access the history (besides some guesswork that doesn't work for tokens), paired with a fact that c) such tokens should be short-lived, it's not a big deal.
> User own resource id should be avoided. Use /me/orders instead of /user/654321/orders
This has absolutely nothing to do with security. TBH, I don't see any issue if /me/ would be a redirect or an alias for /user/654321/. That may make perfect sense if a conceptual purity is desirable ("for each object there is one and only one URL - the canonical one"), with its pros and cons.
> Don't use auto increment id's use UUID instead.
Similarly, that barely has anything to do with security. One just has to understand that sequential IDs are trivially enumerable (and an obvious consequence of this fact - that API consumers would be able to enumerate all the resources or, at the very least, estimate their cardinality).
And as for the security - it should've probably said UUIDv4, because if one accidentally uses e.g. UUIDv1 their IDs would lose the unguessability.
[+] [-] philip1209|8 years ago|reply
Can somebody explain this?
[+] [-] tptacek|8 years ago|reply
[+] [-] dsacco|8 years ago|reply
This goes hand in hand with abstracting all authorization checks to a single gateway/middleware layer that each call inherits, rather than a spot check per call or a group of checks for different groups of calls.
(This is in addition to what 'lvh and 'tptacek have said already.)
[+] [-] ben_jones|8 years ago|reply
[+] [-] riquito|8 years ago|reply
[+] [-] s_m_t|8 years ago|reply
[+] [-] ikeboy|8 years ago|reply
For initial release I build a page that uses html buttons and basic javascript to GET pages, passes a key as a parameter, and uses web.py on the backend.
It seems like it would be a lot of work to implement the suggestions here. At what point does it make sense?
[+] [-] EGreg|8 years ago|reply
For example you can sign session IDs or API tokens when you issue them. That way you can check them and refuse requests that present invalid tokens without doing any I/O.
[+] [-] PetahNZ|8 years ago|reply
[+] [-] baybal2|8 years ago|reply
I'm finding issues like API servers hanging/crashing due to overly long or malformed headers all the time when I work on front-end projects.
Programming in a language with automatic range and type checks does not mean that you can forego vigilance even with the most mundane overflow scenarios: lots of stuff is being handled outside of the "safe" realm or by outside libraries.
[+] [-] ViktorasM|8 years ago|reply
[+] [-] Mandatum|8 years ago|reply
[+] [-] kpcyrd|8 years ago|reply
https://github.com/shieldfy/API-Security-Checklist/pull/5