3 Topics to Secure Your API Endpoint & Data Transmission
In this age of IT interoperability and interconnection, exposing our internal resources to a third party or a whitelisted entity is a common situation. It is efficient to access and combine multiple sources of information from different premises for meaningful data mining or analytics, or even as part of end-user systems and applications.
For instance, we can share a list of countries and cities from one data source so that everyone uses the same list and avoids rewriting it. When an item in the list is updated, every entity referring to it gets the same update; there is no need to manually remove or add the list's items.
One of the most common ways to share resources is to create an API endpoint. Some use the JSON data format; others still use ISO 8583 or even XML-formatted messages.
People love using APIs because they are easy to build and seamlessly accessible from any type of system. Their use has grown from resource sharing to the frontend-backend split of web and mobile development. In mobile application development it has become crucial to fetch and validate everything from the backend endpoint: login, home announcements, the user profile and other related resources depend heavily on the backend API.
While developing, we as engineers easily forget that our resources will be publicly available. Without realizing it, once we expose our domain to the internet it becomes accessible to anyone who knows the exact endpoint.
That is why it is very important to secure our transmission. With security embedded in our endpoint we can make sure our resource is accessible only to those we have specifically given access to. And when something goes wrong with that access, we can easily revoke the old access and create new credentials.
This article won't go deep into each topic; it is written in a bullet-point style so it can be digested more easily. It is like a roadmap, and you are free to refer to any source if you want to explore deeper.
I will try to break it down into multiple posts so we can deep dive into each of them.
DATA TRANSMISSION SECURITY
This is the basic foundation for diving deeper into data security. The topic is important, but I believe only a few recognize it and are willing to implement it. Get to know it to secure your API endpoint and any other transmission. It is also starting to be implemented for the SNAP BI standardization, so this is a good time to learn this basic topic if you are going to work on anything related to payment systems, especially in Indonesia.
1. ENCRYPTION & HASHING
- What is encryption?
- What is hashing?
- What is the difference between Encryption and Hashing?
- What encryption algorithms are available and considered best practice for a REST API?
- What hashing algorithms are available and considered best practice for a REST API?
- What is the difference between AES and RSA?
- How do I encrypt using AES?
- How do I decrypt using AES?
- How do I encrypt using RSA?
- How do I decrypt using RSA?
- Under what conditions should I use a hash?
- Under what conditions should I use encryption?
- How do AES and RSA compare in performance when processing a high frequency of transactions?
When you reach the end, you will know when to use encryption or a hash in a given situation. This is essential before we move on to the next best practice for securing transmissions.
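To make the AES, RSA and hashing questions above concrete, here is an added example (my own code, not from the original article) in Go using only the standard library: AES-256-GCM encryption and decryption, RSA-OAEP wrapping of the AES key, a plain SHA-256 hash, and an HMAC request signature that only a holder of the shared secret can produce. The AES key, the shared secret and the JSON body are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// EncryptAESGCM seals plaintext under a 32-byte (AES-256) key. A fresh random
// 12-byte nonce is drawn per message and prepended to the output; GCM also adds
// an authentication tag, so any change to the output is detected on decryption.
func EncryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // output is nonce||ct||tag
}

// DecryptAESGCM reverses EncryptAESGCM; it fails on a wrong key or tampering.
func DecryptAESGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptRSAOAEP encrypts a short message (at most 190 bytes for a 2048-bit key
// with SHA-256) to a public key. In practice it wraps an AES key, not the payload:
// RSA is far slower than AES and cannot take long messages.
func EncryptRSAOAEP(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptRSAOAEP recovers the message with the matching private key.
func DecryptRSAOAEP(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// HashSHA256 is one-way: good for integrity checks and fingerprints, but the
// original bytes cannot be recovered from the digest.
func HashSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignHMAC is a keyed digest: unlike a plain hash, only a holder of the key can
// produce it, which is what a request signature on an API endpoint needs.
func SignHMAC(key, msg []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyHMAC recomputes the digest and compares it in constant time.
func VerifyHMAC(key, msg []byte, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return hmac.Equal(mac.Sum(nil), sig)
}

func main() {
	aesKey := make([]byte, 32) // constructed demo key; real code loads it from a secret store
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		panic(err)
	}
	body := []byte(`{"account":"123","amount":1000}`) // constructed sample payload
	ct, _ := EncryptAESGCM(aesKey, body)
	pt, _ := DecryptAESGCM(aesKey, ct)
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	wrapped, _ := EncryptRSAOAEP(&priv.PublicKey, aesKey) // hybrid: RSA carries the AES key
	unwrapped, _ := DecryptRSAOAEP(priv, wrapped)
	secret := []byte("shared-api-secret") // constructed
	fmt.Printf("AES-GCM round trip: %s\n", pt)
	fmt.Println("RSA-OAEP unwrapped key matches:", hmac.Equal(unwrapped, aesKey))
	fmt.Println("SHA-256:", HashSHA256(body), "HMAC valid:", VerifyHMAC(secret, body, SignHMAC(secret, body)))
}
```

The split between the RSA and AES functions is the usual answer to the performance question: RSA is used once to carry the AES key, AES does the bulk work. The hash and HMAC pair answers "when to hash": a plain hash gives integrity and fingerprints, a keyed HMAC proves the sender held the shared secret, and neither can be reversed to recover the data, which is exactly the case where encryption is needed instead.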
2. JWT (JSON Web Token)
This security mechanism is one alternative for securing your transmission. It must be implemented on both sides, the requestor and the host. It is easy to use and open-source in terms of its usage license.
- What is JWT?
- What are the benefits of using JWT?
- When do I need to use it?
- How do I use it (in my current programming language and framework)?
- How does this mechanism make our transmission secure?
- What are the disadvantages of using JWT? (based on your own opinion after implementing it)
- What are the limitations of implementing JWT?
JWT has its own consortium; it is easily implemented in multiple programming languages and frameworks, and every best practice is available on their home site.
JWT only secures the transmission; it does not by itself manage access control to the resource. To make your API more secure you need to define which consumer can access which specific resource, so that access can be monitored and managed later.
3. OPEN AUTHORIZATION (OAuth)
This is where you will learn how to create access control, limit access with an expiration date-time, and refresh access (revoke and reinstate it). Learn these topics to explore OAuth further:
- What is OAuth?
- Why should I use OAuth?
- When do I need to use OAuth?
- What kinds of OAuth are available?
- Which kind of OAuth is best practice for my current project?
- What is the difference between OAuth 1.0 and OAuth 2.0?
- How can I create my own OAuth endpoint?
- How can I implement OAuth in my current project?
- What are the limitations or disadvantages of using OAuth?
- How does the token expiration mechanism work?
- How does user/object-level access control work?
- How does the token refresh mechanism work? (revoke and regenerate a new token)
When you are done with OAuth, you will understand why securing your API endpoint is crucially important, and also why people sometimes refuse to implement it.
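As an added example that is not part of the original post, a simplified in-memory token store in Go showing the three mechanisms the questions above ask about: scope-based access control per resource, expiry of both access and refresh tokens, and refresh with rotation plus explicit revocation. It models the checks an authorization server and resource endpoint make on opaque bearer tokens, not a full OAuth 2.0 authorization-code flow; the client id, scope names and lifetimes are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var ErrInvalidToken = errors.New("invalid or revoked token")
var ErrExpired = errors.New("access token expired")
var ErrInsufficientScope = errors.New("insufficient scope")

// Token is one access/refresh pair issued to a client for a set of scopes;
// the access token is short-lived, the refresh token lives longer.
type Token struct {
	Access, Refresh, ClientID   string
	Scopes                      map[string]bool
	ExpiresAt, RefreshExpiresAt time.Time
}

// TokenStore is a single-goroutine, in-memory stand-in for the authorization
// server's database (a real one persists entries and stores only token hashes).
type TokenStore struct {
	byAccess, byRefresh   map[string]*Token
	accessTTL, refreshTTL time.Duration
}

func NewTokenStore(accessTTL, refreshTTL time.Duration) *TokenStore {
	return &TokenStore{map[string]*Token{}, map[string]*Token{}, accessTTL, refreshTTL}
}

// randomToken returns 256 bits from the CSPRNG as hex: opaque and unguessable.
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue creates a token pair for clientID limited to the requested scopes.
func (s *TokenStore) Issue(clientID string, scopes []string, now time.Time) *Token {
	t := &Token{Access: randomToken(), Refresh: randomToken(), ClientID: clientID,
		Scopes: map[string]bool{}, ExpiresAt: now.Add(s.accessTTL),
		RefreshExpiresAt: now.Add(s.refreshTTL)}
	for _, sc := range scopes {
		t.Scopes[sc] = true
	}
	s.byAccess[t.Access] = t
	s.byRefresh[t.Refresh] = t
	return t
}

// Authorize is what a resource endpoint calls on every request: the bearer
// token must exist (not revoked), be unexpired, and carry the required scope.
func (s *TokenStore) Authorize(access, requiredScope string, now time.Time) error {
	t, ok := s.byAccess[access]
	switch {
	case !ok:
		return ErrInvalidToken
	case !now.Before(t.ExpiresAt):
		return ErrExpired
	case !t.Scopes[requiredScope]:
		return ErrInsufficientScope
	}
	return nil
}

// Refresh exchanges a live refresh token for a new pair. The presented pair is
// revoked first (refresh token rotation), so a replayed refresh token fails.
func (s *TokenStore) Refresh(refresh string, now time.Time) (*Token, error) {
	old, ok := s.byRefresh[refresh]
	if ok {
		s.Revoke(old.Access)
	}
	if !ok || !now.Before(old.RefreshExpiresAt) {
		return nil, ErrInvalidToken
	}
	scopes := make([]string, 0, len(old.Scopes))
	for sc := range old.Scopes {
		scopes = append(scopes, sc)
	}
	return s.Issue(old.ClientID, scopes, now), nil
}

// Revoke invalidates a pair immediately, e.g. when a client's credentials leak.
func (s *TokenStore) Revoke(access string) {
	if t, ok := s.byAccess[access]; ok {
		delete(s.byAccess, t.Access)
		delete(s.byRefresh, t.Refresh)
	}
}

func main() {
	store := NewTokenStore(15*time.Minute, 24*time.Hour)
	now := time.Now()
	tok := store.Issue("mobile-app", []string{"profile:read"}, now) // constructed client and scope
	fmt.Println("read:", store.Authorize(tok.Access, "profile:read", now), "| write:", store.Authorize(tok.Access, "profile:write", now))
	fmt.Println("read after 1h:", store.Authorize(tok.Access, "profile:read", now.Add(time.Hour)))
	fresh, err := store.Refresh(tok.Refresh, now.Add(time.Hour))
	fmt.Println("refresh:", err, "| fresh read ok:", fresh != nil && store.Authorize(fresh.Access, "profile:read", now.Add(time.Hour)) == nil)
}
```

The scope check is the "which consumer may access which resource" control the JWT section said was missing; the short access lifetime limits the damage of a leaked token, and rotation on refresh means a stolen refresh token is detected the moment either party tries to reuse it.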
I hope these thought-provoking questions motivate you to explore and clear your path toward more awareness of transmission security. I will try to create a deep-dive section for each topic later if necessary. I hope you like this kind of article.