dot CMS
api
rest api
security

REST API Security: How dotCMS APIs Are Secured

REST API Security: How dotCMS APIs Are Secured
Author image

Mehdi Karimi, Ph. D.

Director of Cyber Security

Share this article on:

What Is API Security?

We’re living in an increasingly connected world. According to Akamai, API calls make up 80% of overall internet traffic. Given that APIs are important as a business driver, then their security shouldn’t be an afterthought.

One of the central tenets of the API economy involves exposing a company’s digital services and assets through APIs in a controlled manner. Since an API exposes an interface to a web application, they operate on two levels. Firstly, they act as a bridge between you and the interface. Secondly, they access both the application and the database. This gives cybercriminals two potential attack surfaces to gain access to your assets.

Therefore, you need to think of API security in two layers: the API and application layers.

  • On the API layer, you need proper authentication, authorization, and access privileges to ensure that only people with the right credentials can use your interface and can only execute the applications that you allow them to access.

  • You need to ensure that your application endpoints (the URLs you’re using to access the API interface) aren’t vulnerable to cyberattacks that could extend beyond the interface on the application layer.

As we mentioned earlier, businesses use APIs to connect services and transfer data. Broken, exposed, or hacked APIs can expose medical, financial, and personal data. However, API security depends on the kind of data that’s being transferred.

For instance, REST APIs use HTTP and support Transport Layer Security (TLS) encryption, a standard encryption that keeps your internet connection secure, and checks that the data shared between the two systems and APIs are encrypted and unmodified. This means that if someone is trying to access your information or expose your details, they won’t be able to.

Why Do APIs Get Attacked?

Before APIs, legacy IT security practitioners secured the whole system and the perimeter using firewalls. Now with the API economy and cloud infrastructure, there is no traditional security perimeter. APIs are the last line of defense making them a juicy target for cybercriminals.

In fact, a report on API security conducted by Salt Security found that 94% of the companies surveyed suffered an API security breach last year, and over 78% of attacks came from seemingly legitimate users, but were actually attackers who had maliciously achieved the proper authentication.

Hackers have long used forged or stolen credentials to exploit applications on the internet. In this respect, APIs provide another avenue to apply the same attacks. However, APIs also open unique attack vectors leveraging identity. A number of these attacks exploit standard bad practices originating in the web app development community.

As developers move into API development, they often bring bad habits from conventional web development. Other attacks result from widespread confusion about how APIs differ from traditional web app development. Many applications publishing APIs require clients to use an API key to access their functionality.

Now that you know the importance of API security and why APIs are such an important attack vector, let’s see how you can secure your APIs. 

How To Secure APIs

Securing an API is as important as developing a robust API. There are a plethora of ways to secure APIs with user Authorization and Authentication. 

Here are some of the key ways: 

  • HTTP Basic Authentication: It is the most basic authentication mechanism for a REST API where a special HTTP header with username and password encoded in base64 is sent as a request to the server for authentication. Let’s demonstrate the whole process with a simple figure

sec1.png

In simple words, authorization is done by sending a piece of info in the HTTP header i.e. “Authorization: Basic YWRtaW46bmltYQ==” along with other information like username and password. 

  • JSON Web Token: JSON Web Token allows multiple parties and servers to securely transmit the information as a JSON object. In this method, the user signs in using email, password, Gmail, or Facebook, and then the authentication server verifies the credentials. After verification, the server issues a JWT signature using either a secret salt or a private key. Once the JWT token is issued, the user’s client uses this token to access the protected resources by passing the JWT in the HTTP authorization header. The server with the protected resources then verifies the authenticity of the request using secret salt/public key. 

Let’s demonstrate the whole process with a figure:

sec2.png
  • SAML: Security Assertion Markup Language (SAML) is based on XML open security standard. A framework is used for authentication and authorization across two different systems usually a Service Provider and Identity Provider. Here, the service provider is the one who provides the SAML mechanism and the Identifier is the one that authenticates the user and sends the authentication response with the user’s access rights for the service to the service provider.

SAML introduces one common identity provider on behalf of all web applications and that makes it easier for both service provider and user to authenticate web services using a common SAML framework. To put this into perspective, take a look at this diagram: 

sec3.png
  • Oauth: Keep in mind that authorization is Access while authentication is identity. OAuth stands for Open Standard for Authorization. It’s a token-based protocol that utilizes an access token, oftentimes a JWT token. OAuth has different versions in which OAuth2 is simpler and much more robust than others. OAuth provides authorization while OAuth2 has an authentication mechanism as well.

Let’s discuss the OAuth security mechanism:

  • Whenever a user logs into the system and submits a request, the system will request authorization from the user.

  • The authorization server (oAuth server) will provide the token to the user which will be used to authenticate in the future.

  • The system will then use this token with the request to acquire the resources requested by the user (REST API).

The following figure best illustrates the whole concept:

sec4.png
  • API Keys:  As the name suggests, authentication is done here by using the specialized API key. This method of authentication is well known today. You will find this mechanism in almost every development stack. You will be wondering why it’s used everywhere, the simple answer would be: “because it’s easy to implement”.The data transit encryption is done under HTTPS.

Every time a user attempts to enter the system, he will be authenticated and verified using an API key. The unique trait is that the API key is used in plain text and then the whole message is encrypted using a secret key and hence the whole transaction is made secure.

API Security Best Practices

Take these security best practices into account every time you’re designing or using APIs.

  • Always Use HTTPS: HTTPS is a secure protocol that generates a random access token every time you enter a website, and a session is created. That way, your session stays private and safe from cybercriminals every time you access a site. If you notice you’re accessing an HTTP site, be careful as it might introduce unwanted vulnerabilities into your system.

  • Use Password Hash: Protecting your passwords and login data using hashing helps you keep your system safe and minimize the damages a hacker might do. Consider different hashing algorithms such as PBKDF2, bcrypt, and scrypt to keep your APIs and login data secure from evil eyes.

  • Never Expose Information On Your URLs: Sometimes, usernames, passwords, session tokens, and API keys may appear in the API call’s URL. This kind of information presents a vulnerability that can be captured in web server logs, which makes them easily exploitable by hackers.

  • Leverage OAuth: OAuth enables you to connect to other services without using a password. Using OAuth for your APIs helps keep them secure because the consumer isn’t giving their credentials to the server. Instead, it gives the API a token provided by a third party, preventing the consumer from disclosing their information while at the same time protecting the API provider from malicious attacks looking to steal API users’ information.

  • Use A Secure CMS: A secure CMS like dotCMS takes care of all these details for you, giving you the peace of mind you need to focus on your business and direct your IT time to higher-value tasks. A CMS helps you control access to your APIs and gives you the tools to rapidly handle your API requests, define endpoints, and manage authentication for REST and GraphQL APIs.

How dotCMS Secures Your APIs

Before giving permissions to your users in dotCMS, you need to authenticate them before they call in any REST API endpoints, and while some content might still be available for unauthenticated users, it is possible to configure dotCMS to limit the access to APIs depending on the content permissions, creating granular API security and limiting access for unauthenticated users. 

In order for dotCMS Permissions to be respected, users and applications should be authenticated in dotCMS before calling any of the REST API endpoints. Some content may still be accessible through the REST API for unauthenticated users (depending on your content permissions), but you can configure dotCMS to limit access or otherwise require greater security for REST API authentication.

dotCMS also supports the following authentication methods. Note that these methods are checked in the order shown below, so if multiple authentication methods are provided (for example if a user is logged into the dotCMS back-end, but also supplied a Basic authentication header), the user used to authenticate the REST API call will be the one with the lowest Order (the one that is listed first) in the following list:

Order

Authentication Method

Persistence

Security Level

1

URL Parameters

Stateless

Insecure

2

DOTAUTH Header

Stateless

With HTTP: Insecure

With HTTPS: Limited

3

Basic Authentication

Stateless

With HTTP: Insecure

With HTTPS: Limited

4

JWT (Token)

Stateless*

Secure

5

Back‑end Login

Session

Secure

6

Front‑end Login

Session

Secure

Read more: REST API Authentication

Ensures Your API Security With dotCMS

dotCMS gives you control over your APIs, enabling you to take part in every step of the process including API design, security, versioning and retiring. Due to its API-first approach, it also gives you the ability to leverage APIs for your content delivery needs.

API security breaches can be scary but you can protect yourself using a CMS like dotCMS. dotCMS provides modern tooling that allows responsible developers and administrators to deliver the most secure content managed sites and content applications available. dotCMS is primarily concerned with security issues that arise from the dotCMS tooling itself, the admin console, and related web services.

Your platform’s security is of the utmost importance to dotCMS, our user community, and our customers. dotCMS strives to ensure the safety and integrity of all dotCMS installations and has processes in place to ensure all security issues are promptly addressed, and customer exposure is minimized.

Leveraging APIs and making use of dotCMS’ API architecture is worth the effort. Knowing how to protect yourself against malicious actors will make a huge difference in your API security. A headless CMS like dotCMS can help you cover your blind spots so you can focus on growth. 

Read more about our security policies and practices here: Security Best Practices in dotCMS.