API Academy

API Security Fundamentals

Before diving into specific protocols like OAuth or JWT, it is essential to understand the foundational principles that govern secure systems. API security does not exist in a vacuum; it relies on the classic pillars of information security, often referred to as the CIA Triad.

The CIA Triad

1. Confidentiality: Ensuring that data is accessed only by authorized parties.
Example: A banking API ensures that User A cannot see User B's account balance.
2. Integrity: Ensuring that data is reliable and accurate, and has not been altered by unauthorized people.
Example: Ensuring that a transfer request of $100 isn't changed to $1,000 in transit.
3. Availability: Ensuring that data and services are available to those who need them when they need them.
Example: Implementing rate limiting to prevent a botnet from crashing your API.

Key Security Principles

1. Principle of Least Privilege

Every module, user, or interface should only have access to the information and resources that are necessary for its legitimate purpose.
API Context: If a mobile app only needs to read a user's profile, the API token issued to it should not have write permissions.

2. Defense in Depth

Security should be layered. Do not rely on a single control (like a firewall) to protect your API.
Layers:
Network: WAF (Web Application Firewall), DDoS protection.
Gateway: Rate limiting, IP whitelisting.
Application: Input validation, proper authentication logic.
Data: Encryption at rest.

3. Zero Trust Architecture

Zero Trust, summarized as "never trust, always verify," rests on the premise that threats may exist both outside and inside the network.
API Context: Just because a request comes from an internal microservice doesn't mean it should be inherently trusted. It must still include a valid authentication token.

4. Security by Design

Security should be integrated into the API design phase, not bolted on right before deployment. In practice this means:
Using secure defaults (e.g., denying access unless explicitly granted).
Validating all inputs against a strict schema (e.g., OpenAPI definitions).
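As an added example (not code from the course or from Apidog), here are the least-privilege and security-by-design principles above in working Python: a deny-by-default route policy that enforces least privilege through token scopes, and a strict schema check that rejects unknown fields and bad values. The routes, scope names and the pet schema are constructed for illustration and only loosely resemble the Pet Store API.

```python
# Added example: deny-by-default authorization plus strict input validation.
# Routes, scope names and the schema below are constructed for illustration.

# Constructed policy: every (method, path) must name the scope it requires.
# Anything not listed is denied, which is the "secure default".
REQUIRED_SCOPE = {
    ("GET", "/pets"): "pets:read",
    ("GET", "/users/me"): "profile:read",
    ("PUT", "/users/me"): "profile:write",
}


def authorize(method, path, token_scopes):
    """True only if the route is known AND the token carries its scope."""
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return False  # unknown route: deny by default
    return needed in set(token_scopes)


# Constructed strict schema: required fields, allowed fields with their
# Python types, and the permitted values for enumerated fields.
PET_SCHEMA = {
    "required": {"name", "status"},
    "properties": {"name": str, "status": str, "tags": list},
    "enum": {"status": {"available", "pending", "sold"}},
}


def validate(body, schema=PET_SCHEMA):
    """Return a list of violations; an empty list means the body is accepted."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []
    for field in sorted(schema["required"] - set(body)):
        errors.append(f"missing required field: {field}")
    for field, value in body.items():
        expected = schema["properties"].get(field)
        if expected is None:
            errors.append(f"unexpected field: {field}")  # unknown fields are rejected
        elif not isinstance(value, expected):
            errors.append(f"{field} must be {expected.__name__}")
        elif field in schema["enum"] and value not in schema["enum"][field]:
            errors.append(f"{field} not in allowed values")
    return errors


if __name__ == "__main__":
    print(authorize("PUT", "/users/me", ["profile:read"]))  # read-only token: False
    print(validate({"name": "Rex", "status": "adopted"}))  # ['status not in allowed values']
```

A read-only token is refused on the write route even though it is otherwise valid, and a request body with an unexpected field is rejected rather than silently accepted.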

Key Takeaways

CIA Triad: Confidentiality, Integrity, and Availability are the goals.
Least Privilege: Give the minimum necessary access.
Zero Trust: Authenticate every request, even internal ones.
Validation: Never trust client input; validate it against your schema.
Next Step: The most common confusion in security is between "Who you are" and "What you can do". Let's clear that up in Authentication vs Authorization.
Modified at 2025-12-29 04:30:23