Preface

Front-end/back-end separation has become a big wave. It used to be only app clients that thought about this; now even the web is moving to separated front and back ends. That forces us to talk about API design and security: if these problems are not solved, they pose a serious threat to server security and performance. Below I share some of my own experience.

When designing an API, there are two main aspects to consider:

  • Prevent the API from being called maliciously
  • Data encryption in API communication

Interface security is designed mainly around three elements, token, timestamp and sign, to ensure that interface data cannot be tampered with or replayed. The details are as follows:

Token authorization mechanism:

After the user logs in with a username and password, the server returns a Token (usually a UUID) to the client and stores the token-userID pair as a key-value entry in the cache server. On receiving a request, the server looks up the Token; if it does not exist, the request is invalid. The Token is the client's credential for accessing the server.

Timestamp timeout mechanism:

Each request carries the current timestamp. The server compares the received timestamp with its own clock; if the difference exceeds a fixed window (for example, 5 minutes), the request is considered invalid. The timestamp timeout mechanism is an effective means of defending against DoS attacks.

Signature mechanism:

The request data, run through the agreed encryption (digest) algorithm, yields the signature of the request. On receiving the request, the server recomputes the signature with the same algorithm and compares it with the one sent. If they differ, the parameters were changed, and the server returns an error code directly. The signature mechanism ensures that data cannot be tampered with.
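As an added example (not code from the original post), here is how the three mechanisms above fit together on the server side, written in Go. The token cache and the per-user signing secrets are constructed in-memory maps standing in for the cache server, HMAC-SHA256 is this example's choice of signing algorithm, and the canonical string format (sorted key=value pairs) is an assumption; the post does not prescribe any of these.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Request models the fields every API call carries under this scheme.
type Request struct {
	Token     string            // session token issued at login
	Timestamp int64             // client Unix time, in seconds
	Sign      string            // hex HMAC-SHA256 over the canonical string
	Params    map[string]string // business parameters
}

// Verifier is the server side. TokenCache and Secrets are constructed
// in-memory stand-ins for the cache server (token -> userID, userID -> secret).
type Verifier struct {
	TokenCache map[string]string
	Secrets    map[string]string
	MaxSkew    time.Duration
}

var (
	ErrNoToken = errors.New("token not found or expired")
	ErrStale   = errors.New("timestamp outside the allowed window")
	ErrBadSign = errors.New("signature mismatch: parameters tampered")
)

// Canonical builds the string both sides sign: token, timestamp, then every
// business parameter sorted by key, joined as key=value&key=value. Sorting
// makes the signature independent of the order the client sent the fields.
func Canonical(token string, ts int64, params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := []string{"token=" + token, "timestamp=" + strconv.FormatInt(ts, 10)}
	for _, k := range keys {
		parts = append(parts, k+"="+params[k])
	}
	return strings.Join(parts, "&")
}

// Sign computes HMAC-SHA256 of the canonical string under the user's secret.
// Without the secret, someone who captures a request cannot forge a new one.
func Sign(token string, ts int64, params map[string]string, secret string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(Canonical(token, ts, params)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify applies the three checks in order: token, timestamp window, signature.
func (v *Verifier) Verify(r Request, now time.Time) error {
	userID, ok := v.TokenCache[r.Token]
	if !ok {
		return ErrNoToken
	}
	skew := now.Sub(time.Unix(r.Timestamp, 0))
	if skew > v.MaxSkew || skew < -v.MaxSkew {
		return ErrStale
	}
	expected := Sign(r.Token, r.Timestamp, r.Params, v.Secrets[userID])
	if !hmac.Equal([]byte(expected), []byte(r.Sign)) { // constant-time compare
		return ErrBadSign
	}
	return nil
}

// NewDemoVerifier returns a verifier pre-loaded with one constructed session.
func NewDemoVerifier() *Verifier {
	return &Verifier{
		TokenCache: map[string]string{"tok-123e4567": "user-42"},
		Secrets:    map[string]string{"user-42": "per-user-secret-issued-at-login"},
		MaxSkew:    5 * time.Minute,
	}
}

func main() {
	v := NewDemoVerifier()
	now := time.Now()
	req := Request{Token: "tok-123e4567", Timestamp: now.Unix(),
		Params: map[string]string{"amount": "100", "to": "alice"}}
	req.Sign = Sign(req.Token, req.Timestamp, req.Params, v.Secrets["user-42"])
	fmt.Println("valid request:", v.Verify(req, now))
	req.Params["amount"] = "9999" // tamper after signing
	fmt.Println("tampered request:", v.Verify(req, now))
}
```

The canonical string covers the token and timestamp as well as the business parameters, so a captured signature cannot be spliced onto a different timestamp. Note what the 5-minute window does not do: a request captured inside the window still verifies, so a server that must reject replays outright also remembers each seen signature (or a client nonce) until its timestamp expires.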

So, is your API still running naked?

What are the security issues with APIs? (HTTP interfaces; MVVM applications with separated front and back ends)

  1. Data is stolen by packet capture
  2. Data is intercepted and tampered with
  3. Data is crawled and leaked

Data encryption

  1. Symmetric encryption: DES or AES
  2. Asymmetric encryption: RSA

Is that safe enough? What else is there to do?

Encryption secures the uplink data, but what if a hacker simply captures the ciphertext and resubmits it as-is?

Interface signature

Interface signature: is that enough? What else do we need to do?

Interface signatures that rely only on the ordered combination of the parameters are not secure enough.

Authentication: Token

Token authorization mechanism: after a user logs in with a username and password, the server returns a Token to the client and caches the Token on the server side. On receiving a request, the server verifies the Token; if it does not exist, the request is invalid.

Authentication encapsulation: cookies implicitly carry the token

  1. A TokenFilter performs the check uniformly for all requests
  2. On successful login, the server seeds the token directly into a cookie
  3. When the client makes a request, it sends the encrypted token string to the server
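Added example in Go (not code from the original post) of the three steps above: a login handler that seeds the token into an HttpOnly, Secure cookie, and a TokenFilter middleware that gates every protected handler by looking the cookie's token up in the store. The in-memory TokenStore, the demo user table and the HTTP basic-auth login are constructed stand-ins for whatever the real application uses.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"log"
	"net/http"
	"sync"
)

const tokenCookie = "token"
type userKey struct{} // context key under which TokenFilter stores the userID

// TokenStore is a constructed in-memory stand-in for the cache server (token -> userID).
type TokenStore struct {
	mu sync.Mutex
	m  map[string]string
}

func NewTokenStore() *TokenStore { return &TokenStore{m: map[string]string{}} }

// Issue creates a random 128-bit token and records which user it belongs to.
func (s *TokenStore) Issue(userID string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	s.m[tok] = userID
	s.mu.Unlock()
	return tok
}

// Lookup returns the userID bound to a token, if the token exists.
func (s *TokenStore) Lookup(tok string) (string, bool) {
	s.mu.Lock()
	uid, ok := s.m[tok]
	s.mu.Unlock()
	return uid, ok
}

// demoUsers is a constructed credential table; a real server stores password hashes.
var demoUsers = map[string]string{"alice": "correct horse battery staple"}

func checkPassword(user, pass string) bool {
	want, ok := demoUsers[user]
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(pass)) == 1
}

// LoginHandler checks the credentials and, on success, seeds the token into a
// cookie so the browser carries it implicitly on every later request.
func LoginHandler(store *TokenStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !checkPassword(user, pass) {
			http.Error(w, "bad credentials", http.StatusUnauthorized)
			return
		}
		http.SetCookie(w, &http.Cookie{
			Name:     tokenCookie,
			Value:    store.Issue(user),
			Path:     "/",
			HttpOnly: true,                    // page scripts cannot read it
			Secure:   true,                    // sent over HTTPS only
			SameSite: http.SameSiteStrictMode, // not attached to cross-site requests
		})
		w.WriteHeader(http.StatusOK)
	}
}

// TokenFilter is the unified check every protected handler sits behind:
// no valid token in the cookie, no access.
func TokenFilter(store *TokenStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(tokenCookie)
		if err != nil {
			http.Error(w, "missing token", http.StatusUnauthorized)
			return
		}
		uid, ok := store.Lookup(c.Value)
		if !ok {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, uid)))
	})
}

func main() {
	store := NewTokenStore()
	http.Handle("/login", LoginHandler(store))
	http.Handle("/api/profile", TokenFilter(store, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello", r.Context().Value(userKey{}))
	})))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil)) // plain HTTP for the local demo only
}
```

Once the cookie is set, the browser attaches it to every same-site request, which is what the post means by the client carrying the token implicitly. Because the browser sends it without being asked, the cookie flags matter: HttpOnly keeps page scripts away from the token and SameSite=Strict keeps it off requests initiated by other sites.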

Conclusion

Security is an eternal topic, and with the major websites pushing HTTPS, it is getting more and more attention. Signature design you must have; HTTPS I hope you have too.

Everyone is welcome to discuss. If you like the article, remember to give it a like. Thanks for your support!