March 25, 2020


Building a security layer around your RESTful APIs

Services can expose sensitive data. However, we often "secure" these services using an API key or security through obscurity. James Wallace explains what you need to secure and how to secure it, and shares solutions that can be implemented for both server- and client-side requests, so no matter what your services expose, you'll understand how to build secure distributed architectures.

Talk Title: Building a security layer around your RESTful APIs
Speakers: James Wallace (EBSCO LearningExpress)
Conference: O’Reilly Software Architecture Conference
Conference Tag: Engineering the Future of Software
Location: New York, New York
Date: February 24-26, 2020
URL: Talk Page
Slides: Talk Slides
Video:

Modern architectures are distributed and built on a layer of services. They expose data that’s very valuable to its owner and to potential bad actors. The services can expose sensitive transactional data. However, we often “secure” these services using an API key or security through obscurity. Scary as that may sound, there are solutions that can secure these services. When designing a security solution, you must ask four key questions; a successful solution answers yes to all four.

Many clients request services through JavaScript code in a browser. JavaScript is by definition exposed to the browser, so anyone can read, copy, and execute the code. The security discussed here therefore cannot expose its algorithm or its secrets in that code.

Many organizations use API keys to secure their services. This isn’t security; it’s no more secure than a padlock with a key that can be copied and distributed. There are several other solutions to the problem, including time-based one-time passwords (TOTPs) and JSON web tokens (JWTs) backed by a signature service.

James Wallace digs into the what and how of securing RESTful API requests. You’ll learn the four things that must be secure and explore several solutions to this security problem.
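The contrast the talk draws, a static API key that anyone who copies it can replay forever versus a proof of possession of a secret that never travels on the wire, is easier to see in code. The following is an added example written for this page, not the speaker's code or slides: a server-side verifier for HMAC-signed requests (the signature covers method, path, timestamp, a nonce and a hash of the body, so a copied request can neither be replayed nor altered), alongside an RFC 6238 TOTP generator of the kind a client could use as a short-lived credential. The API key, signing secret, paths and timestamps are constructed demo values; the secret must live only on the server and on a trusted client, never in browser JavaScript.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secrets for this example. A real deployment issues one
# signing secret per client and keeps it out of any code served to browsers.
API_KEY = "demo-api-key-0001"
SIGNING_SECRET = b"demo-signing-secret-0001"
CLOCK_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 minutes off


def check_api_key(presented: str) -> bool:
    """The 'padlock with a copyable key': a static string compared on every call.
    Constant-time comparison avoids a timing side channel, but anyone who has
    seen the key once can present it indefinitely."""
    return hmac.compare_digest(presented.encode(), API_KEY.encode())


def canonical_string(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Fixed serialization of everything the signature must protect."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, timestamp: int, nonce: str, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical string, sent as a header value.
    The secret itself never leaves the client."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class SignatureVerifier:
    """Server side: recompute the signature and enforce freshness and single use."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now  # injectable clock so the behaviour is testable offline
        self._seen_nonces = {}  # nonce -> expiry time; bounded by the skew window

    def verify(self, method: str, path: str, timestamp: int, nonce: str, body: bytes, signature: str) -> bool:
        now = int(self._now())
        # Drop nonces that are older than the window; a request that old fails
        # the timestamp check anyway, so it no longer needs to be remembered.
        for seen, expiry in list(self._seen_nonces.items()):
            if expiry <= now:
                del self._seen_nonces[seen]
        if abs(now - int(timestamp)) > CLOCK_SKEW_SECONDS:
            return False  # stale or far-future timestamp: likely a replay
        if nonce in self._seen_nonces:
            return False  # exact replay inside the window
        expected = sign_request(self._secret, method, path, timestamp, nonce, body)
        if not hmac.compare_digest(expected, signature):
            return False  # tampered request or wrong secret
        self._seen_nonces[nonce] = now + CLOCK_SKEW_SECONDS
        return True


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the time-step counter, dynamic truncation).
    The code changes every `step` seconds, so a captured value is useless
    shortly after it is seen; the shared secret is never transmitted."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    fixed_now = 1_600_000_000
    verifier = SignatureVerifier(SIGNING_SECRET, now=lambda: fixed_now)
    body = b'{"order_id": 42}'
    sig = sign_request(SIGNING_SECRET, "POST", "/v1/orders", fixed_now, "nonce-1", body)
    print("first delivery:", verifier.verify("POST", "/v1/orders", fixed_now, "nonce-1", body, sig))
    print("replayed:      ", verifier.verify("POST", "/v1/orders", fixed_now, "nonce-1", body, sig))
    print("TOTP at T=59 with RFC test secret:", totp(b"12345678901234567890", 59))
```

The verifier also rejects a request whose body or path was changed after signing, because the recomputed HMAC no longer matches, which is exactly the property a bare API key lacks. The TOTP function reproduces the RFC 6238 reference vectors for the SHA-1 test secret, so it can be checked against a standard authenticator before being trusted.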
