REST Security General recommendations
Our most basic security guidelines:
- follow OWASP guidelines
- top 10 vulnerabilities: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
- REST Security Cheat Sheet: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
- validate & encode all inputs AND outputs correctly. You MUST NEVER trust what you receive (whether from the client or
- exclude all security sensitive headers (e.g., disclosing server/libraries versions, etc)
- reject all bad input from the client side (4xx codes)
- this should help protect against injection attacks
- log all suspicious activities (useful for forensics)
- have monitoring in place to detect abnormal usage of your API
- throttle API usage (see rate limiting section) to try and mitigate Denial of Service (DoS) attacks and block malicious users
This project is distributed under the terms of the EUPL FOSS license
REST Resources Design Workflow
REST Resources Single items and collections
REST Resources Many to many Relations
REST Resources Relations expansion
HTTP Status Codes Success (2xx)
HTTP Status Codes Redirection (3xx)
HTTP Status Codes Client Error (4xx)
HTTP Status Codes Server Error (5xx)
Pagination Out of range/bounds
Long-running Operations Example
Concurrency vs Delete operation
Caching and conditional requests About
Caching and conditional requests Rules
Caching and conditional requests HTTP headers
Error handling Example with a single error
Error handling Example with multiple errors
Error handling Example with parameters
Error handling Example with additional metadata
Bulk operations HTTP status codes
Bulk operations Resources naming convention
Bulk operations Creation example
Bulk operations Update example
Bulk operations Create and update example
File upload Simple file upload
File upload Simple file upload example
File upload Complex file upload
File upload Complex file upload example
REST Security General recommendations
REST Security Insecure direct object references