REST API Design Best Practices and Security Concerns

REST
...the goodandthe badparts
Jakub Kubrynski
jk@devskiller.com / @jkubrynski 1 / 42

"The Code is more what you'd call guidelines than actual rules. Welcome
aboard the Black Pearl, Miss Turner"
-- Cpt. Hector Barbossa to Elizabeth Swann
RT Ben Hale

Formal REST constraints
Client-Server
Stateless
Cache
Interface / Uniform Contract
Layered System

Richardson maturity model
http://martinfowler.com/articles/richardsonMaturityModel.html

POST vs PUT

POST vs PUT
POST creates new resources

POST vs PUT
POST creates new resources
PUT updates existing resources
PUT can create resource if ID is already known

REST without PUTs
for everyone who hates CRUD

REST without PUTs
for everyone who hates CRUD
all changes driven by events
POST to /domainEvents

Maybe PATCH?
partial update concept
no "out of the box" support

Caching
be aware - especially IE caches aggressively
better disable caching

Cache headers
cache-control: public, max-age=0, no-cache
public / private
no-cache
no-store
max-age
s-maxage

ETag
If-None-Match header set to entity uuid
if matches then "304 Not Modified"
uuid can be smart - entity id and version
"User:34652:15"

Compression
reduces response size dramatically
10 times smaller response is nothing special
usually really easy to enable

HATEOAS

HATEOAS
self-descriptive

HATEOAS
self-descriptive
client understands hypermedia
{
"name":"Alice",
"email":"alice_at_inchains.org"
"links":[
{"rel":"self","href":"/customers/1213"},
{"rel":"currentOrder","href":"/orders/14312"},
{"rel":"loyaltyAccount","href":"/accounts/11234"}
]
}
HTTP/1.1201Created
Location:http://api.myshop.com/orders/1234

@DanaDanger HTTP codes classification
20x: cool
30x: ask that dude over there
40x: you fucked up
50x: we fucked up

Exceptions
hide sensitive information

Exceptions
hide sensitive information
but include detailed information
{
"status":400,
"code":40483,
"message":"Incorrectbodysignature",
"moreInfo":"http://www.mycompany.com/errors/40483"
}

API Versioning
don't even think about
api.domain.com/v2/orders
URIs to the same resources should be fixed
between versions

API Versioning
don't even think about
api.domain.com/v2/orders
URIs to the same resources should be fixed
between versions
use Content-Type
1 version: application/vnd.domain+json
2 version: application/vnd.domain.v2+json

Filtering and sorting
GET /reviews?rating=5
GET /reviews?rating=5&sortAsc=author

Dynamic queries are easier in POST body

Dynamic queries are easier in POST body
POST /reviews/searches
GET /reviews/searches/23?page=2

Documentation
runnable with examples
Swagger

Stateless or not?
password hashing cost
session replication
load-balancing

Stateless or not?
password hashing cost
session replication
load-balancing
...
stateless session?

Security
SQL Injection
XSS
CSRF
XXE

CSRF - Cross-site request forgery
<imgsrc="https://api.mybank.com/transfers/from/1233/to/1234/amount/5000">
<formaction="https://api.mybank.com/transfers"method="POST">
<inputtype="hidden"name="from"value="1233"/>
<inputtype="hidden"name="to"value="1234"/>
<inputtype="hidden"name=amount"value="5000"/>
<inputtype="submit"value="CelebrityNudePhotos!"/>
</form>

CSRF - Cross-site request forgery
<imgsrc="https://api.mybank.com/transfers/from/1233/to/1234/amount/5000">
<formaction="https://api.mybank.com/transfers"method="POST">
<inputtype="hidden"name="from"value="1233"/>
<inputtype="hidden"name="to"value="1234"/>
<inputtype="hidden"name=amount"value="5000"/>
<inputtype="submit"value="CelebrityNudePhotos!"/>
</form>
One time request tokens
Correct CORS headers

CORS - Cross Origin Requests Sharing
Preflight request
OPTIONS/corsHTTP/1.1
Origin:http://www.domain.com
Access-Control-Request-Method:PUT
Access-Control-Request-Headers:X-Custom-Header
Host:api.mydomain.org
Accept-Language:en-US
Connection:keep-alive
User-Agent:Mozilla/5.0...
Preflight response
Access-Control-Allow-Origin:http://www.domain.com
Access-Control-Allow-Methods:GET,POST,PUT
Access-Control-Allow-Headers:X-Custom-Header
Content-Type:text/html;charset=utf-8

XML External Entity
<?xmlversion="1.0"encoding="utf-8"?>
<comment>
<text>Yeah!Ilikeit!</text>
</comment>

XML External Entity
<comment>
<text>Yeah!Ilikeit!</text>
</comment>
<!DOCTYPEmyentity[<!ENTITYa"Yeah!Ilikeit!">]>
<comment>
<text>&a;</text>
</comment>

# XML External Entity
<!DOCTYPEmyentity[<!ENTITYaSYSTEM"/etc/passwd">]>
<comment>
<text>&a;</text>
</comment>

# XML External Entity
<!DOCTYPEmyentity[<!ENTITYaSYSTEM"/etc/passwd">]>
<comment>
<text>&a;</text>
</comment>
<comment>
<text>root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
.....
</text>
</comment>

XML External Entity
<!DOCTYPEmyentity[
<!ENTITYa"abcdefghij1234567890">
<!ENTITYb"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a">
<!ENTITYc"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITYd"&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
...
<!ENTITYh"&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
]>
<comment>
<text>&h;</text>
</comment>

http://knowyourmeme.com/photos/531557 thx to @mihn

DDD training?

Thanks!

REST API Design Best Practices and Security Concerns

Recommandé

Recommandé

Contenu connexe

Similaire à REST API Design Best Practices and Security Concerns

Similaire à REST API Design Best Practices and Security Concerns (20)

Plus de Jakub Kubrynski

Plus de Jakub Kubrynski (10)

Dernier

Dernier (20)

REST API Design Best Practices and Security Concerns