How to ACTUALLY Secure Your API (5 Steps)

Captions
Hey, how the hell do you protect your API routes? How do you make sure you don't leak vulnerable information, make sure the endpoints don't get spammed, make sure everything goes right and they are properly secured? I always take five steps, and here they are.

Step number one is by far the easiest, and nowadays you barely have to worry about it unless you do everything yourself, but that is: use HTTPS. Make sure the connection between client and server is encrypted so nobody can do a man-in-the-middle attack and read your data that is passed from the client to the server and back again. Nowadays you don't really have to think about it; it's mostly done automatically for you.

Number two is really important: it's authentication and authorization. Those are two different things. Authentication means ensuring the user is who they claim to be, either through Google or through GitHub or through a password authentication with email and password, you know, and in return for those credentials the user gets a token that is either a JSON web token or it can be a session token that you also store in a database. Those are the two different approaches to authentication. Now, the important thing is whenever that user makes a request to your API, that HTTP-only cookie, meaning it can't be changed by JavaScript or read by JavaScript, is going to be automatically sent along in the request to your server, and then either you validate the signature of the JSON web token in your API route or you go ahead and fetch that session cookie in the database and see if that is a valid session. And that is the authentication part done; now you know the user is who they claim to be, for example their email. And then authorization is the question of: well, we now know who the user is, but what are they allowed to do? If we have something like role-based authentication, are they an admin, are they a user? Or if we don't have that, well, what is any user allowed to do? Are they allowed to change their name in the database? How can they interact with the database? That is what authorization is about. So usually what you do is logical checks before you perform a certain action that is linked to an API endpoint. Like, for example, the goal of one API endpoint is to change a username in a database. Before doing that, in regards of authorization, an example would be: has the user changed their username more than three times in the past hour? And if they did, well, then they are not authorized to do that same action in the same hour again.

Okay, so now we're sending encrypted data traffic, we know who the user is and what they're allowed to do, but anyone, even without being logged in, could totally spam your API endpoint and force you to make so many requests back and forth to your database, costing you money. So step number three is: rate limit your API endpoints. Don't allow anybody to spam the hell out of them; rate limit them. For example, what I usually do is use Upstash for this. Just full disclosure, I am sponsored by Upstash, but I used them before they sponsored me. I use them in personal projects that they are not sponsoring at all; they're not public, I just personally use them, and that's why I stand behind their product and agreed to being sponsored by them. So I think personally Upstash makes this really easy to protect your API endpoints, especially in a serverless environment, for example Next.js; that is mainly what Upstash is used for. If you're using server-full technology like Node.js, for example, and Express, there are packages just for that that rate limit your API endpoints even easier than in serverless environments.

Okay, now nobody can spam our API anymore, we know who is trying to make a request and we know what that person is allowed to do, but we cannot ensure whether that person is trying to make a malicious request, because just knowing who the user is doesn't mean that they're friendly or not trying to inject something really harmful into our API routes. And that's why we do the next step, and that step is input validation. It is so, so, so important. You need to validate client input. Anyone can make any request to any of your API routes with any data that they want, so you need to make sure that the data you get on your server and then process in the request is actually what you expect and not malicious input. I personally do a lot of work in the Node.js, Express, Next.js environment, so just in the JavaScript/TypeScript environment, and therefore I like to use schema validation libraries for this. In TypeScript you can use something called Yup or you could use something called Zod; essentially they allow you to do the same thing. You define a certain schema, a type of data that you're expecting on your back end, that you can then parse against. So you can parse any data, no matter what it is, against that schema, and if that data that you're parsing does not match the schema, your server will throw an error, because you cannot handle the request with data that you're not expecting, and only if the data that is passed into your API endpoint is of the certain schema type. And by the way, in this schema you can literally define everything: you can define you want a string that is a maximum of 100 characters that matches a certain regex. You can refine that even further if you want to; you can make really sure the data that you're receiving on the server is precisely what you're getting, and if that parses correctly then you know, okay, the data is fine, we can actually work with it.

All right, we've ensured there is encrypted traffic, we know who is making a request and what they're allowed to do, nobody can spam our API endpoints, and we even know that the data that we're getting is exactly what we want. But what we haven't done yet is super crucial, and step number five, really important: error handling. We can never ensure that everything works smoothly in our API. Chances are you're also relying on some third-party API; it's just API to API, there's a lot of communication, there's a lot of stuff that could go wrong, servers not responding, you never know, and therefore you want very solid error handling. The way you do that, at least in the environment that I'm familiar with, is in a try-catch block (I think it's the same in Java), where you can try a certain function and then catch any errors that should occur. And then the secret to good error handling is sending back the proper HTTP status codes of what's happening, because then you can check those on the client and display a corresponding error message to the user, like a 400 Bad Request, or a 409, there's a conflict in the naming, for example. So you want to make sure you're checking the error in the catch block, whether it matches a certain type. For example, if you're using Axios, then you might check if it's an Axios error, and if it is, then you know the structure of the error. Similarly, if you're using a certain schema validation library to validate the input, remember when the parsing fails there's an error being thrown, and in the catch block you can check if the error is of that type, if it was created by Zod or by Yup. And if it turns out the error is in the shape of a Zod or Yup error and caused by them, that allows you to really easily handle how you send back your HTTP status codes to the client. And then finally, if you have no idea what the error is, if it's neither an Axios error nor a Zod error or whatever tools you're using in your app, then in the worst case you can always send back a generic 500 error message. You know, you don't know what's wrong, so just send back an internal server error.

And those are my steps to properly securing your API endpoints. If I missed anything, be sure to let me know. And also, this video was inspired by a Twitter post by this user right here, and I'm gonna link them in the description; that's where the inspiration for this video came from, on how to secure your REST API routes, but with my own twist to it. For example, the authorization was not mentioned in that thread at all, which I feel like is really important to properly secure your API endpoints as well. Thanks very much for watching, I really hope you learned something new on how to properly protect your API endpoints, and then I'm gonna see you in the next video. Have a good one, and bye-bye.
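As an added example (not the video's or the channel's code), the "change username" route the video uses as its running case, modelled as a plain JavaScript function: session-cookie lookup for authentication, the more-than-three-changes-per-hour rule for authorization, a hand-written check standing in for a Zod/Yup schema, and a catch block that maps each error type to an HTTP status code. The session tokens, usernames, the in-memory Maps and the error classes are constructed stand-ins, not anything the video shows.

```javascript
// Added example, not the video's code: the "change username" route from the
// video as a pure function with session lookup (authentication), the
// more-than-three-changes-per-hour rule (authorization), schema-style
// validation and a catch block mapping error types to HTTP status codes.
// No framework; ValidationError stands in for a zod/yup error, Maps for the DB.
class ValidationError extends Error {}
class ConflictError extends Error {}
class TooManyChangesError extends Error {}
// Constructed data: session token -> user id, username -> user id, user id -> change times (ms).
const sessionsDb = new Map([["tok-alice", "u1"], ["tok-bob", "u2"]]);
const usersDb = new Map([["alice", "u1"], ["bob", "u2"]]);
const changeLog = new Map();

// Stand-in for a schema such as z.string().min(3).max(100).regex(/^[a-z0-9_]+$/).
function parseUsername(body) {
  const v = body && body.username;
  if (typeof v !== "string") throw new ValidationError("username must be a string");
  if (v.length < 3 || v.length > 100) throw new ValidationError("username must be 3-100 characters");
  if (!/^[a-z0-9_]+$/.test(v)) throw new ValidationError("username has invalid characters");
  return v;
}

// Video's rule: a user who already changed their name more than three times this hour is blocked.
function recentChanges(userId, now) {
  return (changeLog.get(userId) || []).filter(t => now - t < 3600000);
}
// Returns { status, body } instead of writing to a response object.
function changeUsername(cookieToken, body, now = Date.now()) {
  try {
    const userId = sessionsDb.get(cookieToken);                       // authentication
    if (!userId) return { status: 401, body: { error: "not authenticated" } };
    const username = parseUsername(body);                              // input validation
    const recent = recentChanges(userId, now);                         // authorization
    if (recent.length > 3) throw new TooManyChangesError("too many username changes this hour");
    const owner = usersDb.get(username);
    if (owner !== undefined && owner !== userId) throw new ConflictError("username already taken");
    for (const [name, id] of usersDb) if (id === userId) usersDb.delete(name);
    usersDb.set(username, userId);
    changeLog.set(userId, [...recent, now]);
    return { status: 200, body: { username } };
  } catch (err) {
    // Known error types get specific codes; anything unexpected becomes a generic 500.
    if (err instanceof ValidationError) return { status: 400, body: { error: err.message } };
    if (err instanceof ConflictError) return { status: 409, body: { error: err.message } };
    if (err instanceof TooManyChangesError) return { status: 429, body: { error: err.message } };
    return { status: 500, body: { error: "internal server error" } };
  }
}
```

Because the handler returns a plain object, the status-code mapping can be exercised without a running server; in Express or a Next.js route the same object would be written with `res.status(status).json(body)`.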
Info
Channel: Josh tried coding
Views: 26,398
Keywords: api routes, api endpoint, security, api security, josh tried coding, joshtriedcoding, api endpoint security, rate limiting, authentication, authorization, upstash rate limiting, zod, yup, nextjs, react, error handling
Id: dZ2CkvxuWIo
Length: 7min 42sec (462 seconds)
Published: Thu Jun 29 2023