API (Application Programming Interface) Security Best practices


Enterprise developers depend heavily on APIs for building new products and services, and modern websites consume third-party APIs as well. API security is the protection of APIs, both the ones you develop and the ones you consume.

ProgrammableWeb has a directory listing about 15,000 APIs for mobile and web applications, consumed by developers who did not build them. With this many APIs exposed, the potential for a security breach is large, and developers need to understand that it is their job to keep client data safe.

Speed and functionality are not all that matter when building and deploying an API. Security practices must be employed to protect it from attacks.

Here are common attacks and how to prevent them.

Compromised database: this is when the attacker gains access to the database.

  • Store passwords only as salted hashes (bcrypt), never in plaintext.

  • Hash password reset tokens with a strong hash (SHA-256) before storing them, so a database dump does not expose usable tokens.

Brute force attack: this is when the attacker tries millions of passwords.

  • Make the login process/request deliberately slow by hashing with the bcrypt package (`npm install bcrypt`, ExpressJs).

  • Implement rate limiting that caps the number of requests coming from one single IP address (`npm install express-rate-limit`, ExpressJs).

  • Implement a maximum number of login attempts for each user. Here we decide that after ten failed login attempts, a user cannot log in until a few hours have passed.

Cross-Site Scripting (XSS) attack: this lets the attacker run script in the victim's browser and read anything the page can, such as tokens kept in local storage.

  • Store JSON Web Tokens (JWT) in HttpOnly cookies, which page scripts cannot read.

  • Sanitize input data, and set protective HTTP headers with the helmet package (`npm install helmet`, ExpressJs).

Denial of service attack (DoS): this happens when the attacker sends so many requests to the server that it breaks down and becomes unavailable.

  • Avoid "evil" regular expressions, i.e. patterns that backtrack catastrophically on crafted input.

  • Limit the request body size (in body-parser) for POST and PATCH requests.

NoSQL query injection: this is when the attacker sends a query object instead of a plain value.

  • Using mongoose helps prevent this attack because its schemas force each value to have a well-defined data type.

Some other suggestions for best practices include:

  • Do not send detailed error messages to clients.

  • Confirm the user's email address after the account is first created.

  • Implement two-factor authentication.

  • Always use HTTPS.

  • Do not commit sensitive data to Git.

  • Require re-authentication before certain operations.

Modern technology keeps increasing the amount of consumer data and the number of connected devices out there. Cyber-attacks are on the rise and attackers keep improving their skills, so strong security measures must be adopted while building and deploying servers.