system-design-101/data/guides/a-cheatsheet-to-build-secure-apis.md
Kamran Ahmed ee4b7305a2 Adds ByteByteGo guides and links (#106)
This PR adds all the guides from [Visual
Guides](https://bytebytego.com/guides/) section on bytebytego to the
repository with proper links.

- [x] Markdown files for guides and categories are placed inside
`data/guides` and `data/categories`
- [x] Guide links in readme are auto-generated using
`scripts/readme.ts`. Every time you run the script `npm run
update-readme`, it reads the categories and guides from the above
mentioned folders, generates production links for guides and categories
and populates the table of contents in the readme. This ensures that any
future guides and categories will automatically get added to the readme.
- [x] Sorting inside the readme matches the actual category and guides
sorting on production
2025-03-31 22:16:44 -07:00
---
title: A Cheatsheet to Build Secure APIs
description: Concise strategies for building secure APIs to protect your application.
image: https://assets.bytebytego.com/diagrams/0064-a-cheatsheet-to-build-secure-apis.png
createdAt: 2024-02-23
draft: false
categories:
  - api-web-development
tags:
  - API Security
  - Security
---

An insecure API can compromise your entire application. Follow these strategies to mitigate the risk:

## Using HTTPS

- Encrypts data in transit and protects against man-in-the-middle attacks.
- Ensures that data hasn't been tampered with during transmission.

## Rate Limiting and Throttling

- Rate limiting prevents DoS attacks by limiting requests from a single IP or user.
- The goal is to ensure fairness and prevent abuse.
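A per-client sliding-window limiter, added here as an example and not code from the ByteByteGo guide. It keys on whatever identifies the caller (the client IPs below are constructed), rejects the sixth request inside a 60-second window, reports how long the caller should wait (the value an API would return in a `Retry-After` header with HTTP 429), and uses an injectable clock so the behaviour can be checked deterministically:

```python
import time
from collections import deque
from typing import Callable, Deque, Dict, List


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key.

    The key is whatever identifies the caller: a source IP, an API key or a
    user id. The clock is injectable so the logic can be tested without sleeping.
    """

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str) -> bool:
        """Record one request for `key`; return True if it is within the limit."""
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False            # rejected: the API should answer HTTP 429
        hits.append(now)
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until the oldest counted request leaves the window (0 if not limited)."""
        hits = self._hits.get(key)
        if not hits or len(hits) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - hits[0]))


def simulate(limit: int = 5, window: float = 60.0) -> dict:
    """Drive the limiter with a fake clock: seven calls one second apart from one
    client, one call from a second client, then a call after the window has passed."""
    fake_now = [0.0]
    limiter = SlidingWindowLimiter(limit, window, clock=lambda: fake_now[0])
    burst: List[bool] = []
    for i in range(7):
        fake_now[0] = float(i)
        burst.append(limiter.allow("203.0.113.7"))   # constructed client IP
    wait = limiter.retry_after("203.0.113.7")        # at t=6 the oldest hit is t=0
    other_client = limiter.allow("198.51.100.9")     # separate bucket, unaffected
    fake_now[0] = 61.0                               # first two hits have aged out
    after_window = limiter.allow("203.0.113.7")
    return {"burst": burst, "retry_after": wait,
            "other_client": other_client, "after_window": after_window}


if __name__ == "__main__":
    print(simulate())
```

In production the hit store would live in a shared cache (for example Redis) so that every API instance enforces the same limit, and the key should be chosen carefully: limiting only by source IP punishes users behind a shared NAT, so authenticated routes are usually keyed by user or API key instead.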

## Validation of Inputs

- Defends against injection attacks and unexpected data formats.
- Validate headers, inputs, and payload.
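A request validator that applies the allowlist approach to headers and payload together, added as an example here rather than taken from the guide. The accepted fields, the size cap and the two sample requests are constructed; the point is that everything not explicitly permitted (wrong media type, unknown fields, wrong types, out-of-range values) is rejected before any handler runs:

```python
import json
import re
from typing import Dict, List

# Allowlist schema for a constructed "create user" endpoint.
ALLOWED_FIELDS = {"username", "email", "age"}
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_BODY_BYTES = 4096


def validate_request(headers: Dict[str, str], raw_body: bytes) -> List[str]:
    """Return a list of validation errors for a JSON request (empty list = accept)."""
    errors: List[str] = []
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive

    # Media type: ignore parameters such as "; charset=utf-8".
    media_type = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        errors.append("Content-Type must be application/json")

    # Size and syntax checks come before any field-level parsing.
    if len(raw_body) > MAX_BODY_BYTES:
        return errors + [f"body exceeds {MAX_BODY_BYTES} bytes"]
    try:
        payload = json.loads(raw_body.decode("utf-8"))
    except ValueError:            # covers UnicodeDecodeError and JSONDecodeError
        return errors + ["body is not valid UTF-8 JSON"]
    if not isinstance(payload, dict):
        return errors + ["body must be a JSON object"]

    # Reject anything outside the allowlist instead of silently ignoring it.
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        errors.append(f"unexpected fields: {sorted(unknown)}")

    username = payload.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        errors.append("username must match ^[a-z0-9_]{3,32}$")

    email = payload.get("email")
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.fullmatch(email):
        errors.append("email is missing or malformed")

    age = payload.get("age")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(age, bool) or not isinstance(age, int) or not 0 <= age <= 150:
        errors.append("age must be an integer between 0 and 150")
    return errors


# Constructed sample requests: one well-formed, one with several problems at once.
GOOD_REQUEST = ({"Content-Type": "application/json; charset=utf-8"},
                b'{"username": "alice_01", "email": "alice@example.com", "age": 34}')
BAD_REQUEST = ({"content-type": "text/plain"},
               b'{"username": "alice\' OR 1=1 --", "email": "not-an-email", '
               b'"age": "34", "is_admin": true}')

if __name__ == "__main__":
    print(validate_request(*GOOD_REQUEST))
    print(validate_request(*BAD_REQUEST))
```

Validation of this kind is a first line of defence, not a replacement for parameterised queries or output encoding: the `username` pattern above would block the quoted string, but the database layer must still never build SQL by concatenation.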

## Authentication and Authorization

- Don't use basic auth for authentication.
- Instead, use a standard authentication approach like JWTs.
  - Use a random key that is hard to guess as the JWT secret.
  - Make token expiration short.
- For authorization, use OAuth.
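The two JWT points above (a random secret, a short lifetime) in working form, added as an example and not code from the guide or from any JWT library. It mints and verifies HS256 tokens with the standard library only, draws the secret from the OS CSPRNG, defaults to a 15-minute lifetime, pins the algorithm server-side instead of trusting the token header, and compares signatures in constant time; the subject names and timestamps are constructed:

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Any, Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: Dict[str, Any]) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def generate_secret() -> bytes:
    """256 bits from the OS CSPRNG: never a dictionary word or a hard-coded string."""
    return secrets.token_bytes(32)


def mint(secret: bytes, subject: str, ttl_seconds: int = 900,
         now: Optional[int] = None) -> str:
    """Create an HS256 JWT that expires ttl_seconds after `now` (default 15 minutes)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{_compact(header)}.{_compact(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(secret: bytes, token: str, now: Optional[int] = None,
           leeway: int = 0) -> Optional[Dict[str, Any]]:
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:                      # wrong segment count, bad base64 or JSON
        return None
    # Pin the expected algorithm; the token header must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return None
    try:
        claims = json.loads(_b64url_decode(c))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if isinstance(exp, bool) or not isinstance(exp, int) or now > exp + leeway:
        return None                                     # missing or past expiry
    return claims


def demo() -> Dict[str, Optional[Dict[str, Any]]]:
    """Exercise the happy path plus the three failure modes a verifier must catch."""
    secret = generate_secret()
    t0 = 1_700_000_000                                   # constructed issue time
    token = mint(secret, "alice", ttl_seconds=900, now=t0)
    h, _, s = token.split(".")
    # Re-encode the claims with a different subject but keep the original signature.
    tampered = f"{h}.{_compact({'sub': 'admin', 'iat': t0, 'exp': t0 + 900})}.{s}"
    return {
        "fresh": verify(secret, token, now=t0 + 60),
        "expired": verify(secret, token, now=t0 + 901),
        "wrong_key": verify(generate_secret(), token, now=t0 + 60),
        "tampered": verify(secret, tampered, now=t0 + 60),
    }


if __name__ == "__main__":
    print(demo())
```

Short expiry limits how long a leaked token is useful; it is normally paired with a refresh flow so users are not forced to log in every 15 minutes. In a real service the secret comes from a secrets manager, not from source or an environment file checked into the repository.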

## Using Role-based Access Control

- RBAC simplifies access management for APIs and reduces the risk of unauthorized actions.
- Granular control over user permissions based on roles.
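A minimal RBAC layer for API handlers, added as an example and not code from the guide. The roles, the `resource:action` permission strings and the principals are constructed; the principal dictionary stands in for whatever the authentication step produced (for instance verified JWT claims). Unknown roles grant nothing, so the default is deny:

```python
from functools import wraps
from typing import Callable, Dict, FrozenSet, Iterable

# Constructed role -> permission map. Permissions are "resource:action" strings.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer":  frozenset({"orders:read"}),
    "support": frozenset({"orders:read", "orders:refund"}),
    "admin":   frozenset({"orders:read", "orders:refund", "orders:delete", "users:manage"}),
}


class Forbidden(Exception):
    """Raised when the caller lacks the required permission (map to HTTP 403)."""


def permissions_for(roles: Iterable[str]) -> FrozenSet[str]:
    """Union of the permissions of all roles; unknown roles grant nothing."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


def is_allowed(roles: Iterable[str], permission: str) -> bool:
    return permission in permissions_for(roles)


def require(permission: str) -> Callable:
    """Decorator that checks the principal's roles before the handler runs."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(principal: dict, *args, **kwargs):
            if not is_allowed(principal.get("roles", ()), permission):
                raise Forbidden(f"{principal.get('sub', '?')} lacks {permission}")
            return handler(principal, *args, **kwargs)
        return wrapper
    return decorator


@require("orders:read")
def get_order(principal: dict, order_id: str) -> str:
    return f"order {order_id} for {principal['sub']}"


@require("orders:delete")
def delete_order(principal: dict, order_id: str) -> str:
    return f"order {order_id} deleted by {principal['sub']}"


def try_call(handler: Callable, principal: dict, *args) -> str:
    """Run a handler and turn Forbidden into the string 'forbidden' (for the demo)."""
    try:
        return handler(principal, *args)
    except Forbidden:
        return "forbidden"


# Constructed principals, as an authentication layer would hand them over.
VIEWER = {"sub": "bob", "roles": ["viewer"]}
ADMIN = {"sub": "root", "roles": ["admin"]}

if __name__ == "__main__":
    print(try_call(get_order, VIEWER, "o-1"))
    print(try_call(delete_order, VIEWER, "o-1"))
    print(try_call(delete_order, ADMIN, "o-1"))
```

Keeping the check in a decorator means every handler states its required permission in one place, which is easy to audit; the authorization decision is then made on the server from the role map, never from a role claim the client can edit.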

## Monitoring

- Monitoring the APIs is the key to detecting issues and threats early.
  - Use tools like Kibana, Cloudwatch, Datadog, and Slack for monitoring.
  - Don't log sensitive data like credit card info, passwords, credentials, etc.
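A log-redaction step that sits between the API and whatever ships events to Kibana, CloudWatch or Datadog, added as an example and not code from the guide. It masks known-sensitive field names (authorization headers, passwords, card numbers) and scrubs card-number-like digit runs from free text, then emits one JSON line per event; the sample event, its key list and the PAN pattern are constructed:

```python
import json
import re
from typing import Any

# Field names whose values must never reach the logs (matched case-insensitively).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization",
                  "cookie", "api_key", "card_number", "cvv", "ssn"}
# 13-19 digits, optionally separated by spaces or dashes: looks like a card PAN.
# Deliberately over-broad; masking a phone number is cheaper than leaking a card.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
REDACTED = "[REDACTED]"


def redact(value: Any) -> Any:
    """Return a copy of a log event with sensitive keys and PAN-like strings masked."""
    if isinstance(value, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return PAN_RE.sub(REDACTED, value)
    return value                      # numbers, booleans, None pass through unchanged


def format_event(event: dict) -> str:
    """One JSON line per API event, ready for a log shipper."""
    return json.dumps(redact(event), sort_keys=True)


# Constructed request log; not real traffic.
SAMPLE_EVENT = {
    "ts": "2024-02-23T10:15:00Z", "method": "POST", "path": "/v1/payments",
    "status": 402, "latency_ms": 87, "client_ip": "203.0.113.7",
    "headers": {"Authorization": "Bearer constructed.token.value",
                "User-Agent": "curl/8.4"},
    "body": {"amount": 1999, "card_number": "4111111111111111", "cvv": "123",
             "note": "retry of card 4111 1111 1111 1111 from yesterday"},
}

if __name__ == "__main__":
    print(format_event(SAMPLE_EVENT))
```

The fields that survive (method, path, status, latency, client IP, timestamp) are exactly the ones a dashboard or alert rule needs to spot error spikes, slow endpoints and abusive clients, so redaction costs nothing in monitoring value. Redaction by key name only works if the application logs structured events rather than interpolating request bodies into strings, which is why the pattern scan is kept as a backstop.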