Securing REST APIs: Essential Patterns and Practices
Whitespots Team ·
api-security
rest-api
backend
Introduction
REST APIs are the backbone of modern applications, but they’re also prime targets for attackers. From credential stuffing to data exfiltration, API vulnerabilities can lead to severe security breaches. This article covers essential security patterns for protecting your REST APIs.
Common API Security Threats
- Broken Authentication - Weak or missing authentication mechanisms
- Excessive Data Exposure - APIs returning more data than necessary
- Lack of Rate Limiting - Vulnerability to brute force and DoS attacks
- Mass Assignment - Allowing users to modify unintended object properties
- Injection Attacks - SQL, NoSQL, Command injection through API inputs
Rate Limiting Implementation
Protect your API from abuse with rate limiting:
javascriptconst rateLimit = require('express-rate-limit'); const RedisStore = require('rate-limit-redis'); const Redis = require('ioredis'); const redis = new Redis({ host: process.env.REDIS_HOST, port: process.env.REDIS_PORT, }); // General API rate limiter const apiLimiter = rateLimit({ store: new RedisStore({ client: redis, prefix: 'rl:api:', }), windowMs: 15 * 60 * 1000, // 15 minutes max: 100, // Limit each IP to 100 requests per windowMs message: { error: 'Too many requests, please try again later.', }, standardHeaders: true, legacyHeaders: false, }); // Stricter limiter for authentication endpoints const authLimiter = rateLimit({ store: new RedisStore({ client: redis, prefix: 'rl:auth:', }), windowMs: 15 * 60 * 1000, max: 5, // Only 5 login attempts per 15 minutes skipSuccessfulRequests: true, message: { error: 'Too many login attempts, please try again later.', }, }); // Apply to routes app.use('/api/', apiLimiter); app.use('/api/auth/login', authLimiter);
Input Validation and Sanitization
javascriptconst { body, param, query, validationResult } = require('express-validator'); // Validation middleware const validateUser = [ body('email') .isEmail() .normalizeEmail() .withMessage('Invalid email address'), body('username') .trim() .isLength({ min: 3, max: 30 }) .matches(/^[a-zA-Z0-9_]+$/) .withMessage('Username must be 3-30 alphanumeric characters'), body('age') .optional() .isInt({ min: 18, max: 120 }) .withMessage('Age must be between 18 and 120'), body('role') .optional() .isIn(['user', 'moderator']) .withMessage('Invalid role'), ]; // Error handling middleware const handleValidationErrors = (req, res, next) => { const errors = validationResult(req); if (!errors.isEmpty()) { return res.status(400).json({ error: 'Validation failed', details: errors.array(), }); } next(); }; // Use in route app.post('/api/users', validateUser, handleValidationErrors, createUser );
Preventing Mass Assignment
javascript// VULNERABLE: Direct assignment from user input app.put('/api/users/:id', async (req, res) => { const user = await User.findById(req.params.id); Object.assign(user, req.body); // Dangerous! await user.save(); // Attacker could send: { isAdmin: true, verified: true } }); // SECURE: Explicitly allow only certain fields const allowedFields = ['username', 'email', 'bio', 'avatar']; app.put('/api/users/:id', async (req, res) => { const user = await User.findById(req.params.id); // Only update allowed fields const updates = {}; allowedFields.forEach(field => { if (req.body[field] !== undefined) { updates[field] = req.body[field]; } }); Object.assign(user, updates); await user.save(); res.json({ user: sanitizeUser(user) }); }); // Helper to remove sensitive fields from response function sanitizeUser(user) { const { password, resetToken, ...safeUser } = user.toObject(); return safeUser; }
Preventing Excessive Data Exposure
javascript// VULNERABLE: Returning everything app.get('/api/users/:id', async (req, res) => { const user = await User.findById(req.params.id); res.json(user); // Includes password hash, internal fields, etc. }); // SECURE: Use DTOs (Data Transfer Objects) class UserDTO { constructor(user) { this.id = user._id; this.username = user.username; this.email = user.email; this.avatar = user.avatar; this.createdAt = user.createdAt; // Only expose necessary fields } } app.get('/api/users/:id', async (req, res) => { const user = await User.findById(req.params.id) .select('-password -resetToken -__v'); // Exclude sensitive fields if (!user) { return res.status(404).json({ error: 'User not found' }); } res.json(new UserDTO(user)); }); // Even better: Use different DTOs for different contexts class PublicUserDTO { constructor(user) { this.id = user._id; this.username = user.username; this.avatar = user.avatar; } } class PrivateUserDTO extends PublicUserDTO { constructor(user) { super(user); this.email = user.email; this.preferences = user.preferences; } }
Authorization Checks
javascript// Authorization middleware function requireRole(...allowedRoles) { return (req, res, next) => { if (!req.user) { return res.status(401).json({ error: 'Authentication required' }); } if (!allowedRoles.includes(req.user.role)) { return res.status(403).json({ error: 'Insufficient permissions' }); } next(); }; } // Resource ownership check async function requireOwnership(req, res, next) { const resource = await Resource.findById(req.params.id); if (!resource) { return res.status(404).json({ error: 'Resource not found' }); } // Check if user owns the resource or is admin if (resource.userId.toString() !== req.user.userId && req.user.role !== 'admin') { return res.status(403).json({ error: 'Access denied' }); } req.resource = resource; next(); } // Usage app.delete('/api/posts/:id', authenticateToken, requireOwnership, deletePost ); app.get('/api/admin/users', authenticateToken, requireRole('admin', 'superadmin'), listUsers );
API Security Headers
javascriptconst helmet = require('helmet'); app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"], }, }, hsts: { maxAge: 31536000, includeSubDomains: true, preload: true, }, })); // Additional security headers app.use((req, res, next) => { res.setHeader('X-Content-Type-Options', 'nosniff'); res.setHeader('X-Frame-Options', 'DENY'); res.setHeader('X-XSS-Protection', '1; mode=block'); res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin'); next(); });
Logging and Monitoring
javascriptconst winston = require('winston'); const logger = winston.createLogger({ level: 'info', format: winston.format.json(), transports: [ new winston.transports.File({ filename: 'error.log', level: 'error' }), new winston.transports.File({ filename: 'combined.log' }), ], }); // Security event logging middleware app.use((req, res, next) => { const startTime = Date.now(); res.on('finish', () => { const duration = Date.now() - startTime; logger.info({ method: req.method, path: req.path, status: res.statusCode, duration, ip: req.ip, userId: req.user?.userId, userAgent: req.get('user-agent'), }); // Log security-relevant events if (res.statusCode === 401 || res.statusCode === 403) { logger.warn({ event: 'unauthorized_access', method: req.method, path: req.path, ip: req.ip, userId: req.user?.userId, }); } }); next(); });
API Security Checklist
- ✅ Implement authentication and authorization
- ✅ Use HTTPS for all endpoints
- ✅ Apply rate limiting
- ✅ Validate and sanitize all inputs
- ✅ Prevent mass assignment
- ✅ Avoid excessive data exposure
- ✅ Use security headers (Helmet.js)
- ✅ Implement proper error handling (don’t leak stack traces)
- ✅ Log security events
- ✅ Keep dependencies updated
- ✅ Use API versioning
- ✅ Implement CORS properly
- ✅ Regular security testing and audits
Conclusion
Securing REST APIs requires a multi-layered approach combining authentication, authorization, input validation, rate limiting, and monitoring. By implementing these patterns, you significantly reduce your API’s attack surface.
Regular security assessments are crucial for identifying vulnerabilities before they’re exploited. Contact Whitespots for professional API security testing and consultation.
