Reblaze Wiki

API Security

APIs can be private, and only used internally. They can be semi-public; in other words, although they are used in a public context (such as sending data over the Internet), their internal details are restricted to trusted entities. Or they can be public; many applications and services publish their APIs so that external entities can communicate with them.

What is a False Negative Alarm?

In web application security, an ideal security system would correctly evaluate all incoming traffic. All legitimate traffic would be allowed, and all hostile traffic would be blocked.

What is API Security?

Software programs use APIs to communicate with each other. They can be used locally or remotely; the programs could be running on the same computer, or they could be running on machines that are separated by multiple time zones.

API Security vs. Traditional Web Security

There’s a “castle and moat” approach. The network has a well-protected perimeter. There are only a few ways through the perimeter, and these access points are heavily guarded. Once requestors are allowed through the perimeter, they’re assumed to be benign.

What is an API Attack?

An API attack is hostile usage, or attempted hostile usage, of an API. Below are some of the many ways that attackers can abuse an API endpoint.

What is an API Gateway?

An API gateway is an interface between clients and backend microservices. When a gateway is used, it becomes the single point of contact for clients; it receives their API calls and routes each one to the appropriate backend.

API Security and Native/Mobile Applications

A native application is coded in the primary language for its operating system. (For example, Android-native apps are written in Java.) A mobile application is a native application for a mobile OS (which today is usually Android or iOS).