Skip to content

Instantly share code, notes, and snippets.

@anhtuank7c

anhtuank7c/API_guideline.md

Created November 29, 2024 08:00
Show Gist options
  • Save anhtuank7c/dec770ac05c51c6ae0fae8134c10104f to your computer and use it in GitHub Desktop.
Save anhtuank7c/dec770ac05c51c6ae0fae8134c10104f to your computer and use it in GitHub Desktop.
Download ZIP
RESTful Guideline
Raw
API_guideline.md

I'll help you improve the API security and design. Let's analyze the current issues and implement better security practices.

Current Issues:

  1. Exposing secret key as a query parameter is insecure because:
    • It appears in server logs
    • It's visible in browser history
    • It can be intercepted in network traffic
    • It might get cached or bookmarked

Here's a comprehensive solution to improve your API security:

  1. Use Authentication Headers Instead of Query Parameters
Authorization: Bearer <jwt_token>
  1. Implement Token-based Authentication (JWT) The flow should be:
1. Client authenticates → receives JWT token
2. Client uses token for subsequent requests
3. Token expires after set time

Here's a more secure API design:

  1. Authentication Endpoint:
POST /api/auth/login
Body: {
    "username": "user",
    "password": "pass"
}
Response: {
    "access_token": "eyJhbG...",
    "expires_in": 3600
}
  1. Protected Resource Endpoint:
GET /api/roblox/orders/{orderId}/items/{itemId}
Headers: {
    "Authorization": "Bearer eyJhbG..."
}

Additional Security Improvements:

  1. Use HTTPS Only
# Nginx configuration
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    # ... other SSL configurations
}
  1. Implement Rate Limiting
# Nginx rate limiting
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

location /api/ {
    limit_req zone=api_limit burst=20;
}
  1. Add Request Validation:
  • Validate request parameters
  • Add request ID for tracking
  • Implement API versioning
  1. Security Headers:
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
  1. Error Handling:
{
    "status": 401,
    "error": "Unauthorized",
    "message": "Invalid or expired token",
    "timestamp": "2024-11-27T10:00:00Z",
    "requestId": "req-123xyz"
}

Here's a code example for implementing JWT authentication:

This implementation provides several security improvements:

  1. JWT-based authentication
  2. Request validation
  3. Error handling with proper status codes
  4. Rate limiting
  5. Security headers using helmet
  6. Request tracking with unique IDs
  7. Environment-based configuration
  8. Proper route structuring
  9. Input validation
  10. Secure password handling with bcrypt

To use this API:

  1. First, authenticate:
curl -X POST https://api.yourdomain.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "user", "password": "pass"}'
  1. Then use the token for subsequent requests:
curl https://api.yourdomain.com/api/roblox/orders/232817173267878040942/items/1 \
  -H "Authorization: Bearer eyJhbG..."

Additional Recommendations:

  1. Store sensitive data in environment variables:
JWT_SECRET=your-secure-secret
NODE_ENV=production
  1. Implement refresh tokens for better security
  2. Add API documentation using OpenAPI/Swagger
  3. Implement request logging
  4. Set up monitoring and alerting
  5. Regularly rotate secrets and tokens
  6. Implement CORS properly
  7. Consider using API Gateway for additional security layers

Would you like me to elaborate on any of these aspects or provide additional examples for specific security features?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment