mirror of https://github.com/kamranahmedse/developer-roadmap.git synced 2025-08-26 18:44:57 +02:00

Add content to API security best practices

This commit is contained in:
Kamran Ahmed
2023-02-21 15:48:03 +00:00
parent 5e75026424
commit dfc2d39427
3 changed files with 22 additions and 3 deletions


@@ -1 +1,7 @@
# Directory listings
# Directory Listings
> Turn off directory listings
Directory listings are a feature of web servers that allow users to view the contents of a directory on a server. By default, web servers often have directory listings enabled, which means that anyone who has access to the server can see all the files and directories in a given folder.
Turning off directory listings is important for API security because it prevents attackers from gaining access to sensitive files and directories on the server. If directory listings are enabled and an attacker gains access to the server, they can easily view and download any files that are not properly protected. By disabling directory listings, you can ensure that only authorized users can access the files and directories on the server.
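Review bot: The first sentence of the second paragraph gets the threat model wrong; a directory listing is served over HTTP to anyone who can reach the web server, so "if an attacker gains access to the server" should read "if an attacker can reach the server". Likewise "anyone who has access to the server" in the first paragraph should be "any client that can request the directory". The closing claim "you can ensure that only authorized users can access the files" overstates what the setting does: disabling the index only stops enumeration, and every file under the web root stays reachable by anyone who knows or guesses its URL, so the text should say the control hides file names and must be paired with keeping sensitive files out of the web root or behind access control. It would also help to name the actual switches readers will look for, e.g. `Options -Indexes` for Apache and `autoindex off;` for nginx.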


@@ -1 +1,9 @@
# Oauth redirect ui
# redirect_uri
> Validate `redirect_uri on server-side to prevent open redirect attacks.
In OAuth, `redirect_uri` is a parameter that specifies the URI (Uniform Resource Identifier) that the authorization server should redirect the user to after authentication is complete. The `redirect_uri` is often used in the OAuth flow to return an authorization code or access token to the client application.
It is important to validate the `redirect_uri` on the server-side to prevent attacks such as open redirection attacks. In an open redirection attack, an attacker can modify the `redirect_uri` parameter to redirect the user to a malicious website. By validating the `redirect_uri` on the server-side, you can ensure that the redirect URI is a valid and authorized URI for the client application.
Validating the `redirect_uri` on the server-side can also prevent other types of attacks such as phishing attacks or cross-site request forgery (CSRF) attacks. By verifying that the `redirect_uri` matches a predefined list of authorized URIs, you can ensure that the user is redirected to a trusted site after authentication is complete.
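Review bot: The blockquote line has an unclosed backtick in "`redirect_uri on server-side", which will render the rest of the line as code; it should be "`redirect_uri` on server-side". In the last paragraph, "matches a predefined list of authorized URIs" should state that the match is an exact string comparison against the URIs registered for that client (no prefix, wildcard or substring matching, which is the usual source of redirect bypasses), and that the same `redirect_uri` must be presented again and compared at the token endpoint when the authorization code is exchanged. The claim that `redirect_uri` validation prevents CSRF is misleading: CSRF on the client's redirect endpoint is addressed by the `state` parameter (and PKCE), not by `redirect_uri` checks; either drop CSRF from that sentence or say that `state` is the control for it.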


@@ -1 +1,6 @@
# Restrict private apis
# Restrict Private APIs
> Private APIs should only be accessible from safe listed IPs
Private APIs should only be accessible from safe-listed IPs to ensure that only authorized users or systems can access the API. By restricting access to specific IP addresses, you can prevent unauthorized access from external networks or malicious actors. This can help to protect sensitive data and prevent attacks such as DDoS or brute-force attacks. Additionally, restricting access to safe-listed IPs can help to ensure the reliability and performance of the API by preventing excessive traffic from unauthorized sources.
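Review bot: "safe listed" in the blockquote and "safe-listed" in the body should be spelled consistently. The paragraph presents IP restriction as if it authenticated callers ("only authorized users or systems"); an IP allowlist is a network-layer control and should be described as complementing, not replacing, authentication and authorization on the API itself, since anyone on an allowed host or network segment passes it. It should also say where the check runs: at the firewall, security group, load balancer or API gateway using the real source address, because an application-level check that trusts a client-supplied `X-Forwarded-For` header is trivially spoofed. Finally, "prevent attacks such as DDoS" is too strong; dropping non-allowlisted traffic reduces exposure to brute-force and scanning, but a volumetric flood still consumes bandwidth in front of the filter, so "reduce exposure to" is more accurate than "prevent".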