Best practices you should follow for building a secure REST API (Backend)

Best practices you should follow for building a secure REST API (Backend)

REST APIs are everywhere, We’ll go through some of the best practices that you can follow to create secure & rock solid REST APIs.

Note: If you are looking for a Full Stack Developer (Django+React), then connect with me on LinkedIn or contact me through my portfolio.


REST APIs are everywhere, Rock-solid authentication mechanisms are the beginning for REST API security, but not the end. There are other security best practices to consider during development.

We’ll go through some of the best practices that you can follow to create secure & rock solid REST APIs.

Best Practices:

Authentication & authorization:

Only an authenticated person can request Data. If you are authenticated and are not allowed to access some resource, you should get a forbidden error.

RBAC (Role Based Access Control):

RBAC lets users access only the information which they need to, and prevents them from accessing information that doesn't belong to them.

E.g. In a School Management System, a student can not access the teacher's data.

ABAC (Attribute Based Access Control):

This is all about limiting the amount of permissions to each role in a system. We have four common kinds of permissions, Create, Read, Update, Delete.

A user should not have a permission to perform relevant action if they are not meant to.

E.g. A student should not have Delete permissions if it is not required in a School Management System.

Implement Pagination:

Instead of returning all the data in one request, you can limit the amount of data sent in a single request, let’s say 10 items in a request, and for next 10, there will be other request to be made. Also, it is less expensive to send n items instead of sending all at once.

E.g. A user is requesting for articles, then just return only 10 articles in one request. Doing this, you can avoid attacks such as DDoS.

Add throttling or Quota Limits:

To minimize security risks, you must implement hourly or daily rate limits, after which the number of requests should be reduced or exhausted.

If you have public REST APIs, API keys can help you to provide a way of controlling access to public REST services, it can leverage API keys to enforce rate limiting and mitigate denial-of-service attacks.

Input Validation:

Do not save any data before proper validation. Seems like a small thing, but it is one of the crucial steps while building the backend or REST APIs.

Using HTTPS:

Using SSL adds a security layer to your server, and you can avoid the Man in the Middle Attack.

Use Tokens for authentication:

An alternative form of authentication for REST APIs are tokens. Tokens are typically used by client-side apps and issued by the server.

OAuth 2 is a secure token-based authentication mechanism that you can use in an API for secure user authentication and authorization.

You can also implement JSON Web Token (JWT) as your token architecture for OAuth 2.

Add timestamp to the requests:

You can leverage HTTP custom headers, and add a timestamp on each request made from the client.

Doing this way, you can measure if the requests has been made within a timeframe like 1 or 3 minutes. You can avoid Replay Attacks.

Additional Security Headers:

Additional HTTP security headers can be set to further restrict the type and scope of requests.

These include X-Content-Type-Options: nosniff to prevent XSS attacks based on MIME sniffing and X-Frame-Options: deny to prevent clickjacking attempts in older browsers.

Limit the request body size:

In Nginx and Apache, both have a directive to control the maximum size of a request.

In Nginx, it is named client_max_body_size, its default value is 1 MB, but you can set it according to your need.

In Apache, this directive is named LimitRequestBody.

Blacklist not allowed methods:

If your endpoint only takes HTTP DELETE requests, then why are you even allowing HTTP POST requests. Simply block POST requests and stop giving a chance to an attacker to enter into your system.

For more such crispy blogs daily, follow Dev.Junction, subscribe to our newsletter and get notified.

Did you find this article valuable?

Support Dev.Junction by becoming a sponsor. Any amount is appreciated!