# Best practices you should follow for building a secure REST API (Backend)

***Note: If you are looking for a Full Stack Developer (Django+React), then connect with me on*** [***LinkedIn***](https://www.linkedin.com/in/mnamegaurav/) ***or contact me through my*** [***portfolio***](https://gaurav.devjunction.in/)***.***

# Introduction:

**REST APIs** are everywhere, Rock-solid **authentication** mechanisms are the beginning for **REST** **API** security, but not the end. There are other security best practices to consider during development.

We’ll go through some of the best practices that you can follow to create secure & rock solid **REST APIs**.

# Best Practices:

## Authentication & **authorization**:

Only an **authenticated** person can **request** Data. If you are **authenticated** and are not allowed to access some resource, you should get a **forbidden** error.

## **RBAC (Role Based Access Control):**

`RBAC` lets users access only the information which they need to, and prevents them from accessing information that doesn't belong to them.

***E.g.*** In a School Management System, a student can not access the teacher's data.

## **ABAC (Attribute Based Access Control):**

This is all about limiting the amount of permissions to each role in a system. We have four common kinds of permissions, `Create`, `Read`, `Update`, `Delete`.

A user should not have a permission to perform relevant action if they are not meant to.

***E.g.*** A student should not have `Delete` permissions if it is not required in a School Management System.

## **Implement Pagination:**

Instead of returning all the data in one `request`, you can limit the amount of `data` sent in a single request, let’s say **10 items** in a `request`, and for next **10**, there will be other `request` to be made. Also, it is less **expensive** to send **n items** instead of sending all at once.

***E.g.*** A user is requesting for articles, then just return only **10 articles** in one `request`. Doing this, you can avoid attacks such as **DDoS**.

## **Add throttling or Quota Limits:**

To minimize security risks, you must implement **hourly** or **daily** **rate** **limits**, after which the number of **requests** should be **reduced** or **exhausted**.

If you have public REST APIs, **API keys** can help you to provide a way of controlling access to public **REST** services, it can leverage **API keys** to enforce rate limiting and mitigate **denial-of-service attacks**.

## **Input Validation:**

Do not save any data before proper **validation**. Seems like a small thing, but it is one of the crucial steps while building the **backend** or **REST APIs**.

## **Using HTTPS:**

Using **SSL** adds a security layer to your server, and you can avoid the **Man in the Middle Attack**.

## **Use Tokens for authentication:**

An alternative form of **authentication** for **REST APIs** are **tokens**. **Tokens** are typically used by **client-side** apps and **issued** by the **server**.

**OAuth 2** is a secure token-based authentication mechanism that you can use in an **API** for secure user **authentication** and **authorization**.

You can also implement **JSON Web Token** (**JWT**) as your token architecture for **OAuth 2**.

## **Add timestamp to the requests:**

You can leverage **HTTP** **custom headers**, and add a **timestamp** on each request made from the **client**.

Doing this way, you can measure if the requests has been made within a timeframe like 1 or 3 minutes. You can avoid **Replay Attacks**.

## **Additional Security Headers:**

Additional **HTTP** **security headers** can be set to further restrict the type and scope of requests.

These include `X-Content-Type-Options: nosniff` to prevent **XSS** attacks based on **MIME** **sniffing** and `X-Frame-Options: deny` to prevent **clickjacking** attempts in older browsers.

## **Limit the request body size:**

In **Nginx** and **Apache**, both have a **directive** to control the **maximum** size of a `request`.

In **Nginx,** it is named `client_max_body_size`, its **default** value is **1 MB**, but you can set it according to your need.

In **Apache**, this directive is named `LimitRequestBody`.

## **Blacklist not allowed methods:**

If your endpoint only takes **HTTP** `DELETE` **requests**, then why are you even allowing **HTTP** `POST` requests. Simply block **POST** **requests** and stop giving a chance to an attacker to enter into your system.

> ***For more such crispy blogs daily, follow Dev.Junction, subscribe to our newsletter and get notified.***

## Social Links

* **LinkedIn:** [https://www.linkedin.com/in/mnamegaurav/](https://www.linkedin.com/in/mnamegaurav/)
    
* **YouTube:** [https://www.youtube.com/c/devjunction](https://www.youtube.com/c/devjunction)
    
* **Website:** [https://gaurav.devjunction.in/](https://gaurav.devjunction.in/)
    
* **GitHub:** [https://github.com/mnamegaurav](https://github.com/mnamegaurav)
    
* **Instagram:** [https://www.instagram.com/mnamegaurav/](https://www.instagram.com/mnamegaurav/)
    
* **Twitter:** [https://twitter.com/mnamegaurav](https://twitter.com/mnamegaurav)
