B.12 - API Security
Note: For reasons of simplification, some of the following requirements that refer to API apply to all technical implementation variants such as XML WebServices, GraphQL or REST APIs.
B.12.1 General
- APIs MUST not be exposed unless required.
- External APIs SHOULD only be made available using a hardened service or API gateway (see [A.5.5 Isolation of External Systems}(/Controls/SSDLC_Secure-Operation#a55-isolation-of-external-systems).
- APIs MUST be restrictively validated, preferably using OpenAPI Schema (see B.2 - Input Validation).
- APIs SHOULD implement restrictive limits based on business requirements (aka rate limiting, e.g. max. requests per client within a time interval)1.
B.12.2 Authentication
- The strength of the authentication mechanism used MUST be adequate to the protection needs.
- Shared secrets used for API authentication (e.g. API keys or OAuth 2.0 Client Secrets) MUST have the following characteristics:
- Implemented according to B.10.5 Tokens / Keys
- Stored securely according to the requirements specified in B.11 - Protection of Secrets
- Transmitted outside of URLs (e.g. via HTTP POST or HTTP header).
- Authentication credentials MUST be unique for each service/system and environment (e.g. serviceX in dev, serviceX test, serviceX in production).
B.12.3 Access Tokens
- Access to APIs with risk class >= [HIGH] SHOULD be granted using Access Tokens (OAuth 2.0 or SAML).
- The following requirements MUST apply to access tokens:
- Short-lived (minutes or hours)
- Implemented according to B.10.5 Tokens / Keys
- Restrictive scope & audience
- Transmitted only via HTTPS/TLS
- Issued by a trusted and hardened access server (e.g. OIDC Identity Server or OAuth 2.0 Authorization Server)
- created and validated using mature frameworks.
- signed (preferably using public key cryptography)2
- If the token is encoded as a JSON Web Token (JWT), the encryption method MUST be verified2.
B.12.4 OAuth 2.0/OICD Requirements
- For user authentication (3-legged):
- Authorization Code Grant with PKCE (or alternative authorization code binding technique, e.g. “state” binding or OICD Nounces) for both public clients (e.g. single-page applications (SPAs)3 SHOULD be used for both public and confidential clients (e.g. server-side web apps).4
- For CSRF protection, Authorization Code Grant Flows MUST either use the “state” parameter, PKCE, or “OICD Nounces”
- Clients MUST register (and be validated using) full redirect URI as described in RFC 6819 Section 5.2.3.5 (no pattern matching).
- Refresh tokens MUST be secured according to B.11 - Protection of Secrets
- Service-to-service access SHOULD be protected using Client Credential Grants.
- HTTPS MUST be used for all communication.
See also requirements B.12.3 Access Tokens.
B.12.5 Frontend APIs
APIs that are used as a backend for client-side frontend (e.g. SPAs):
- MUST implement the same security requirements for access to external resources as the corresponding UI (authentication, validation, etc.)
- MUST not contain script code (e.g. JavaScript) that is directly executable
- MUST contain CSRF protection if working in user context (see B.7 - Secure Session Management)
B.12.6 Cross-Domain Access
- Cross-domain requests MUST be performed using secure mechanisms such as Cross-Origin Resource Sharing (CORS) and a restrictive policy (e.g. restricted so certain hosts or domains or with credential submission deactivated).
- The origin header of cross-domain requests MUST be authorized on the server side.
B.12.7 WebSockets
WebSockets MUST transfer all confidential data with wss://
schema and an additional server-side authorization of the source origin header.
-
This control aims to prevent denial-of-service (DoS) conditions, which can occur both deliberately and accidentally, such as those triggered by a client malfunction. ↩
-
See B.10 - Data Security for requirements about allowed algorithm and ciphers used here. ↩ ↩2
-
See https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-00 ↩
-
See https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14 ↩