For use with any production API that requires security
Description: This checklist is intended to provide a comprehensive guide for securing REST APIs. It covers various aspects of security, from authentication and authorization to data validation and logging. Use this checklist as a reference for conducting security audits or as a tool to improve the security of your API.
Instructions:
- Review each item in the checklist and make sure it is implemented properly.
- If an item is not applicable or not relevant to your API, note this with a justification.
- Use the checkboxes to indicate whether each item has been implemented or not.
Checklist:
- Secure authentication method: The API uses a secure method for authentication (e.g. OAuth, JSON Web Tokens, etc.).
- Hashed and salted passwords: Passwords are hashed and salted before storage.
- Proper access controls: The API implements proper access controls for sensitive data and operations (e.g. authorization headers, roles and permissions).
- Prevention of brute force attacks: The API has mechanisms in place to detect and prevent brute force attacks (e.g. rate limiting).
- Input validation: The API implements proper input validation on all incoming data (e.g. checking data types, range, length, etc.).
- Data escaping: The API properly escapes all user-supplied data before using it in SQL or other database queries.
- Network encryption: The API uses SSL/TLS encryption for transmitting sensitive data over the network.
- Secure session IDs: The API uses secure session IDs and manages them properly (e.g. using HTTPS-only cookies, rotating session IDs on login, etc.).
- Session hijacking prevention: The API has mechanisms in place to detect and prevent session hijacking attacks (e.g. checking client IP address, user-agent, etc.).
- Event logging: The API has logging in place for all relevant events (e.g. authentication attempts, system errors, etc.).
- Suspicious activity monitoring: The API is regularly monitored for unusual or suspicious activity (e.g. rate of failed login attempts, etc.).
- Critical event alerts: The API implements an alert system for critical security events.
- Trusted libraries: The API only uses trusted third-party libraries and components with a history of security updates and patches.
- Library updates: The API regularly updates all third-party libraries and components to address known security vulnerabilities.
- Secure infrastructure: The API is deployed on a secure and managed infrastructure (e.g. using a cloud provider with a strong security track record).
- Firewall and network security: The API has proper firewall and network security in place (e.g. using VLANs, VPNs, etc.).
- Regular backups: The API has regular backups in place for disaster recovery.
Note: This checklist is not exhaustive and may not cover all possible security concerns. The security of an API should be regularly reviewed and updated to stay up-to-date with the latest threats and best practices.
(see next section for the .NET specific version)
Description: This checklist is intended to provide a comprehensive guide for securing REST APIs using the .NET 7.0 minimum APIs platform. It covers various aspects of security, from authentication and authorization to data validation and logging. Use this checklist as a reference for conducting security audits or as a tool to improve the security of your API.
Instructions:
- Review each item in the checklist and make sure it is implemented properly.
- If an item is not applicable or not relevant to your API, note this with a justification.
- Use the checkboxes to indicate whether each item has been implemented or not.
Checklist:
- Secure authentication method: The API uses a secure method for authentication (e.g. OAuth, JSON Web Tokens, etc.). Recommendation: Use the ASP.NET Core Identity framework to handle authentication and authorization in the API.
- Hashed and salted passwords: Passwords are hashed and salted before storage. Recommendation: Use the ASP.NET Core Identity framework to hash and salt passwords before storage.
- Proper access controls: The API implements proper access controls for sensitive data and operations (e.g. authorization headers, roles and permissions). Recommendation: Use the ASP.NET Core AuthorizeAttribute to control access to specific actions or controllers in the API.
- Prevention of brute force attacks: The API has mechanisms in place to detect and prevent brute force attacks (e.g. rate limiting). Recommendation: Use the ASP.NET Core rate limiting middleware to prevent excessive requests from a single IP address.
- Input validation: The API implements proper input validation on all incoming data (e.g. checking data types, range, length, etc.). Recommendation: Use the ASP.NET Core ModelState class to validate incoming data and return appropriate error messages.
- Data escaping: The API properly escapes all user-supplied data before using it in SQL or other database queries. Recommendation: Use the Microsoft.Data.SqlClient library to escape all user-supplied data before executing database queries.
- Network encryption: The API uses SSL/TLS encryption for transmitting sensitive data over the network. Recommendation: Use the ASP.NET Core middleware to enforce HTTPS for all API requests.
- Secure session IDs: The API uses secure session IDs and manages them properly (e.g. using HTTPS-only cookies, rotating session IDs on login, etc.). Recommendation: Use the ASP.NET Core CookiePolicyOptions to configure secure session IDs in the API.
- Session hijacking prevention: The API has mechanisms in place to detect and prevent session hijacking attacks (e.g. checking client IP address, user-agent, etc.). Recommendation: Use the ASP.NET Core middleware to validate the client IP address and user-agent on each API request.
- Event logging: The API has logging in place for all relevant events (e.g. authentication attempts, system errors, etc.). Recommendation: Use the Microsoft.Extensions.Logging library to implement logging in the API.
- Suspicious activity monitoring