Secure API endpoints
- Author: Leevi Kauranen
- Date / Version: 08/04/2024
User roles
- Dev
- Sec
- Tester
Prerequisites / Conditions
- Condition which should be fulfilled
- Condition which should already exist
Use Case Diagram
Description of use case (e.g. modify an existing request)
- Developer, Security Analyst, or Tester initiates the process to secure API endpoints.
- The system modifies the existing API endpoints to implement authentication and authorization mechanisms.
- The system ensures that only authorized users with proper credentials can access the API endpoints.
- The system sets up rate limiting to prevent excessive requests and mitigate the risk of Denial of Service (DoS) attacks.
- Cross-Origin Resource Sharing (CORS) headers are configured to control access from different origins, enhancing security.
- Security headers are set using Helmet to protect against common security vulnerabilities.
- Sessions are implemented to provide user authentication, ensuring that only authenticated users can access protected resources.
- HTTPS encryption is enforced to secure communication between clients and the server, preventing eavesdropping and data tampering.
- Parameters and input are validated before the request is processed, so that malformed or unexpected data is rejected.
Exceptions
- E1: If the authentication fails, the system responds with an authentication error.
- E2: If the authorization fails due to insufficient permissions, the system responds with an authorization error.
Result
- Unauthorized access to API endpoints is prevented.
- Only authorized users with appropriate permissions can access the resources.
- Rate limiting ensures that excessive requests are limited, reducing the risk of DoS attacks.
- CORS headers control access from different origins, enhancing security.
- Security headers protect against common security vulnerabilities.
- Sessions provide user authentication, ensuring only authenticated users can access protected resources.
- HTTPS encryption secures communication, preventing eavesdropping and data tampering.
Use frequency
- This use case is executed whenever API endpoints need to be secured against unauthorized access or when implementing new endpoints.
Additional information
- Describe other relevant information related to the use case, such as open issues, references to the codes used, etc.
- This implementation uses Express middleware libraries such as cors, helmet, express-session and express-rate-limit.
Sources
This wiki document is based on the public administration recommendations.
Thanks to the original authors.