
Secure API endpoints

  • Author: Leevi Kauranen
  • Date / Version: 08/04/2024

User roles

  1. Dev
  2. Sec
  3. Tester

Prerequisites / Conditions

  1. Condition which should be fulfilled
  2. Condition which should be existing

Use Case Diagram

uml diagram

Description of use case (e.g. Modify existing request)

  1. Developer, Security Analyst, or Tester initiates the process to secure API endpoints.
  2. The system modifies the existing API endpoints to implement authentication and authorization mechanisms.
  3. The system ensures that only authorized users with proper credentials can access the API endpoints.
  4. The system sets up rate limiting to prevent excessive requests and mitigate the risk of Denial of Service (DoS) attacks.
  5. Cross-Origin Resource Sharing (CORS) headers are configured to control access from different origins, enhancing security.
  6. Security headers are set using Helmet to protect against common security vulnerabilities.
  7. Sessions are implemented to provide user authentication, ensuring that only authenticated users can access protected resources.
  8. HTTPS encryption is enforced to secure communication between clients and the server, preventing eavesdropping and tampering of data.
  9. Parameter and input validation is applied to incoming requests before they reach the endpoint logic.
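The authentication, authorization and rate-limiting steps above, as an added example that is not part of the original wiki page or its implementation: Express-style middleware written with Node built-ins only, so it runs stand-alone; the session store, user roles and cookie name `sid` are assumed sample data, and the `run` helper stands in for Express.

```javascript
// Added example, not from the original wiki page: Express-style middleware for the
// use case's authentication (E1 -> 401), authorization (E2 -> 403) and rate-limiting
// steps, using only Node built-ins. Session store and roles are constructed sample data.
const SESSIONS = new Map([            // session id -> authenticated user with a role
  ['sess-dev-1', { user: 'alice', role: 'Dev' }],
  ['sess-tester-1', { user: 'bob', role: 'Tester' }],
]);

// Step 7 / E1: resolve the "sid" session cookie to a user, else 401.
function authenticate(req, res, next) {
  const sid = (req.headers.cookie || '').split(';').map(s => s.trim())
    .find(s => s.startsWith('sid='))?.slice(4);
  const user = sid && SESSIONS.get(sid);
  if (!user) return res.status(401).json({ error: 'authentication required' });
  req.user = user;
  next();
}

// Steps 2-3 / E2: allow only the listed roles, else 403.
function authorize(...roles) {
  return (req, res, next) => {
    if (!req.user || !roles.includes(req.user.role)) {
      return res.status(403).json({ error: 'insufficient permissions' });
    }
    next();
  };
}

// Step 4: fixed-window limiter keyed by client IP (the model express-rate-limit uses).
function createRateLimiter({ windowMs, max }) {
  const hits = new Map(); // ip -> { count, windowStart }
  return (req, res, next) => {
    const now = Date.now(), entry = hits.get(req.ip);
    if (!entry || now - entry.windowStart >= windowMs) {
      hits.set(req.ip, { count: 1, windowStart: now });
      return next();
    }
    if (++entry.count > max) return res.status(429).json({ error: 'too many requests' });
    next();
  };
}
// Minimal req/res stand-ins so a middleware chain can be exercised without Express.
function run(middlewares, req) {
  const res = { statusCode: 200, body: null,
    status(c) { res.statusCode = c; return res; }, json(b) { res.body = b; return res; } };
  let i = 0;
  const next = () => { const mw = middlewares[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}
```

In a real deployment the same chain is mounted with `app.use(...)` behind `helmet()`, `cors()` and `express-session`, with the session cookie marked `secure`, `httpOnly` and `sameSite`.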

Exceptions

  • E1: If the authentication fails, the system responds with an authentication error.

  • E2: If the authorization fails due to insufficient permissions, the system responds with an authorization error.

Result

  1. Unauthorized access to API endpoints is prevented.
  2. Only authorized users with appropriate permissions can access the resources.
  3. Rate limiting ensures that excessive requests are limited, reducing the risk of DoS attacks.
  4. CORS headers control access from different origins, enhancing security.
  5. Security headers protect against common security vulnerabilities.
  6. Sessions provide user authentication, ensuring only authenticated users can access protected resources.
  7. HTTPS encryption secures communication, preventing eavesdropping and data tampering.

Use frequency

  • This use case is executed whenever API endpoints need to be secured against unauthorized access or when implementing new endpoints.

Additional information

  • Describe other relevant information related to the use case, such as open issues, references to the codes used, etc.
  • This implementation uses libraries such as CORS, Helmet, Express-session and Express-rate-limit.

Sources

This wiki document is based on the public administration recommendations.

Thanks to the original authors.