From 43d47a88601b453c1f7bed73c460399d0163ccf2 Mon Sep 17 00:00:00 2001 From: zmelliti Date: Sun, 26 Oct 2025 21:23:43 +0100 Subject: [PATCH 1/2] Add API Security Cheat Sheet --- cheatsheets/API_Security_Cheat_Sheet.md | 441 ++++++++++++++++++++++++ 1 file changed, 441 insertions(+) create mode 100644 cheatsheets/API_Security_Cheat_Sheet.md diff --git a/cheatsheets/API_Security_Cheat_Sheet.md b/cheatsheets/API_Security_Cheat_Sheet.md new file mode 100644 index 0000000000..f1da345a28 --- /dev/null +++ b/cheatsheets/API_Security_Cheat_Sheet.md @@ -0,0 +1,441 @@ +# API Security Cheat Sheet + +## Introduction + +APIs (Application Programming Interfaces) have become the backbone of modern applications, enabling communication between different systems, services, and applications. As organizations increasingly adopt microservices architectures and API-first approaches, securing these interfaces becomes critical to protecting sensitive data and maintaining system integrity. + +This cheat sheet provides technology-agnostic security guidance applicable to all API types including REST, GraphQL, gRPC, WebSocket, SOAP, and emerging API patterns. It consolidates the [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) vulnerabilities with practical security controls and serves as a unified entry point for API security guidance. + +For technology-specific implementations, refer to the dedicated cheat sheets: [REST Security](REST_Security_Cheat_Sheet.md), [GraphQL](GraphQL_Cheat_Sheet.md), [gRPC Security](gRPC_Security_Cheat_Sheet.md), and [Web Service Security](Web_Service_Security_Cheat_Sheet.md). + +## OWASP API Security Top 10 + +### API1:2023 Broken Object Level Authorization (BOLA) + +**Risk**: Attackers can access objects they shouldn't by manipulating object identifiers in API calls. + +**Prevention**: + +- Implement proper authorization checks for every object access +- Use user-specific object references instead of direct database IDs +- Validate user permissions for each requested object +- Implement consistent authorization mechanisms across all endpoints + +```javascript +// Secure - User context validation +function getOrder(userId, orderId) { + if (!orderBelongsToUser(orderId, userId)) { + throw new Error('Unauthorized'); + } + return getOrderById(orderId); +} +``` + +### API2:2023 Broken Authentication + +**Risk**: Poorly implemented authentication allows attackers to compromise authentication tokens or exploit implementation flaws. + +**Prevention**: + +- Use established authentication standards (OAuth 2.0, OpenID Connect) +- Implement proper session management +- Use strong password policies and multi-factor authentication +- Secure credential storage and transmission +- Implement account lockout mechanisms + +**Key Controls**: + +- Always use HTTPS for authentication endpoints +- Implement proper token expiration and refresh mechanisms +- Use secure, random session identifiers +- Validate authentication tokens on every request + +For more information, see [Authentication Cheat Sheet](Authentication_Cheat_Sheet.md) and [Session Management Cheat Sheet](Session_Management_Cheat_Sheet.md). + +### API3:2023 Broken Object Property Level Authorization + +**Risk**: Lack of proper authorization validation for object properties leads to information disclosure or unauthorized modifications. + +**Prevention**: + +- Implement field-level authorization controls +- Use data transfer objects (DTOs) to control exposed properties +- Validate user permissions for each property access +- Implement consistent property-level security across endpoints + +```java +// Secure property filtering based on user role +public UserDTO serializeUser(User user, String userRole) { + UserDTO dto = new UserDTO(user.getId(), user.getName(), user.getEmail()); + + if ("admin".equals(userRole)) { + dto.setSsn(user.getSsn()); + dto.setSalary(user.getSalary()); + } + return dto; +} +``` + +### API4:2023 Unrestricted Resource Consumption + +**Risk**: APIs without proper resource limits can be overwhelmed, leading to denial of service. + +**Prevention**: + +- Implement rate limiting per user/IP/API key +- Set maximum request size limits +- Implement timeout controls +- Use pagination for large data sets +- Monitor and alert on unusual resource consumption + +**Implementation Examples**: + +```yaml +# Rate limiting configuration +rate_limits: + per_user: 1000/hour + per_ip: 100/minute + per_endpoint: 10/second + +resource_limits: + max_request_size: 10MB + max_response_size: 50MB + request_timeout: 30s +``` + +### API5:2023 Broken Function Level Authorization + +**Risk**: Complex access control policies with different hierarchies and groups can lead to authorization flaws. + +**Prevention**: + +- Implement role-based access control (RBAC) +- Use principle of least privilege +- Regularly audit and test authorization logic +- Implement consistent authorization checks across all functions + +```java +// Secure function-level authorization +@PreAuthorize("hasRole('ADMIN') or (hasRole('USER') and #userId == authentication.principal.id)") +public User updateUser(@PathVariable Long userId, @RequestBody User user) { + return userService.updateUser(userId, user); +} +``` + +For more information, see [Authorization Cheat Sheet](Authorization_Cheat_Sheet.md). + +### API6:2023 Unrestricted Access to Sensitive Business Flows + +**Risk**: Lack of understanding of business flows can lead to abuse of legitimate functionality. + +**Prevention**: + +- Identify and protect sensitive business flows +- Implement business logic validation +- Use CAPTCHA or similar mechanisms for sensitive operations +- Monitor for unusual patterns in business flow usage +- Implement transaction limits and approval workflows + +For more information on preventing abuse, see [Denial of Service Cheat Sheet](Denial_of_Service_Cheat_Sheet.md). + +### API7:2023 Server Side Request Forgery (SSRF) + +**Risk**: APIs that fetch remote resources without validating user-supplied URLs can be exploited to access internal systems. + +**Prevention**: + +- Validate and sanitize all user-supplied URLs +- Use allowlists for permitted domains/IPs +- Implement network segmentation +- Disable unused URL schemas (file://, gopher://, etc.) +- Use dedicated services for external requests + +```javascript +// Secure URL validation +function isSafeUrl(url) { + const parsed = new URL(url); + + // Only allow HTTP/HTTPS + if (!['http:', 'https:'].includes(parsed.protocol)) { + return false; + } + + // Check against allowlist + return ALLOWED_DOMAINS.includes(parsed.hostname); +} +``` + +For more information, see [Server Side Request Forgery Prevention Cheat Sheet](Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md). + +### API8:2023 Security Misconfiguration + +**Risk**: Insecure default configurations, incomplete configurations, or misconfigured HTTP headers. + +**Prevention**: + +- Use security-focused configuration templates +- Regularly update and patch all components +- Implement proper error handling without information disclosure +- Configure security headers appropriately +- Disable unnecessary features and endpoints + +**Security Headers for APIs**: + +```http +Strict-Transport-Security: max-age=31536000; includeSubDomains +X-Content-Type-Options: nosniff +X-Frame-Options: DENY +Content-Security-Policy: default-src 'none' +Cache-Control: no-store +``` + +For more information, see [HTTP Headers Cheat Sheet](HTTP_Headers_Cheat_Sheet.md). + +### API9:2023 Improper Inventory Management + +**Risk**: Outdated API versions, missing patches, or unprotected debug endpoints. + +**Prevention**: + +- Maintain comprehensive API inventory +- Implement proper API versioning strategy +- Regularly audit and decommission unused APIs +- Monitor all API endpoints and versions +- Implement consistent security controls across all API versions + +### API10:2023 Unsafe Consumption of APIs + +**Risk**: Trusting data received from third-party APIs without proper validation. + +**Prevention**: + +- Validate all data received from external APIs +- Implement proper error handling for third-party API failures +- Use secure communication channels (TLS) +- Implement timeout and retry mechanisms +- Monitor third-party API dependencies + +For more information on secure integrations, see [Third Party Javascript Management Cheat Sheet](Third_Party_Javascript_Management_Cheat_Sheet.md). + +## Core Security Controls + +### Transport Security + +**Always Use HTTPS**: + +- Enforce TLS 1.2 or higher for all API communications +- Use strong cipher suites and disable weak protocols +- Implement HTTP Strict Transport Security (HSTS) +- Consider mutual TLS (mTLS) for service-to-service communication + +### Authentication and Authorization + +**Token-Based Authentication**: + +- Use industry-standard tokens (JWT, OAuth 2.0) +- Implement proper token validation and expiration +- Use secure token storage mechanisms +- Implement token refresh strategies + +For more information, see [JSON Web Token for Java Cheat Sheet](JSON_Web_Token_for_Java_Cheat_Sheet.md). + +**API Key Management**: + +- Generate cryptographically strong API keys +- Implement key rotation policies +- Monitor API key usage patterns +- Revoke compromised keys immediately + +For more information on key management, see [Key Management Cheat Sheet](Key_Management_Cheat_Sheet.md). + +### Input Validation and Data Security + +**Comprehensive Input Validation**: + +- Validate all input parameters (headers, query parameters, body) +- Use strong typing and schema validation +- Implement allowlist validation where possible +- Sanitize data before processing + +For more information on detailed validation techniques, see [Input Validation Cheat Sheet](Input_Validation_Cheat_Sheet.md). + +**Output Encoding**: + +- Encode output data appropriately for the context +- Prevent injection attacks through proper encoding +- Use content-type headers correctly + +For more information on injection prevention techniques, see [Injection Prevention Cheat Sheet](Injection_Prevention_Cheat_Sheet.md), [SQL Injection Prevention Cheat Sheet](SQL_Injection_Prevention_Cheat_Sheet.md), and [OS Command Injection Defense Cheat Sheet](OS_Command_Injection_Defense_Cheat_Sheet.md). + +### Error Handling and Logging + +**Secure Error Responses**: + +- Return generic error messages to clients +- Log detailed errors server-side for debugging +- Use appropriate HTTP status codes +- Avoid exposing system internals in error messages + +**Security Logging**: + +- Log all authentication and authorization events +- Monitor for suspicious patterns and anomalies +- Implement centralized logging for distributed systems +- Ensure logs don't contain sensitive data + +For more information, see [Logging Cheat Sheet](Logging_Cheat_Sheet.md) and [Error Handling Cheat Sheet](Error_Handling_Cheat_Sheet.md). + +## API Gateway Security + +### Centralized Security Controls + +API gateways provide a centralized point for implementing security controls: + +- **Authentication and Authorization**: Centralized token validation +- **Rate Limiting**: Consistent rate limiting across all APIs +- **Request/Response Filtering**: Content validation and sanitization +- **Monitoring and Analytics**: Centralized logging and monitoring + +### Gateway Configuration Best Practices + +```yaml +# Example API Gateway Security Configuration +security: + authentication: + - jwt_validation + - api_key_validation + + rate_limiting: + default: 1000/hour + premium: 10000/hour + + request_filtering: + max_size: 10MB + content_types: ['application/json', 'application/xml'] + + response_filtering: + remove_headers: ['Server', 'X-Powered-By'] + add_headers: + 'X-Content-Type-Options': 'nosniff' + 'X-Frame-Options': 'DENY' +``` + +## Microservices API Security + +### Service-to-Service Communication + +- Implement mutual TLS (mTLS) for service authentication +- Use service mesh for consistent security policies +- Implement circuit breakers for resilience +- Use secure service discovery mechanisms + +For comprehensive microservices security guidance, see [Microservices Security Cheat Sheet](Microservices_Security_Cheat_Sheet.md). + +### Zero Trust Architecture + +- Verify every request regardless of source +- Implement least privilege access controls +- Use identity-based security policies +- Monitor all service communications + +For more information on zero trust architecture, see [Zero Trust Architecture Cheat Sheet](Zero_Trust_Architecture_Cheat_Sheet.md). + +## API Versioning Security + +### Version Management + +- Maintain security parity across API versions +- Implement deprecation policies for old versions +- Use semantic versioning for clear communication +- Document security changes between versions + +For more information on secure development practices, see [Secure Code Review Cheat Sheet](Secure_Code_Review_Cheat_Sheet.md). + +### Backward Compatibility + +- Ensure security controls are not weakened in new versions +- Migrate users from deprecated versions securely +- Maintain security patches for supported versions + +## Testing and Validation + +### Security Testing + +**Automated Security Testing**: + +- Integrate security tests into CI/CD pipelines +- Use SAST/DAST tools for API security scanning +- Implement contract testing for API specifications +- Perform regular penetration testing + +For more information on testing approaches, see [Attack Surface Analysis Cheat Sheet](Attack_Surface_Analysis_Cheat_Sheet.md). + +**Manual Security Testing**: + +- Test authentication and authorization boundaries +- Validate input handling and error responses +- Test business logic and workflow security +- Verify security controls under load + +### API Documentation Security + +- Keep API documentation up-to-date with security requirements +- Document authentication and authorization requirements +- Provide security examples and best practices +- Restrict access to internal API documentation + +## Monitoring and Incident Response + +### Security Monitoring + +**Key Metrics to Monitor**: + +- Authentication failure rates +- Authorization violations +- Rate limit violations +- Unusual traffic patterns +- Error rates and types + +**Alerting and Response**: + +- Implement real-time security alerting +- Define incident response procedures +- Maintain security playbooks for common scenarios +- Regular security incident drills + +### Threat Intelligence + +- Monitor for API-specific threats and vulnerabilities +- Subscribe to security advisories for used technologies +- Participate in threat intelligence sharing +- Regular security assessments and audits + +## Compliance and Governance + +### Regulatory Compliance + +- Understand applicable regulations (GDPR, CCPA, PCI-DSS) +- Implement data protection controls +- Maintain audit trails for compliance +- Regular compliance assessments + +For more information on privacy protection, see [User Privacy Protection Cheat Sheet](User_Privacy_Protection_Cheat_Sheet.md). + +### API Governance + +- Establish API security standards and guidelines +- Implement security review processes +- Maintain API security policies +- Regular security training for development teams + +## References + +- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) +- [OpenAPI Security Specification](https://swagger.io/specification/#security-scheme-object) +- [NIST SP 800-204 - Security Strategies for Microservices](https://csrc.nist.gov/publications/detail/sp/800-204/final) +- [REST Security Cheat Sheet](REST_Security_Cheat_Sheet.md) +- [GraphQL Cheat Sheet](GraphQL_Cheat_Sheet.md) +- [gRPC Security Cheat Sheet](gRPC_Security_Cheat_Sheet.md) +- [Web Service Security Cheat Sheet](Web_Service_Security_Cheat_Sheet.md) +- [Authentication Cheat Sheet](Authentication_Cheat_Sheet.md) +- [Authorization Cheat Sheet](Authorization_Cheat_Sheet.md) From da1e43bc0b9e0c5c9d4a0d45aa76bd5ebc962153 Mon Sep 17 00:00:00 2001 From: zmelliti Date: Mon, 3 Nov 2025 20:26:57 +0100 Subject: [PATCH 2/2] Enhance API Security Cheat Sheet: Complete implementations, versioning security, performance considerations --- cheatsheets/API_Security_Cheat_Sheet.md | 965 +++++++++++++++--------- 1 file changed, 625 insertions(+), 340 deletions(-) diff --git a/cheatsheets/API_Security_Cheat_Sheet.md b/cheatsheets/API_Security_Cheat_Sheet.md index f1da345a28..2140095aa4 100644 --- a/cheatsheets/API_Security_Cheat_Sheet.md +++ b/cheatsheets/API_Security_Cheat_Sheet.md @@ -2,440 +2,725 @@ ## Introduction -APIs (Application Programming Interfaces) have become the backbone of modern applications, enabling communication between different systems, services, and applications. As organizations increasingly adopt microservices architectures and API-first approaches, securing these interfaces becomes critical to protecting sensitive data and maintaining system integrity. +This cheat sheet provides **enterprise-grade API security patterns** that apply across all API technologies. It focuses on architectural security not covered by protocol-specific implementations. -This cheat sheet provides technology-agnostic security guidance applicable to all API types including REST, GraphQL, gRPC, WebSocket, SOAP, and emerging API patterns. It consolidates the [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) vulnerabilities with practical security controls and serves as a unified entry point for API security guidance. +### What This Sheet Covers -For technology-specific implementations, refer to the dedicated cheat sheets: [REST Security](REST_Security_Cheat_Sheet.md), [GraphQL](GraphQL_Cheat_Sheet.md), [gRPC Security](gRPC_Security_Cheat_Sheet.md), and [Web Service Security](Web_Service_Security_Cheat_Sheet.md). +**Enterprise Security Patterns:** -## OWASP API Security Top 10 +- Multi-tenant isolation and data segregation +- Cross-organization API federation +- Centralized gateway security enforcement +- Automated threat response and orchestration -### API1:2023 Broken Object Level Authorization (BOLA) +**Universal Security Controls:** -**Risk**: Attackers can access objects they shouldn't by manipulating object identifiers in API calls. +- Technology-agnostic authentication and authorization +- Cross-protocol rate limiting and throttling +- Unified security testing approaches -**Prevention**: +### What This Sheet Does NOT Cover -- Implement proper authorization checks for every object access -- Use user-specific object references instead of direct database IDs -- Validate user permissions for each requested object -- Implement consistent authorization mechanisms across all endpoints +**Protocol-Specific Security** (see dedicated sheets): -```javascript -// Secure - User context validation -function getOrder(userId, orderId) { - if (!orderBelongsToUser(orderId, userId)) { - throw new Error('Unauthorized'); - } - return getOrderById(orderId); -} -``` - -### API2:2023 Broken Authentication +- REST APIs → [REST Security Cheat Sheet](REST_Security_Cheat_Sheet.md) +- GraphQL APIs → [GraphQL Cheat Sheet](GraphQL_Cheat_Sheet.md) +- gRPC APIs → [gRPC Security Cheat Sheet](gRPC_Security_Cheat_Sheet.md) +- WebSocket APIs → [WebSocket Security Cheat Sheet](WebSocket_Security_Cheat_Sheet.md) -**Risk**: Poorly implemented authentication allows attackers to compromise authentication tokens or exploit implementation flaws. +**Basic API Vulnerabilities:** See [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) for foundational API security guidance -**Prevention**: +## Enterprise Security Patterns -- Use established authentication standards (OAuth 2.0, OpenID Connect) -- Implement proper session management -- Use strong password policies and multi-factor authentication -- Secure credential storage and transmission -- Implement account lockout mechanisms +### Multi-Tenant Isolation -**Key Controls**: +**Challenge:** Serving multiple customers from shared infrastructure while preventing data leakage -- Always use HTTPS for authentication endpoints -- Implement proper token expiration and refresh mechanisms -- Use secure, random session identifiers -- Validate authentication tokens on every request +**Applies to:** All API types (REST, GraphQL, gRPC, WebSocket) -For more information, see [Authentication Cheat Sheet](Authentication_Cheat_Sheet.md) and [Session Management Cheat Sheet](Session_Management_Cheat_Sheet.md). +**Risk:** Data breaches, compliance violations, customer trust loss -### API3:2023 Broken Object Property Level Authorization +Implement strict tenant boundaries by validating access permissions and applying tenant-specific filters to all data operations. This ensures complete isolation between tenants at the application layer. -**Risk**: Lack of proper authorization validation for object properties leads to information disclosure or unauthorized modifications. - -**Prevention**: - -- Implement field-level authorization controls -- Use data transfer objects (DTOs) to control exposed properties -- Validate user permissions for each property access -- Implement consistent property-level security across endpoints - -```java -// Secure property filtering based on user role -public UserDTO serializeUser(User user, String userRole) { - UserDTO dto = new UserDTO(user.getId(), user.getName(), user.getEmail()); +```javascript +// Universal tenant isolation middleware +class TenantIsolationManager { + constructor(userService, auditLogger) { + this.userService = userService; + this.auditLogger = auditLogger; + } - if ("admin".equals(userRole)) { - dto.setSsn(user.getSsn()); - dto.setSalary(user.getSalary()); + isolateTenant(request, tenantId) { + // Input validation + if (!tenantId || typeof tenantId !== 'string') { + throw new InvalidTenantIdError('Tenant ID must be a valid string'); + } + + if (!this.validateTenantAccess(request.user, tenantId)) { + this.auditLogger.logUnauthorizedAccess(request.user.id, tenantId); + throw new UnauthorizedTenantAccessError('Access denied for tenant'); + } + + return { + dataScope: `tenant_${this.sanitizeTenantId(tenantId)}.*`, + queryFilter: { tenant_id: tenantId }, + rateLimitKey: `rate:${tenantId}:${request.user.id}` + }; + } + + sanitizeTenantId(tenantId) { + return tenantId.replace(/[^a-zA-Z0-9_-]/g, ''); + } + + validateTenantAccess(user, tenantId) { + return user.tenants && user.tenants.includes(tenantId); } - return dto; } -``` - -### API4:2023 Unrestricted Resource Consumption - -**Risk**: APIs without proper resource limits can be overwhelmed, leading to denial of service. -**Prevention**: - -- Implement rate limiting per user/IP/API key -- Set maximum request size limits -- Implement timeout controls -- Use pagination for large data sets -- Monitor and alert on unusual resource consumption - -**Implementation Examples**: +// Custom error classes +class InvalidTenantIdError extends Error { + constructor(message) { + super(message); + this.name = 'InvalidTenantIdError'; + } +} -```yaml -# Rate limiting configuration -rate_limits: - per_user: 1000/hour - per_ip: 100/minute - per_endpoint: 10/second - -resource_limits: - max_request_size: 10MB - max_response_size: 50MB - request_timeout: 30s +class UnauthorizedTenantAccessError extends Error { + constructor(message) { + super(message); + this.name = 'UnauthorizedTenantAccessError'; + } +} ``` -### API5:2023 Broken Function Level Authorization +### Cross-Organization Federation + +**Challenge:** Secure API communication between different organizations -**Risk**: Complex access control policies with different hierarchies and groups can lead to authorization flaws. +**Applies to:** B2B integrations, supply chain APIs, partner ecosystems -**Prevention**: +**Risk:** Unauthorized access, policy conflicts, trust violations -- Implement role-based access control (RBAC) -- Use principle of least privilege -- Regularly audit and test authorization logic -- Implement consistent authorization checks across all functions +Establish mutual trust through certificate exchange and OAuth2 token validation, with dynamic trust scoring based on partner behavior. Trust levels determine access permissions and are continuously evaluated. ```java -// Secure function-level authorization -@PreAuthorize("hasRole('ADMIN') or (hasRole('USER') and #userId == authentication.principal.id)") -public User updateUser(@PathVariable Long userId, @RequestBody User user) { - return userService.updateUser(userId, user); +// Federation security with trust scoring +@Service +@Transactional +public class FederationSecurityManager { + + private final Map trustStore = new ConcurrentHashMap<>(); + private final CertificateService certificateService; + private final AuditLogger auditLogger; + + public FederationSecurityManager(CertificateService certificateService, AuditLogger auditLogger) { + this.certificateService = certificateService; + this.auditLogger = auditLogger; + } + + public TrustConfig establishTrust(PartnerOrg partnerOrg) { + // Validate input + if (partnerOrg == null || StringUtils.isBlank(partnerOrg.getId())) { + throw new InvalidPartnerException("Partner organization must have valid ID"); + } + + try { + TrustConfig config = TrustConfig.builder() + .mutualTLS(certificateService.exchangeCertificates(partnerOrg)) + .tokenExchange(setupOAuth2Exchange(partnerOrg)) + .trustScore(calculateInitialTrust(partnerOrg)) + .establishedAt(Instant.now()) + .expiresAt(Instant.now().plus(30, ChronoUnit.DAYS)) + .build(); + + trustStore.put(partnerOrg.getId(), config); + auditLogger.logTrustEstablished(partnerOrg.getId()); + return config; + } catch (Exception e) { + auditLogger.logTrustFailure(partnerOrg.getId(), e.getMessage()); + throw new TrustEstablishmentException("Failed to establish trust", e); + } + } + + public AccessDecision enforceAccess(HttpServletRequest request, PartnerContext context) { + TrustConfig config = trustStore.get(context.getPartnerId()); + if (config == null || config.getExpiresAt().isBefore(Instant.now())) { + throw new ExpiredTrustException("Trust configuration expired or not found"); + } + + double currentTrust = evaluateTrust(context); + double requiredTrust = getRequiredTrustLevel(request.getRequestURI()); + + if (currentTrust < requiredTrust) { + auditLogger.logInsufficientTrust(context.getPartnerId(), currentTrust, requiredTrust); + throw new InsufficientTrustException( + String.format("Trust level %.2f below required %.2f", currentTrust, requiredTrust) + ); + } + + return grantAccess(request, context); + } + + private double calculateInitialTrust(PartnerOrg partnerOrg) { + // Base trust calculation + double baseTrust = 0.5; + if (partnerOrg.hasValidCertificate()) baseTrust += 0.2; + if (partnerOrg.hasSecurityAudit()) baseTrust += 0.2; + if (partnerOrg.hasComplianceCertification()) baseTrust += 0.1; + return Math.min(baseTrust, 1.0); + } + + private double evaluateTrust(PartnerContext context) { + TrustConfig config = trustStore.get(context.getPartnerId()); + double currentTrust = config.getTrustScore(); + + // Adjust based on recent behavior + if (context.hasRecentFailures()) currentTrust -= 0.1; + if (context.hasExcessiveRequests()) currentTrust -= 0.05; + + return Math.max(currentTrust, 0.0); + } + + private double getRequiredTrustLevel(String uri) { + if (uri.contains("/admin/")) return 0.9; + if (uri.contains("/sensitive/")) return 0.7; + return 0.5; + } + + private AccessDecision grantAccess(HttpServletRequest request, PartnerContext context) { + return AccessDecision.builder() + .allowed(true) + .partnerId(context.getPartnerId()) + .timestamp(Instant.now()) + .build(); + } } ``` -For more information, see [Authorization Cheat Sheet](Authorization_Cheat_Sheet.md). - -### API6:2023 Unrestricted Access to Sensitive Business Flows - -**Risk**: Lack of understanding of business flows can lead to abuse of legitimate functionality. - -**Prevention**: - -- Identify and protect sensitive business flows -- Implement business logic validation -- Use CAPTCHA or similar mechanisms for sensitive operations -- Monitor for unusual patterns in business flow usage -- Implement transaction limits and approval workflows - -For more information on preventing abuse, see [Denial of Service Cheat Sheet](Denial_of_Service_Cheat_Sheet.md). +### Centralized Gateway Security -### API7:2023 Server Side Request Forgery (SSRF) +**Challenge:** Unified security enforcement across multiple backend services -**Risk**: APIs that fetch remote resources without validating user-supplied URLs can be exploited to access internal systems. +**Applies to:** Microservices, distributed architectures, hybrid environments -**Prevention**: +**Risk:** Inconsistent security, policy gaps, single point of failure -- Validate and sanitize all user-supplied URLs -- Use allowlists for permitted domains/IPs -- Implement network segmentation -- Disable unused URL schemas (file://, gopher://, etc.) -- Use dedicated services for external requests +Consolidate authentication, authorization, and rate limiting at the gateway layer to ensure consistent security policies across all backend services. Include circuit breaker patterns for resilience. ```javascript -// Secure URL validation -function isSafeUrl(url) { - const parsed = new URL(url); +// API Gateway security middleware +class APIGatewaySecurity { + constructor(authService, rateLimitService, auditLogger) { + this.authService = authService; + this.rateLimitService = rateLimitService; + this.auditLogger = auditLogger; + this.circuitBreakers = new Map(); + } - // Only allow HTTP/HTTPS - if (!['http:', 'https:'].includes(parsed.protocol)) { - return false; + async enforcePolicy(request, serviceConfig) { + // Validate service configuration + if (!serviceConfig?.name || !Array.isArray(serviceConfig.requiredPermissions)) { + throw new InvalidServiceConfigError('Service configuration must have name and permissions'); + } + + try { + // Authentication + const user = await this.authService.authenticateRequest(request); + if (!user) { + this.auditLogger.logAuthenticationFailure(request.ip, serviceConfig.name); + throw new AuthenticationError('Authentication failed'); + } + + // Authorization + if (!this.isAuthorized(user, serviceConfig.requiredPermissions)) { + this.auditLogger.logAuthorizationFailure(user.id, serviceConfig.name); + throw new UnauthorizedError('Insufficient permissions'); + } + + // Rate limiting + const rateLimitKey = `${serviceConfig.name}:${user.id}`; + if (!await this.rateLimitService.checkLimit(rateLimitKey, serviceConfig.rateLimit)) { + this.auditLogger.logRateLimitExceeded(user.id, serviceConfig.name); + throw new RateLimitExceededError('Rate limit exceeded'); + } + + // Circuit breaker check + const circuitBreaker = this.getCircuitBreaker(serviceConfig.name); + if (circuitBreaker.isOpen()) { + throw new ServiceUnavailableError('Service temporarily unavailable'); + } + + return this.transformRequest(request, serviceConfig.transformRules); + } catch (error) { + this.auditLogger.logPolicyEnforcementError(serviceConfig.name, error.message); + throw error; + } } - // Check against allowlist - return ALLOWED_DOMAINS.includes(parsed.hostname); + getCircuitBreaker(serviceName) { + if (!this.circuitBreakers.has(serviceName)) { + this.circuitBreakers.set(serviceName, new CircuitBreaker({ + failureThreshold: 5, + recoveryTimeout: 30000 + })); + } + return this.circuitBreakers.get(serviceName); + } + + isAuthorized(user, requiredPermissions) { + return requiredPermissions.every(permission => + user.permissions && user.permissions.includes(permission) + ); + } + + transformRequest(request, transformRules) { + if (!transformRules) return request; + + const transformed = { ...request }; + transformRules.forEach(rule => { + if (rule.type === 'header' && rule.action === 'add') { + transformed.headers[rule.key] = rule.value; + } + }); + return transformed; + } } -``` - -For more information, see [Server Side Request Forgery Prevention Cheat Sheet](Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md). -### API8:2023 Security Misconfiguration - -**Risk**: Insecure default configurations, incomplete configurations, or misconfigured HTTP headers. - -**Prevention**: - -- Use security-focused configuration templates -- Regularly update and patch all components -- Implement proper error handling without information disclosure -- Configure security headers appropriately -- Disable unnecessary features and endpoints - -**Security Headers for APIs**: - -```http -Strict-Transport-Security: max-age=31536000; includeSubDomains -X-Content-Type-Options: nosniff -X-Frame-Options: DENY -Content-Security-Policy: default-src 'none' -Cache-Control: no-store +// Circuit breaker implementation +class CircuitBreaker { + constructor(options) { + this.failureThreshold = options.failureThreshold || 5; + this.recoveryTimeout = options.recoveryTimeout || 30000; + this.failureCount = 0; + this.lastFailureTime = null; + this.state = 'CLOSED'; // CLOSED, OPEN, HALF_OPEN + } + + isOpen() { + if (this.state === 'OPEN') { + if (Date.now() - this.lastFailureTime > this.recoveryTimeout) { + this.state = 'HALF_OPEN'; + return false; + } + return true; + } + return false; + } +} ``` -For more information, see [HTTP Headers Cheat Sheet](HTTP_Headers_Cheat_Sheet.md). - -### API9:2023 Improper Inventory Management - -**Risk**: Outdated API versions, missing patches, or unprotected debug endpoints. - -**Prevention**: - -- Maintain comprehensive API inventory -- Implement proper API versioning strategy -- Regularly audit and decommission unused APIs -- Monitor all API endpoints and versions -- Implement consistent security controls across all API versions - -### API10:2023 Unsafe Consumption of APIs - -**Risk**: Trusting data received from third-party APIs without proper validation. - -**Prevention**: +### API Versioning Security -- Validate all data received from external APIs -- Implement proper error handling for third-party API failures -- Use secure communication channels (TLS) -- Implement timeout and retry mechanisms -- Monitor third-party API dependencies +**Challenge:** Maintaining security across multiple API versions -For more information on secure integrations, see [Third Party Javascript Management Cheat Sheet](Third_Party_Javascript_Management_Cheat_Sheet.md). +**Applies to:** Version migration, backward compatibility, deprecation management -## Core Security Controls +**Risk:** Version confusion attacks, deprecated endpoint exploitation, inconsistent security -### Transport Security +Implement version-aware security policies that enforce stricter controls on newer versions while maintaining backward compatibility. Include automatic security upgrades and deprecation warnings. -**Always Use HTTPS**: - -- Enforce TLS 1.2 or higher for all API communications -- Use strong cipher suites and disable weak protocols -- Implement HTTP Strict Transport Security (HSTS) -- Consider mutual TLS (mTLS) for service-to-service communication - -### Authentication and Authorization - -**Token-Based Authentication**: - -- Use industry-standard tokens (JWT, OAuth 2.0) -- Implement proper token validation and expiration -- Use secure token storage mechanisms -- Implement token refresh strategies - -For more information, see [JSON Web Token for Java Cheat Sheet](JSON_Web_Token_for_Java_Cheat_Sheet.md). - -**API Key Management**: - -- Generate cryptographically strong API keys -- Implement key rotation policies -- Monitor API key usage patterns -- Revoke compromised keys immediately - -For more information on key management, see [Key Management Cheat Sheet](Key_Management_Cheat_Sheet.md). - -### Input Validation and Data Security - -**Comprehensive Input Validation**: - -- Validate all input parameters (headers, query parameters, body) -- Use strong typing and schema validation -- Implement allowlist validation where possible -- Sanitize data before processing - -For more information on detailed validation techniques, see [Input Validation Cheat Sheet](Input_Validation_Cheat_Sheet.md). - -**Output Encoding**: - -- Encode output data appropriately for the context -- Prevent injection attacks through proper encoding -- Use content-type headers correctly +```java +// Version-aware security enforcement +@Component +public class APIVersionSecurity { + + private final Map versionPolicies = new HashMap<>(); + + @PostConstruct + public void initializePolicies() { + // v1.0 - Legacy, minimal security + versionPolicies.put("v1.0", VersionSecurityPolicy.builder() + .authRequired(false) + .rateLimitMultiplier(0.5) // Reduced limits for old versions + .deprecationWarning(true) + .build()); + + // v2.0 - Enhanced security + versionPolicies.put("v2.0", VersionSecurityPolicy.builder() + .authRequired(true) + .rateLimitMultiplier(1.0) + .requireMFA(false) + .build()); + + // v3.0 - Maximum security + versionPolicies.put("v3.0", VersionSecurityPolicy.builder() + .authRequired(true) + .rateLimitMultiplier(1.5) // Higher limits for new versions + .requireMFA(true) + .encryptionRequired(true) + .build()); + } + + public SecurityContext enforceVersionSecurity(String version, HttpServletRequest request) { + VersionSecurityPolicy policy = versionPolicies.get(version); + if (policy == null) { + throw new UnsupportedVersionException("API version not supported: " + version); + } + + SecurityContext context = new SecurityContext(); + + // Version-specific authentication + if (policy.isAuthRequired()) { + context.setUser(authenticateRequest(request, policy)); + } + + // Deprecation handling + if (policy.hasDeprecationWarning()) { + context.addWarning("API version " + version + " is deprecated. Migrate to v3.0"); + } + + // Rate limit adjustment + context.setRateLimitMultiplier(policy.getRateLimitMultiplier()); + + return context; + } +} +``` -For more information on injection prevention techniques, see [Injection Prevention Cheat Sheet](Injection_Prevention_Cheat_Sheet.md), [SQL Injection Prevention Cheat Sheet](SQL_Injection_Prevention_Cheat_Sheet.md), and [OS Command Injection Defense Cheat Sheet](OS_Command_Injection_Defense_Cheat_Sheet.md). +## Universal Security Controls -### Error Handling and Logging +### Cross-Protocol Rate Limiting -**Secure Error Responses**: +**Challenge:** Consistent rate limiting across different API technologies -- Return generic error messages to clients -- Log detailed errors server-side for debugging -- Use appropriate HTTP status codes -- Avoid exposing system internals in error messages +**Applies to:** Mixed API environments, unified user quotas -**Security Logging**: +**Risk:** API abuse, resource exhaustion, unfair usage -- Log all authentication and authorization events -- Monitor for suspicious patterns and anomalies -- Implement centralized logging for distributed systems -- Ensure logs don't contain sensitive data +Use distributed rate limiting with Redis to maintain consistent quotas across all API protocols and instances. Implement sliding window algorithms for accurate rate calculations. -For more information, see [Logging Cheat Sheet](Logging_Cheat_Sheet.md) and [Error Handling Cheat Sheet](Error_Handling_Cheat_Sheet.md). +```java +// Universal rate limiting with Redis +@Service +public class UniversalRateLimit { + + @Autowired + private RedisTemplate redisTemplate; + + public boolean checkLimit(String identifier, RateLimitConfig config) { + String key = "rate_limit:" + identifier; + String script = + "local current = redis.call('incr', KEYS[1]) " + + "if current == 1 then " + + " redis.call('expire', KEYS[1], ARGV[1]) " + + "end " + + "return current <= tonumber(ARGV[2])"; + + Boolean allowed = redisTemplate.execute( + RedisScript.of(script, Boolean.class), + Collections.singletonList(key), + String.valueOf(config.getWindow()), + String.valueOf(config.getLimit()) + ); + + if (!allowed) { + throw new RateLimitExceededException(); + } + return true; + } +} +``` -## API Gateway Security +### Technology-Agnostic Authentication -### Centralized Security Controls +**Challenge:** Unified authentication across different API protocols -API gateways provide a centralized point for implementing security controls: +**Applies to:** Multi-protocol environments, SSO requirements -- **Authentication and Authorization**: Centralized token validation -- **Rate Limiting**: Consistent rate limiting across all APIs -- **Request/Response Filtering**: Content validation and sanitization -- **Monitoring and Analytics**: Centralized logging and monitoring +**Risk:** Authentication bypass, token confusion, protocol-specific vulnerabilities -### Gateway Configuration Best Practices +Create protocol-aware authentication handlers that can process different authentication methods while maintaining consistent JWT validation and claims processing across all API types. -```yaml -# Example API Gateway Security Configuration -security: - authentication: - - jwt_validation - - api_key_validation - - rate_limiting: - default: 1000/hour - premium: 10000/hour - - request_filtering: - max_size: 10MB - content_types: ['application/json', 'application/xml'] - - response_filtering: - remove_headers: ['Server', 'X-Powered-By'] - add_headers: - 'X-Content-Type-Options': 'nosniff' - 'X-Frame-Options': 'DENY' +```javascript +// Multi-protocol authentication handler +class UniversalAuth { + async authenticate(request, protocol) { + const handlers = { + 'http': this.handleHTTPAuth, + 'websocket': this.handleWebSocketAuth, + 'webhook': this.handleWebhookAuth, + 'grpc': this.handleGRPCAuth + }; + + const handler = handlers[protocol]; + if (!handler) { + throw new UnsupportedProtocolError(protocol); + } + + return await handler.call(this, request); + } + + // JWT validation for all protocols + async validateJWT(token) { + try { + const decoded = jwt.verify(token, this.getPublicKey()); + + // Universal claims validation + this.validateClaims(decoded); + + return { + userId: decoded.sub, + permissions: decoded.permissions || [], + tenantId: decoded.tenant, + expiresAt: decoded.exp + }; + } catch (error) { + throw new InvalidTokenError(error.message); + } + } +} ``` -## Microservices API Security - -### Service-to-Service Communication - -- Implement mutual TLS (mTLS) for service authentication -- Use service mesh for consistent security policies -- Implement circuit breakers for resilience -- Use secure service discovery mechanisms - -For comprehensive microservices security guidance, see [Microservices Security Cheat Sheet](Microservices_Security_Cheat_Sheet.md). +## Security Operations -### Zero Trust Architecture +### Cross-Protocol Security Testing -- Verify every request regardless of source -- Implement least privilege access controls -- Use identity-based security policies -- Monitor all service communications +**Challenge:** Consistent security validation across different API types -For more information on zero trust architecture, see [Zero Trust Architecture Cheat Sheet](Zero_Trust_Architecture_Cheat_Sheet.md). +**Applies to:** CI/CD pipelines, security regression testing -## API Versioning Security +**Risk:** Protocol-specific vulnerabilities, inconsistent security posture -### Version Management +Create unified test suites that validate security controls across all API protocols using protocol-specific adapters. This ensures consistent security validation regardless of the underlying API technology. -- Maintain security parity across API versions -- Implement deprecation policies for old versions -- Use semantic versioning for clear communication -- Document security changes between versions - -For more information on secure development practices, see [Secure Code Review Cheat Sheet](Secure_Code_Review_Cheat_Sheet.md). - -### Backward Compatibility +```javascript +// Multi-protocol security testing +class UniversalAPITester { + async testAPI(endpoint, protocol, config) { + const tests = { + authentication: () => this.testAuth(endpoint, protocol), + authorization: () => this.testAuthz(endpoint, protocol), + injection: () => this.testInjection(endpoint, protocol), + rateLimiting: () => this.testRateLimit(endpoint, protocol), + dataExposure: () => this.testDataLeakage(endpoint, protocol) + }; + + const results = {}; + for (const [testName, testFunc] of Object.entries(tests)) { + try { + results[testName] = await testFunc(); + } catch (error) { + results[testName] = { status: 'failed', error: error.message }; + } + } + + return this.generateReport(results); + } + + // Protocol-specific test adapters + async testAuth(endpoint, protocol) { + const adapters = { + 'rest': this.testRESTAuth, + 'graphql': this.testGraphQLAuth, + 'websocket': this.testWebSocketAuth, + 'webhook': this.testWebhookAuth + }; + + return await adapters[protocol](endpoint); + } + + async testRESTAuth(endpoint) { + const tests = [ + { name: 'no_token', headers: {}, expectedStatus: 401 }, + { name: 'invalid_token', headers: { 'Authorization': 'Bearer invalid' }, expectedStatus: 401 }, + { name: 'expired_token', headers: { 'Authorization': 'Bearer ' + this.getExpiredToken() }, expectedStatus: 401 } + ]; + + const results = []; + for (const test of tests) { + const response = await fetch(endpoint, { headers: test.headers }); + results.push({ + test: test.name, + passed: response.status === test.expectedStatus + }); + } + return results; + } + + generateReport(results) { + const totalTests = Object.keys(results).length; + const passedTests = Object.values(results).filter(r => r.status !== 'failed').length; + + return { + summary: `${passedTests}/${totalTests} tests passed`, + details: results, + securityScore: (passedTests / totalTests) * 100 + }; + } +} +``` -- Ensure security controls are not weakened in new versions -- Migrate users from deprecated versions securely -- Maintain security patches for supported versions +### Automated Threat Orchestration -## Testing and Validation +**Challenge:** Coordinated threat response across multiple API technologies -### Security Testing +**Applies to:** Enterprise environments, real-time threat response -**Automated Security Testing**: +**Risk:** Slow manual response, inconsistent threat handling, attack propagation -- Integrate security tests into CI/CD pipelines -- Use SAST/DAST tools for API security scanning -- Implement contract testing for API specifications -- Perform regular penetration testing +Implement intelligent threat analysis and automated response coordination across all API types. The system adapts security posture based on threat intelligence and coordinates responses to prevent attack propagation. -For more information on testing approaches, see [Attack Surface Analysis Cheat Sheet](Attack_Surface_Analysis_Cheat_Sheet.md). +```javascript +// Cross-API threat response orchestrator +class APIThreatOrchestrator { + constructor() { + this.responseStrategies = new Map(); + this.threatIntelligence = new ThreatIntelligenceEngine(); + } -**Manual Security Testing**: + async orchestrateResponse(threatEvent) { + const threatContext = await this.analyzeThreat(threatEvent); + const affectedAPIs = this.identifyAffectedAPIs(threatContext); -- Test authentication and authorization boundaries -- Validate input handling and error responses -- Test business logic and workflow security -- Verify security controls under load + // Coordinate response across multiple API types + const responses = await Promise.all( + affectedAPIs.map(api => this.executeResponse(api, threatContext)) + ); -### API Documentation Security + return this.consolidateResponses(responses); + } -- Keep API documentation up-to-date with security requirements -- Document authentication and authorization requirements -- Provide security examples and best practices -- Restrict access to internal API documentation + async executeResponse(api, threatContext) { + const strategy = this.getResponseStrategy(api.type, threatContext.severity); -## Monitoring and Incident Response + return { + apiId: api.id, + actions: await strategy.execute(api, threatContext), + timestamp: Date.now() + }; + } -### Security Monitoring + // Adaptive security posture adjustment + async adaptSecurityPosture(threatLandscape) { + const adjustments = { + rateLimits: this.calculateRateLimitAdjustments(threatLandscape), + authStrength: this.adjustAuthRequirements(threatLandscape), + monitoring: this.enhanceMonitoring(threatLandscape) + }; -**Key Metrics to Monitor**: + return this.applyGlobalAdjustments(adjustments); + } + + async analyzeThreat(threatEvent) { + return { + severity: this.calculateSeverity(threatEvent), + type: threatEvent.type, + source: threatEvent.source, + affectedProtocols: this.identifyAffectedProtocols(threatEvent) + }; + } + + identifyAffectedAPIs(threatContext) { + // Return APIs that match threat characteristics + return this.apiRegistry.filter(api => + threatContext.affectedProtocols.includes(api.protocol) + ); + } + + getResponseStrategy(apiType, severity) { + const strategies = { + 'high': new ImmediateBlockStrategy(), + 'medium': new ThrottleStrategy(), + 'low': new MonitorStrategy() + }; + return strategies[severity] || strategies['low']; + } + + consolidateResponses(responses) { + return { + totalAPIs: responses.length, + actionsExecuted: responses.reduce((sum, r) => sum + r.actions.length, 0), + timestamp: Date.now() + }; + } +} +``` -- Authentication failure rates -- Authorization violations -- Rate limit violations -- Unusual traffic patterns -- Error rates and types +## Performance Considerations -**Alerting and Response**: +### Security Control Performance Impact -- Implement real-time security alerting -- Define incident response procedures -- Maintain security playbooks for common scenarios -- Regular security incident drills +**Authentication Overhead:** -### Threat Intelligence +- JWT validation: ~1-2ms per request +- Database user lookup: ~5-10ms per request +- **Optimization:** Use Redis caching for user data (reduces to ~0.5ms) -- Monitor for API-specific threats and vulnerabilities -- Subscribe to security advisories for used technologies -- Participate in threat intelligence sharing -- Regular security assessments and audits +**Rate Limiting Performance:** -## Compliance and Governance +- In-memory rate limiting: ~0.1ms per request +- Redis-based rate limiting: ~1-3ms per request +- **Optimization:** Use local caching with Redis sync for high-traffic APIs -### Regulatory Compliance +**Encryption Impact:** -- Understand applicable regulations (GDPR, CCPA, PCI-DSS) -- Implement data protection controls -- Maintain audit trails for compliance -- Regular compliance assessments +- TLS handshake: ~50-100ms (one-time per connection) +- Request/response encryption: ~1-5ms per request +- **Optimization:** Use connection pooling and HTTP/2 multiplexing -For more information on privacy protection, see [User Privacy Protection Cheat Sheet](User_Privacy_Protection_Cheat_Sheet.md). +```javascript +// Performance-optimized security middleware +class OptimizedSecurityMiddleware { + constructor() { + this.userCache = new LRUCache({ max: 10000, ttl: 300000 }); // 5min TTL + this.rateLimitCache = new Map(); + } + + async authenticate(token) { + // Check cache first (0.1ms vs 10ms DB lookup) + const cached = this.userCache.get(token); + if (cached && cached.expiresAt > Date.now()) { + return cached.user; + } + + // Fallback to database + const user = await this.userService.validateToken(token); + this.userCache.set(token, { user, expiresAt: Date.now() + 300000 }); + return user; + } + + // Batch rate limit checks for better performance + async checkRateLimits(requests) { + const pipeline = this.redis.pipeline(); + requests.forEach(req => { + pipeline.incr(`rate:${req.userId}:${req.endpoint}`); + }); + + const results = await pipeline.exec(); + return results.map((result, index) => ({ + allowed: result[1] <= requests[index].limit, + current: result[1] + })); + } +} +``` -### API Governance +**Performance Monitoring:** -- Establish API security standards and guidelines -- Implement security review processes -- Maintain API security policies -- Regular security training for development teams +- Monitor security middleware latency +- Set SLA targets: <5ms for authentication, <2ms for authorization +- Use circuit breakers for external security services +- Implement graceful degradation for non-critical security checks ## References -- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) -- [OpenAPI Security Specification](https://swagger.io/specification/#security-scheme-object) -- [NIST SP 800-204 - Security Strategies for Microservices](https://csrc.nist.gov/publications/detail/sp/800-204/final) -- [REST Security Cheat Sheet](REST_Security_Cheat_Sheet.md) -- [GraphQL Cheat Sheet](GraphQL_Cheat_Sheet.md) -- [gRPC Security Cheat Sheet](gRPC_Security_Cheat_Sheet.md) -- [Web Service Security Cheat Sheet](Web_Service_Security_Cheat_Sheet.md) -- [Authentication Cheat Sheet](Authentication_Cheat_Sheet.md) -- [Authorization Cheat Sheet](Authorization_Cheat_Sheet.md) +### OWASP Resources + +- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) - Core API vulnerabilities +- [REST Security Cheat Sheet](REST_Security_Cheat_Sheet.md) - REST-specific security patterns +- [GraphQL Cheat Sheet](GraphQL_Cheat_Sheet.md) - GraphQL security guidance +- [WebSocket Security Cheat Sheet](WebSocket_Security_Cheat_Sheet.md) - WebSocket security patterns +- [Authentication Cheat Sheet](Authentication_Cheat_Sheet.md) - Authentication best practices +- [Authorization Cheat Sheet](Authorization_Cheat_Sheet.md) - Authorization patterns + +### Standards and Specifications + +- [NIST SP 800-204 - Security Strategies for Microservices](https://csrc.nist.gov/pubs/sp/800/204/final) +- [NIST SP 800-207 - Zero Trust Architecture](https://csrc.nist.gov/pubs/sp/800/207/final) +- [ISO/IEC 27001:2022 - Information Security Management](https://www.iso.org/standard/27001) +- [RFC 6749 - OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749) +- [RFC 8725 - JSON Web Token Best Current Practices](https://datatracker.ietf.org/doc/html/rfc8725) +- [RFC 7519 - JSON Web Token (JWT)](https://datatracker.ietf.org/doc/html/rfc7519) +- [OpenAPI Security Specification v3.1.0](https://spec.openapis.org/oas/v3.1.0#security-scheme-object) +- [NIST Cybersecurity Framework v1.1](https://www.nist.gov/cyberframework) +- [ISO/IEC 27034 - Application Security](https://www.iso.org/standard/44378.html)