Are You Monitoring Your API Security?

by Marcelo Graciolli licensed under CC BY 2.0

There are many ways to monitor API security on the web. Some APIs might have no security – you can make a simple HTTP call and get an answer back – but if for whatever reason the data is protected or monitored, it’s normal to have some form of API security.

This typically takes one of two major formats – an API key, or OAuth authentication.

Things get very interesting with OAuth. With OAuth 2, you can set up a scope to allow access to only certain API resources.

So imagine you’re a car manufacturer and you have an app that can turn something on or off, or open a door. You can use a scope in the authentication settings to block access so an app would receive a HTTP 4XX response. In this scenario, a HTTP 200 code could mean something disastrous has happened.

Setting up this kind of monitoring is a snap with APImetrics. And it can provide you with ongoing assurance that your APIs are secure – and will remain secure.

There are two steps:

Step 1 – Set the Scope in the Authentication Manager

Create your OAuth 2 setup in the Authentication Manager. When you create the token, you have the option to set the scope for the token. Enter the scope terms, click create, validate, and then save the token for your API calls.

Step 2 – Set the Conditions for the API Call

In the call itself, set the security to use the correct API authentication and the token generated with the scope to be tested. Then create a call that should fail when using that authentication. Click on the conditions tab, in the first section where you validate the HTTP code. You can change the expected code for a pass condition to be met, like HTTP 403 == PASS. Then deploy the test as normal.

If the test returns a HTTP 200 code, you’ll be alerted to a problem with your API security.

In addition to testing authentication scopes, you can use this methodology to test against different geographies. Keep your API security up to date and running smooth – your bottom line will thank you.