
Are You Monitoring Your API Security?

Marcelo Graciolli licensed under CC BY 2.0

There are many ways to monitor API security on the web. Some APIs have no authentication at all: you make a plain HTTP call and get an answer back. But wherever the data is protected, or access to it is being tracked, some form of authentication and authorization sits in front of the API.

This typically takes one of two forms: a static API key, or OAuth 2 bearer tokens.

Things get interesting with OAuth. With OAuth 2, every token carries a scope, and the resource server is supposed to let that token reach only the resources its scope permits. The token itself is valid; the question is whether the API actually enforces the limits on it.

So imagine you are a car manufacturer with an app that can turn something on or off, or unlock a door. A token issued without the unlock scope should be refused by the unlock endpoint with an HTTP 403 Forbidden (authenticated, but not authorized). In this scenario an HTTP 200 is not good news: it means the scope check is not being enforced, and a token that was only ever meant to read data can open the car.

Setting up this kind of monitoring is a snap with APIContext. And it can provide you with ongoing assurance that your APIs are secure – and will remain secure.

There are two steps:

Step 1 – Set the Scope in the Authentication Manager

Create your OAuth 2 setup in the Authentication Manager. When you create the token, you have the option to set the scope for the token. Enter the scope terms, deliberately leaving out the scope that the call you want to test requires, then click create, validate, and save the token for your API calls.

Step 2 – Set the Conditions for the API Call

In the call itself, set the security to use the correct API authentication and the token generated with the restricted scope. Then create a call that should be refused when made with that token, for example the unlock endpoint called with a read-only token. Open the conditions tab; the first section is where the HTTP status code is validated. Change the expected code so that the pass condition is the refusal you want to see, i.e. HTTP 403 == PASS rather than the usual 200 == PASS. Then deploy the test as normal.

If the call comes back with HTTP 200, you will be alerted to a problem with your API security. Two details matter when writing the condition. First, pin the pass condition to 403 specifically rather than to any 4XX: a 401 means the token was rejected outright (expired, revoked, or mis-configured), which tells you nothing about scope enforcement and should be treated as an inconclusive run to fix and retry, not as a pass. Second, keep a positive control alongside it, the same endpoint called with a token that does carry the scope and is expected to return 200, so that a 403 caused by an outage or a blanket block cannot masquerade as a successful scope check.
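The two steps above, carried through as a self-contained negative scope test. This is an added example written for this page, not APIContext's own code and not a real manufacturer's API; the route names, scope names (`vehicle:read`, `vehicle:unlock`) and the in-memory token issuer and resource server are all constructed stand-ins. The `enforce_scope=False` switch models the bug the monitor exists to catch, and the verdict logic shows why 403 is pinned exactly and why a 401 or a failed positive control is reported as inconclusive rather than as a pass.

```python
import time

# Constructed sample routes: (method, path) -> scope the token must carry.
# Hypothetical names chosen for the car example in the post.
ROUTES = {
    ("GET", "/v1/vehicle/status"): "vehicle:read",
    ("POST", "/v1/vehicle/doors/unlock"): "vehicle:unlock",
}


def issue_token(scope, lifetime=3600, now=None):
    """Stand-in for the OAuth 2 token endpoint (Step 1): returns a token
    carrying a space-delimited scope string, the RFC 6749 format, and an
    expiry timestamp."""
    now = time.time() if now is None else now
    return {"access_token": f"tok-{int(now)}-{scope.replace(' ', '+')}",
            "scope": scope, "exp": now + lifetime}


def resource_server(method, path, token, enforce_scope=True, now=None):
    """Minimal resource server returning an HTTP status code.
    enforce_scope=False models the defect the monitor should catch: the scope
    check is skipped and any authenticated caller gets 200."""
    now = time.time() if now is None else now
    if token is None or token["exp"] <= now:
        return 401  # not authenticated at all: a different failure from 403
    required = ROUTES.get((method, path))
    if required is None:
        return 404
    if enforce_scope and required not in token["scope"].split():
        return 403  # authenticated, but the token lacks the scope
    return 200


def verdict(status, expected=403):
    """Turn one observed status into a monitor outcome (Step 2's condition).
    Only the exact expected code is a PASS. Any 2xx is the alert the post
    describes. 401 is singled out because an expired or revoked token would
    otherwise look like a pass under a loose 'any 4xx' condition."""
    if status == expected:
        return "PASS"
    if 200 <= status < 300:
        return "ALERT"         # scope not enforced
    if status == 401:
        return "INCONCLUSIVE"  # token invalid: reissue and retry, never count as pass
    return "FAIL"


def run_scope_probe(enforce_scope=True, now=None):
    """Step 1: mint a read-only token. Step 2: call an endpoint that token
    must not reach and compare against 403 == PASS. A positive control with
    the full scope confirms the endpoint is alive, so a 403 produced by an
    outage or a blanket block cannot masquerade as a successful check."""
    read_only = issue_token("vehicle:read", now=now)
    privileged = issue_token("vehicle:read vehicle:unlock", now=now)
    negative = resource_server("POST", "/v1/vehicle/doors/unlock",
                               read_only, enforce_scope, now)
    control = resource_server("POST", "/v1/vehicle/doors/unlock",
                              privileged, enforce_scope, now)
    result = verdict(negative)
    if control != 200:
        result = "INCONCLUSIVE"  # endpoint unhealthy; scope enforcement cannot be judged
    return {"negative_status": negative, "control_status": control, "verdict": result}


if __name__ == "__main__":
    print("scope enforced:", run_scope_probe(enforce_scope=True))
    print("scope skipped: ", run_scope_probe(enforce_scope=False))
    # An expired token: the probe must not report PASS just because it saw a 4xx.
    stale = issue_token("vehicle:read", lifetime=0, now=1_000)
    print("expired token: ", verdict(resource_server(
        "POST", "/v1/vehicle/doors/unlock", stale, now=2_000)))
```

Against a real API the `resource_server` call becomes an HTTP request made with the restricted token, but the verdict rules stay the same: 403 passes, 2xx pages someone, and 401 or a failing control gets fixed before the run is allowed to count.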

In addition to testing authorization scopes, you can use the same methodology to check that the API behaves the same way when called from different geographies. Keep your API security up to date and running smoothly; your bottom line will thank you.
