API Security Checker

Audit API security and identify vulnerabilities based on OWASP Top 10.

Quick Start

Check authentication, validate inputs, prevent SQL injection, implement rate limiting, use HTTPS.

Instructions

OWASP Top 10 for APIs

1. Broken Object Level Authorization:

// Bad: No authorization check app.get('/api/users/:id', (req, res) => { const user = await User.findById(req.params.id); res.json(user); });

// Good: Check ownership app.get('/api/users/:id', auth, async (req, res) => { if (req.user.id !== req.params.id && !req.user.isAdmin) { return res.status(403).json({ error: 'Forbidden' }); } const user = await User.findById(req.params.id); res.json(user); });

2. Broken Authentication:

// Bad: Weak password requirements const isValidPassword = (password) => password.length >= 6;

// Good: Strong requirements const isValidPassword = (password) => { return password.length >= 12 && /[A-Z]/.test(password) && /[a-z]/.test(password) && /[0-9]/.test(password) && /[^A-Za-z0-9]/.test(password); };

// Implement rate limiting const loginLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 5, // 5 attempts message: 'Too many login attempts' });

app.post('/api/login', loginLimiter, loginHandler);

3. Excessive Data Exposure:

// Bad: Exposing sensitive data app.get('/api/users/:id', async (req, res) => { const user = await User.findById(req.params.id); res.json(user); // Includes password hash, email, etc. });

// Good: Return only necessary fields app.get('/api/users/:id', async (req, res) => { const user = await User.findById(req.params.id) .select('id username avatar'); res.json(user); });

4. Lack of Resources & Rate Limiting:

const rateLimit = require('express-rate-limit');

const apiLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100, // 100 requests per window standardHeaders: true, legacyHeaders: false, });

app.use('/api/', apiLimiter);

5. Broken Function Level Authorization:

// Bad: No role check app.delete('/api/users/:id', auth, deleteUser);

// Good: Check admin role app.delete('/api/users/:id', auth, requireAdmin, deleteUser);

function requireAdmin(req, res, next) { if (!req.user.isAdmin) { return res.status(403).json({ error: 'Admin access required' }); } next(); }

6. Mass Assignment:

// Bad: Accepting all fields app.put('/api/users/:id', async (req, res) => { await User.update(req.params.id, req.body); // Can set isAdmin! });

// Good: Whitelist fields app.put('/api/users/:id', async (req, res) => { const { name, email, avatar } = req.body; await User.update(req.params.id, { name, email, avatar }); });

7. Security Misconfiguration:

// Set security headers const helmet = require('helmet'); app.use(helmet());

// Disable X-Powered-By app.disable('x-powered-by');

// CORS configuration const cors = require('cors'); app.use(cors({ origin: process.env.ALLOWED_ORIGINS.split(','), credentials: true }));

8. Injection:

// Bad: SQL injection vulnerable const query = SELECT * FROM users WHERE email = '${email}';

// Good: Parameterized query const query = 'SELECT * FROM users WHERE email = $1'; const result = await db.query(query, [email]);

// Input validation const { body, validationResult } = require('express-validator');

app.post('/api/users', body('email').isEmail().normalizeEmail(), body('name').trim().escape(), async (req, res) => { const errors = validationResult(req); if (!errors.isEmpty()) { return res.status(400).json({ errors: errors.array() }); } // Process request } );

9. Improper Assets Management:

// Document API versions // Deprecate old versions // Remove unused endpoints

// Version API app.use('/api/v1', v1Routes); app.use('/api/v2', v2Routes);

// Deprecation header app.use('/api/v1', (req, res, next) => { res.set('Deprecation', 'true'); res.set('Sunset', 'Sat, 31 Dec 2024 23:59:59 GMT'); next(); });

10. Insufficient Logging & Monitoring:

const winston = require('winston');

const logger = winston.createLogger({ level: 'info', format: winston.format.json(), transports: [ new winston.transports.File({ filename: 'error.log', level: 'error' }), new winston.transports.File({ filename: 'combined.log' }) ] });

// Log security events app.post('/api/login', async (req, res) => { try { const user = await authenticate(req.body); logger.info('Login successful', { userId: user.id, ip: req.ip }); res.json({ token: generateToken(user) }); } catch (error) { logger.warn('Login failed', { email: req.body.email, ip: req.ip }); res.status(401).json({ error: 'Invalid credentials' }); } });

Authentication Security

JWT best practices:

const jwt = require('jsonwebtoken');

// Generate token const generateToken = (user) => { return jwt.sign( { id: user.id, email: user.email }, process.env.JWT_SECRET, { expiresIn: '15m' } // Short expiry ); };

// Generate refresh token const generateRefreshToken = (user) => { return jwt.sign( { id: user.id }, process.env.REFRESH_SECRET, { expiresIn: '7d' } ); };

// Verify token const verifyToken = (req, res, next) => { const token = req.headers.authorization?.split(' ')[1];

if (!token) { return res.status(401).json({ error: 'No token provided' }); }

try { const decoded = jwt.verify(token, process.env.JWT_SECRET); req.user = decoded; next(); } catch (error) { return res.status(401).json({ error: 'Invalid token' }); } };

Password hashing:

const bcrypt = require('bcrypt');

// Hash password const hashPassword = async (password) => { const salt = await bcrypt.genSalt(12); return bcrypt.hash(password, salt); };

// Verify password const verifyPassword = async (password, hash) => { return bcrypt.compare(password, hash); };

Input Validation

Sanitize inputs:

const validator = require('validator');

// Email validation if (!validator.isEmail(email)) { return res.status(400).json({ error: 'Invalid email' }); }

// URL validation if (!validator.isURL(url)) { return res.status(400).json({ error: 'Invalid URL' }); }

// Escape HTML const sanitized = validator.escape(userInput);

Schema validation:

const Joi = require('joi');

const userSchema = Joi.object({ email: Joi.string().email().required(), password: Joi.string().min(12).required(), name: Joi.string().min(2).max(50).required() });

app.post('/api/users', async (req, res) => { const { error, value } = userSchema.validate(req.body); if (error) { return res.status(400).json({ error: error.details[0].message }); } // Process validated data });

Authorization

Role-Based Access Control (RBAC):

const roles = { user: ['read:own'], admin: ['read:any', 'write:any', 'delete:any'] };

const checkPermission = (permission) => { return (req, res, next) => { const userPermissions = roles[req.user.role] || []; if (!userPermissions.includes(permission)) { return res.status(403).json({ error: 'Insufficient permissions' }); } next(); }; };

app.delete('/api/users/:id', auth, checkPermission('delete:any'), deleteUser );

HTTPS and Transport Security

Force HTTPS:

app.use((req, res, next) => { if (req.header('x-forwarded-proto') !== 'https' && process.env.NODE_ENV === 'production') { res.redirect(https://${req.header('host')}${req.url}); } else { next(); } });

Security headers:

app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"], scriptSrc: ["'self'"], imgSrc: ["'self'", 'data:', 'https:'] } }, hsts: { maxAge: 31536000, includeSubDomains: true, preload: true } }));

CORS Configuration

const corsOptions = { origin: (origin, callback) => { const allowedOrigins = process.env.ALLOWED_ORIGINS.split(','); if (!origin || allowedOrigins.includes(origin)) { callback(null, true); } else { callback(new Error('Not allowed by CORS')); } }, credentials: true, optionsSuccessStatus: 200 };

app.use(cors(corsOptions));

API Key Security

const apiKeyAuth = (req, res, next) => { const apiKey = req.header('X-API-Key');

if (!apiKey) { return res.status(401).json({ error: 'API key required' }); }

// Verify API key (use hashed comparison) const isValid = await verifyApiKey(apiKey); if (!isValid) { return res.status(401).json({ error: 'Invalid API key' }); }

next(); };

Security Checklist

Authentication:

• Strong password requirements

• Password hashing (bcrypt, argon2)

• JWT with short expiry

• Refresh token mechanism

• Rate limiting on auth endpoints

• MFA for sensitive operations

Authorization:

• Check user permissions

• Validate resource ownership

• Implement RBAC or ABAC

• Principle of least privilege

Input Validation:

• Validate all inputs

• Sanitize user data

• Use parameterized queries

• Whitelist allowed fields

• Validate file uploads

Transport Security:

• HTTPS only

• Security headers (Helmet)

• CORS configured properly

• HSTS enabled

API Security:

• Rate limiting

• API versioning

• Error handling (no stack traces)

• Logging security events

• API documentation

Data Protection:

• Encrypt sensitive data

• Secure session storage

• No secrets in code

• Environment variables

• Regular security audits

Best Practices

Defense in depth:

• Multiple security layers

• Fail securely

• Least privilege

• Regular updates

Secure defaults:

• HTTPS required

• Strong authentication

• Input validation

• Rate limiting enabled

Monitoring:

• Log security events

• Monitor for anomalies

• Alert on suspicious activity

• Regular security audits