APIs have arguably become the preferred method for building modern applications, especially for mobile and Internet of Things (IoT) devices. No matter how many APIs your organization chooses to share publicly, your ultimate goal should be to establish solid API security policies and manage them proactively overtime.
APIs are susceptible to many of the same kinds of attacks defenders have been fighting in their networks and web-based apps for years. None of the following attacks are newbut can easily be used against APIs.
Authorization code grant is the current recommendation for browser – based applications and as these applications are public clients, PKCE must be implemented.
PKCE introduces three new parameters to the authorization code grant flow, namely “code_verifier”, “code_challenge”and “code_challenge_method”. In the improved flow, before making the authorization redirect to the server, the application creates and stores as secret named “code_verifier”. Then it hashes “code_verifier” and gets the“code_challenge” from it . This “code_challenge” and code_challenge_methodarepassed along with other authorization request attributes to the authorization server.
After receiving the authorization code, the application includes the “code_verifier” attribute in the token request made to the authorization server. The authorization server will verify the“code_verifier” with previously stored “code_challenge” and“code_challenge_method” before issuing the access token.
An attacker who intercepts the authorization code is unable to redeem it for an access token, as they are not in possession of the“code_verifier” secret.
SPAs need to use the state parameter to protect themselves against cross site request forgery and authorization code swap attacks and must use a unique value for each authorization request.
Refresh tokens provide a way to get a new access token when the access token expires,without the involvement of the end user. For an SPA, this will help to improve the user experience by avoiding redirections when the access token expires.
In a web browser, there are multiple options to store tokens. You can store them in cookies, or you can store the min HTML5 storage. Or you can save them in browser memory.Cookies will be the least secure option among the three as it is vulnerable to both cross site scripting(XSS) attacks and cross site request forgery (CSRF) attacks. We have a browser memory option, which is a solution built using the web workers and it is considered the most secure option.
Conclusion: