API Security Terminology
Jan 5, 2025
API security is something that mystifies nearly everyone who has to develop a backend. To ease some of that, here is a list of terms used when securing your API backend.
Terminology
- OAuth : OAuth is a standardized ‘handshake’ between the client and server that allows a token (see JWT) to be sent after authentication.
- JWT : JWT stands for ‘JSON Web Token’. It is a token sent to the client AFTER successful authentication (not authorization). The client must send the JWT with each request to the backend server in order for that request to be authorized.
- CORS : CORS is a ‘whitelist’ of IPs allowed to call your API backend from a UI. This does NOTHING to block CLI calls (see curl); it is only used to curb others from building UIs that use your backend.
- session cookie : The session is a set of data that lives on the server but is coordinated with the client using a ‘session cookie’. This helps to make sure your browsing session is not hijacked and used by others. It also helps to tie session data to a user account and hardware specifications to further reduce the possibility of session hijacking.
- UUID/GUID : UUIDs are used by databases to obscure the ID. This is ‘security through obscurity’ and allows you to send keys through the URL that can later be changed or rotated out. This is good practice for helping to avoid data mining and others using your APIs for their own purposes.
- RBAC/ABAC : Role-based access control (RBAC) is a way to limit access to specific ‘roles’ (as specified in your JWT). This means permissions have to be set and allowed in order to access an API endpoint. Together with attribute-based access control (ABAC), this also lets you limit what can be sent to and returned from an endpoint.
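As an added example (not code from the original post) tying the JWT and RBAC items together: the backend verifies the HS256 signature and expiry of the token sent with each request, then checks the roles carried in the token against a per-endpoint permission table. The shared key, the endpoint-to-role map and the `roles`/`exp` claim names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical shared HS256 key (constructed for this example; real keys come from a secret store).
SECRET = b"constructed-demo-key-not-for-production"
# Hypothetical endpoint-to-role map: the permission table that RBAC consults.
ENDPOINT_ROLES = {"GET /reports": {"analyst", "admin"}, "DELETE /users": {"admin"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    # Issuer side: mint the token only after authentication has succeeded.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, now: float, secret: bytes = SECRET):
    # Backend side: return the claims only if algorithm, signature and expiry all check out.
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
            return None
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        if claims.get("exp", 0) <= now:
            return None  # missing or past 'exp' -> reject
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token, bad base64/JSON, or wrong claim types
    return claims


def authorize(token: str, endpoint: str, now: float) -> bool:
    # RBAC gate: the roles carried in the JWT must intersect the endpoint's allowed roles.
    claims = verify_jwt(token, now)
    if claims is None:
        return False
    return bool(ENDPOINT_ROLES.get(endpoint, set()) & set(claims.get("roles") or []))
```

A real deployment would also check `iss`/`aud` claims and rotate the signing key, which this example leaves out.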
Conclusion
This is by no means a complete list, but it provides the basics for securing the API endpoints on your backend.