API

/

Security

Vulnerable
Hackable
No inherent security
Problems :

Data leakage
Unauthorized access
Injection attacks
DDoS attacks

Hey everyone! In our blogging app, users read posts and admins add new ones. APIs are like the messengers that carry data between the app and the server. Without them, nothing works! But they are open to abuse.

APIs are doors to your app. If they’re not locked properly, anyone can sneak in—stealing data or crashing your site. Scary, right?

Think about a hacker accessing unpublished blog posts or flooding your site with fake requests. Today, we’ll learn how to stop that!

Some think APIs are secure by default. Nope! Security isn’t automatic—you have to build it in.

Imagine an admin’s secret draft post leaking because we didn’t check who’s asking for it. That’s a data leak—sensitive info slipping out.

What if someone pretends to be the admin and deletes posts? That’s unauthorized access—huge trouble!

Ever heard of SQL injection? It’s like sneaking a command into a search bar to trick the server into spilling all posts.

A flood of fake requests could crash our blog, leaving readers frustrated. That’s a DDoS attack.

API

/

JWT Authentication

    import express, { Request, Response, NextFunction } from 'express';
import jwt from 'jsonwebtoken';
import cookieParser from 'cookie-parser';

const app = express();
app.use(cookieParser());
const SECRET_KEY = 'my-super-secret-key';

interface UserPayload {
  username: string;
}

// Issue JWT on login
app.post('/login', (req: Request, res: Response) => {
  const token = jwt.sign({ username: 'admin' }, SECRET_KEY, { expiresIn: '1h' });
  res.cookie('authToken', token, { httpOnly: true, secure: true });
  res.json({ message: 'Logged in!' });
});

// Middleware to verify JWT
const verifyToken = (req: Request, res: Response, next: NextFunction) => {
  const token = req.cookies.authToken;
  if (!token) return res.status(401).json({ message: 'Access denied' });

  try {
    const verified = jwt.verify(token, SECRET_KEY) as UserPayload;
    (req as any).user = verified; // Add user to request
    next();
  } catch (err) {
    res.status(400).json({ message: 'Invalid token' });
  }
};

// Protected route
app.get('/admin/posts', verifyToken, (req: Request, res: Response) => {
  res.json({ posts: ['Draft Post 1', 'Draft Post 2'] });
});

app.listen(3000, () => console.log('Server running'));

Who’s knocking?
Json Web tokens

The mainstream approach is to authenticate users using your API. Authentication is like checking ID at the door. Only valid users—like our admin—get in.

We’ll use JSON Web Tokens (JWT). It’s a secure pass that proves you’re legit without sharing passwords. In our app, the admin logs in, gets a JWT, and uses it to manage posts. No token? No access!

We've covered this in the authentication lecture, but let's recap. The login route issues a new JWT token, which we can store in a cookie or in a local storage.

Then, each subsequent request reads the token. If the token is absent, the request is unauthenticated and fails.

We can also easily check the integrity of the token in case someone has tampered with its content. This could lead to unauthorised requests. Otherwise, we know who's knocking!

API

/

HTTPS

Lock your data
TLS in action

API Security

/

Rate Limiting

Stop the flood
Throttle Request
Example: 100 requests every 15 minutes.

    import express from 'express';
import rateLimit from 'express-rate-limit';

const app = express();

// Rate limiting middleware
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // 100 requests per IP
  message: 'Too many requests, please try again later!',
});

app.use('/api', limiter);

// Public route for blog posts
app.get('/api/posts', (req: Request, res: Response) => {
  res.json({ posts: ['Post 1', 'Post 2'] });
});

app.listen(3000, () => console.log('Server running'));

The other issues you may run into is someone either accidentally or malevolently flooding your API with millions of requests crashing your application. If so, you might have been targetted by DDoS attack.

Rate limiting caps how many requests someone can send. No more DDoS crashing our blog!

Throttling is a method used to control the number of requests that clients can make to our server, helping to ensure optimal performance. By implementing throttling, we establish a specific time interval during which a client can send a new request. For instance, we can set a rule that allows a client to create a new request only every five seconds. Any requests that arrive before this time period expires will be disregarded. This approach helps manage client activity and keeps our server running smoothly.

Let’s limit users to 100 requests every 15 minutes. Fair for readers, tough on attackers.

Using the express rate limit package, we can easily set the allowed number of requests per IP given the time frame. NextJS allows similar solutions.

API Security

/

Validation and Sanitisation

Validate
Sanitise
zod ...

    // app/api/admin/post/route.ts
import { NextRequest, NextResponse } from 'next/server';
import { z } from 'zod';

// Define the schema for a blog post with Zod
const postSchema = z.object({
  title: z.string().min(1, 'Title must not be empty').max(100, 'Title too long'),
  content: z.string().min(10, 'Content too short'),
  tags: z.array(z.string()).optional(), // Optional tags array
}).strict(); // No extra fields allowed

// POST handler for creating a blog post
export async function POST(req: NextRequest) {
  try {
    // Parse and validate the incoming JSON body
    const body = await req.json();
    const validatedData = postSchema.parse(body);

    // Simulate saving to a database (in a real app, you'd use Prisma or similar)
    const newPost = {
      title: validatedData.title,
      content: validatedData.content,
      tags: validatedData.tags || [],
    };

    return NextResponse.json({ message: 'Post created', post: newPost }, { status: 201 });
  } catch (error) {
    if (error instanceof z.ZodError) {
      // Return validation errors
      return NextResponse.json({ errors: error.errors }, { status: 400 });
    }
    return NextResponse.json({ message: 'Server error' }, { status: 500 });
  }
}

// Example client-side fetch to test it
/*
fetch('/api/admin/post', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ title: 'My First Post', content: 'Hello, world! This is a test post.' })
}).then(res => res.json()).then(console.log);
*/

API Security

/

Conclusions

Key takeaway: APIs must be secured
Start early
Employ more rather than less

Full Stack Development

API Security

API

Security

API

JWT Authentication

API

HTTPS

API Security

Rate Limiting

API Security

Validation and Sanitisation

API Security

Conclusions