This document contains guidelines that will help you create and consume APIs in a secure way.
The guidelines are inspired by the document "OWASP cheat for REST Security" which you can find here: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html.
General guidelines for securing REST based APIs
Info |
---|
Secure all endpoints using HTTPS Among other things, this will protect Access Tokens that are transferred between HelseID and the API-klient, as well as between API-clients and API endpoints. |
Info |
---|
Perform access control on every endpoint Even if the API is hidden behind an API Gateway. |
Info |
---|
Require JWTs as security tokens |
Info |
---|
Restrict which HTTP methods that are used Reject every HTTP methods that is not in use by responding with the HTTP status code 405 - "method not allowed" |
Info |
---|
Validate every input parameter
|
Info |
---|
Validate "content types" If you don’t validate "content type" you open up for injecting and execution of code
|
Info |
---|
Security headers
|
Info |
---|
Riktig bruk av CORS.
|
Info |
---|
Make sure your APIs always sends correct HTTP response codes |
Note |
---|
Avoid the exposure of enpoints for administration on the internet |
...
Be careful when handling errors
...
Reply with generic error messages - avoid exposing details about the error if its not neccessary
...
page has been moved to this location (Norwegian), and this location (English).