
API Security Best Practices - michaelbuckbee
https://expeditedsecurity.com/api-security-best-practices-megaguide/
======
druvisc
> Unable to contact the client and with support requests pouring in, they
> blocked the client’s IP address in Expedited WAF.

> Using Expedited WAF, the team temporarily blocked access to the site from
> China and was able to remain online to their business customers.

Most used feature of Expedited WAF.

------
ztqc45
Definitely a great resource. I think a lot of the information is a bit too
general though. Example:

>7) Cross Site Scripting (XSS). What is it: Manipulation of your API to
further spread a malicious script. What you should do: Strongly filter all
inputs for both corectness[sic] and script components.

I mean...yeah, but you should do this in all things...

------
harikb
Gist is that they provide IP/region block.

> Using Expedited WAF, the team temporarily blocked access to the site from
> China and was able to remain online to their business customers.

Rest of it is generic API design advice.

~~~
gurrone
Yeah, recent credential stuffing attacks I witnessed showed that blocking
traffic based on AS numbers is very helpful. If your attacker is stupid,
User-Agent based blocks can be surprisingly effective as well. Besides that,
rate-limiting, and if you can, geo blocking can at least slow down malicious
traffic. It's a bit of a pity that the internet is no longer a peer2peer network
and just client-server. But since you have a lot of server-only networks, you
can quite safely block them if your API is clients only. You still might see
some false positives due to a lot of VPN provider traffic. For what it's worth,
free VPN services now also push a lot of malicious traffic.
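The layered filtering gurrone describes (AS-number block for server-only networks, a User-Agent block for unsophisticated tooling, and a per-IP rate limit as the slower backstop), as an added example that is not from the comment, the linked guide, or Expedited WAF. Every value in it is constructed: the IPs are RFC 5737 test addresses, the ASNs are from the documentation range (AS64496-AS64511), and the prefix-to-ASN table stands in for a real ASN database:

```python
"""Constructed example of layered request filtering: ASN block, User-Agent
block, then a sliding-window rate limit. All IPs, ASNs and requests are made up."""
from collections import defaultdict, deque
import ipaddress

# Constructed prefix -> ASN table; in practice this comes from an ASN/GeoIP database.
ASN_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,     # hypothetical residential ISP
    ipaddress.ip_network("198.51.100.0/24"): 64497,  # hypothetical hosting provider
    ipaddress.ip_network("203.0.113.0/24"): 64498,   # hypothetical VPN provider
}

# Server-only networks: safe to block when the API only serves end-user clients.
BLOCKED_ASNS = {64497}

# Obvious automation User-Agents; only catches tooling that does not bother to spoof.
BLOCKED_UA_PREFIXES = ("python-requests/", "curl/")

RATE_LIMIT = 5       # requests allowed per key ...
RATE_WINDOW = 60.0   # ... within this many seconds


def lookup_asn(ip):
    """Map an IP to its ASN via longest-prefix match over the constructed table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in ASN_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def decide(ip, user_agent, now, limiter):
    """Return (allowed, reason). Cheapest and most certain checks run first."""
    asn = lookup_asn(ip)
    if asn in BLOCKED_ASNS:
        return False, f"asn AS{asn} blocked"
    if not user_agent or user_agent.startswith(BLOCKED_UA_PREFIXES):
        return False, "user-agent blocked"
    if not limiter.allow(ip, now):
        return False, "rate limit exceeded"
    return True, "ok"


# Constructed request records: (timestamp in seconds, client IP, User-Agent).
SAMPLE_REQUESTS = [
    (0.0, "192.0.2.10", "Mozilla/5.0 (Windows NT 10.0)"),   # ordinary client
    (1.0, "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0)"), # hosting ASN, browser UA
    (2.0, "192.0.2.11", "python-requests/2.31"),            # residential ASN, scripted UA
] + [
    # Burst of 7 requests from one VPN exit within the window: the 6th and 7th exceed the limit.
    (10.0 + i, "203.0.113.5", "Mozilla/5.0 (X11; Linux)") for i in range(7)
]


def run(requests=SAMPLE_REQUESTS):
    """Evaluate every request in order; returns a list of (ip, allowed, reason)."""
    limiter = RateLimiter()
    return [(ip, *decide(ip, ua, ts, limiter)) for ts, ip, ua in requests]


if __name__ == "__main__":
    for ip, allowed, reason in run():
        print(f"{ip:<14} {'ALLOW' if allowed else 'BLOCK':<5} {reason}")
```

The order of checks matters operationally: the ASN and User-Agent decisions are stateless and cheap, while the rate limiter keeps per-IP state, so a blocked ASN never consumes limiter memory. The VPN prefix is deliberately not in `BLOCKED_ASNS`, reflecting the false-positive concern above; it is only rate limited.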

