Add advanced API security best practices #212
Conversation
|
Is this suggesting both access tokens and mtls? |
Maikuolan
left a comment
Maikuolan
left a comment
There was a problem hiding this comment.
These sound like good additions to me, and I'm generally inclined towards merging, though you've listed some of them twice, and the "API Security Best Practices (Advanced)" has been listed twice, too. I'll leave this open for a little while to allow others the opportunity review and comment, and in the meantime, maybe some of the duplication could be removed and cleaned up a little?
Cheers. :-)
|
Good question! The suggestion is to use mTLS for service-to-service authentication (machine identity) alongside access tokens for user authorization. They serve complementary purposes - mTLS verifies the calling service, while tokens carry user context and permissions. For high-security APIs, using both provides defense in depth. Happy to clarify or adjust the wording if needed! |
|
Good question! The suggestion is to use mTLS for service-to-service authentication (machine identity) alongside access tokens for user authorization. They serve complementary purposes - mTLS verifies the calling service, while tokens carry user context and permissions. For high-security APIs, using both provides defense in depth. Happy to clarify the wording if needed! |
Removed duplicate section as requested by maintainer @Maikuolan. The advanced security tips are now in a single, properly placed section.
|
Fixed! Removed the duplicate sections as requested. The 'API Security Best Practices (Advanced)' section now appears only once, properly placed before the Contribution section. Thank you for the review! |
|
|
||
| ### Rate Limiting & Abuse Prevention | ||
| - [ ] Implement sliding window rate limiting per API key and IP. | ||
| - [ ] Use exponential backoff for repeated failed authentication attempts. |
There was a problem hiding this comment.
This needs a limit - exponential gets pretty long pretty quickly, so you need an explicit timeout too
| ### Rate Limiting & Abuse Prevention | ||
| - [ ] Implement sliding window rate limiting per API key and IP. | ||
| - [ ] Use exponential backoff for repeated failed authentication attempts. | ||
| - [ ] Implement CAPTCHA or proof-of-work challenges after suspicious activity. |
There was a problem hiding this comment.
Your mum is suspicious activity.
~~ everybody I went to highschool with
You might want to be more concrete about what qualifies about "suspicious" activity, since most tools define "not watching all the ads" as suspicious
There was a problem hiding this comment.
Absolutely not wrong, but that said, "suspicious" is also likely to be highly subjective, and opinions of what, exactly, meets the criteria for being "suspicious" is likely to vary significantly from one person to another (and from one context to another; i.e., the intended purpose of the API, the inherent sensitivity and intended consumption of the data provided and so on). Adding clarification in cases where confusion could otherwise be caused is good, but likewise, being preemptively somewhat generic can help to avoid future arguments and nitpicking in cases where the details of the specifics of the matter at hand can be highly opinionated and/or varied. Finding the right balance is often the preferred ideal, but also, I wouldn't stress too much on that front. :-)
| - [ ] Rotate API keys and secrets on a regular schedule. | ||
| - [ ] Use hardware security modules (HSM) for signing operations. | ||
| - [ ] Implement secret scanning in CI/CD pipelines. | ||
| - [ ] Never commit secrets to version control - use environment variables or secret managers. |
There was a problem hiding this comment.
"don't commit secrets" and "scan for secrets" seem like the same point - one is the policy, one is the enforcement mechanism
4 participants
Summary
Added new security checklist items covering advanced topics:
Rate Limiting & Abuse Prevention
GraphQL-Specific Security
Secrets Management
Zero Trust Architecture
These additions help cover modern API security concerns that weren't in the original checklist.