REST APIs are a key component in building powerful, scalable web-based applications today. Since they work over HTTP, how do we strengthen their security? Consider the following:
1. We should ensure that the HTTP method is valid for the API key or session token and for the linked collection of resources, record, and action.
2. Authentication: it is better to deploy multi-factor authentication and token-based authentication.
3. Token validation errors should also be logged for audit purposes.
4. Input sanitization.
5. If the data's classification label is private or confidential, symmetric cryptography will be used to encrypt the data in transit.
6. Hardening REST API status return codes: return specific codes rather than only 404 (errors) and 200 (success).
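As an added illustration (not code from the original post), the following Python sketch combines items 1, 3, 4 and 6 of the list above in one request gate: it checks that the HTTP method is permitted for the presented API key and target collection, rejects malformed record identifiers, writes every validation failure to an audit trail, and answers with a specific status code for each failure class. The policy table, key names and the record-id pattern are constructed sample values, not part of any real system.

```python
import logging
import re

logger = logging.getLogger("api.authz")

# Constructed sample policy: API key -> collection -> HTTP methods it may use.
# In a real deployment this would be looked up from the token/session store.
POLICY = {
    "key-reader-001": {"orders": {"GET"}},
    "key-admin-002": {"orders": {"GET", "POST", "PUT", "DELETE"}, "users": {"GET"}},
}

# Assumed record-id format: short, URL-safe token. Anything else is rejected
# before it can reach a database or file-system lookup.
RECORD_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# In-memory audit trail so the failures are inspectable; a real service would
# ship these records to a SIEM or append-only log.
AUDIT_LOG = []


def audit(reason, **fields):
    """Record a validation failure for later audit and emit a warning log."""
    entry = {"reason": reason, **fields}
    AUDIT_LOG.append(entry)
    logger.warning("request rejected: %s %s", reason, fields)


def authorize(api_key, method, collection, record_id=None):
    """Gate one request. Returns (status_code, message).

    Status codes are deliberately specific (401/403/405/400) instead of a
    generic 404 so clients and monitoring can tell failure classes apart,
    while the message body stays terse to avoid leaking policy details.
    """
    if api_key not in POLICY:
        audit("unknown token", method=method, collection=collection)
        return 401, "invalid token"

    allowed_methods = POLICY[api_key].get(collection)
    if allowed_methods is None:
        audit("collection not granted", key=api_key, collection=collection)
        return 403, "forbidden"

    if method not in allowed_methods:
        audit("method not granted", key=api_key, method=method, collection=collection)
        return 405, "method not allowed"

    if record_id is not None and not RECORD_ID.match(record_id):
        audit("malformed record id", key=api_key, collection=collection)
        return 400, "bad record id"

    return 200, "ok"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for req in [
        ("key-reader-001", "GET", "orders", "ord-17"),
        ("key-reader-001", "DELETE", "orders", "ord-17"),
        ("key-admin-002", "GET", "secrets", None),
        ("key-admin-002", "GET", "orders", "../../etc/passwd"),
        ("no-such-key", "GET", "orders", None),
    ]:
        print(req[:3], "->", authorize(*req))
    print(len(AUDIT_LOG), "audit entries recorded")
```

The gate runs before any handler code, so a request that fails is never routed to a resource. Note that the audit entry carries the key identifier and reason, but the response body does not: the client learns which class of check failed, the log learns who and why.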
The enhancements above may not be easy to fulfil. However, system developers should meet the standard requirements and follow web server security best practice. Apart from that, the API should comply with the HTTP security considerations in RFC7230, section 9.
Should you be interested in the RFC7230 section 9 standard, please refer to the URL below for reference.