REST (API) is a key component in building powerful, scalable web-based applications today. So how do we enhance its security, since it works over the HTTP communication method? Hence:
1. We should ensure that the HTTP method is valid for the API key/session token and the linked collection of resources, record, and action.
2. Authentication – it is better to deploy multi-factor authentication and token-based authentication.
3. Token validation errors should also be logged for audit purposes.
4. Input sanitization.
5. If the classification label of the data is private or confidential, symmetric cryptography will be used to encrypt the data transmitted.
6. Hardening REST API status return codes instead of 404 (errors) and 200 (success).
Perhaps the above items of enhancement are not easy to fulfil. However, the system developers should fulfil the standard requirements, following web server security best practice. Apart from that, it should comply with HTTP security (RFC7230 – section 9).
Should you be interested in the RFC7230 – section 9 standard, please refer to the URL below for reference.
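As an added illustration (not code from the post above), the following Python sketch puts items 1, 3 and 6 together: a token is looked up with a constant-time comparison, its allowed (method, collection) pairs are checked, every validation failure is written to an audit log, and the client only ever receives a generic status code and body. The token store, its scopes and the `orders` collection are constructed sample values.

```python
import hmac
import logging
import time

# Constructed sample token store: token id -> allowed (method, collection) pairs and expiry (epoch seconds).
# A real deployment would obtain this from the authentication server; these values are hypothetical.
TOKEN_STORE = {
    "tok_reader": {"scopes": {("GET", "orders")}, "expires": 2_000_000_000},
    "tok_writer": {"scopes": {("GET", "orders"), ("POST", "orders"), ("DELETE", "orders")},
                   "expires": 2_000_000_000},
    "tok_expired": {"scopes": {("GET", "orders")}, "expires": 1_000_000_000},
}
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}

audit_log = logging.getLogger("api.audit")
AUDIT_EVENTS = []  # in-memory copy of what was logged, so the result can be inspected


def _audit(message, *args):
    """Record the detailed reason for a refusal; this detail never reaches the client."""
    audit_log.warning(message, *args)
    AUDIT_EVENTS.append(message % args)


def authorize(method, collection, token, now=None):
    """Return (status_code, body) for a request. Failures map to generic responses;
    the specific cause (unknown/expired token, wrong scope) goes only to the audit log."""
    now = time.time() if now is None else now
    method = method.upper()
    if method not in ALLOWED_METHODS:
        _audit("unsupported method %s on /%s", method, collection)
        return 405, {"error": "method not allowed"}
    # Compare against every stored token id so lookup time does not depend on a prefix match.
    entry = None
    for token_id, record in TOKEN_STORE.items():
        if hmac.compare_digest(token_id, token or ""):
            entry = record
    if entry is None:
        _audit("token validation failed: unknown token for %s /%s", method, collection)
        return 401, {"error": "unauthorized"}
    if entry["expires"] <= now:
        _audit("token validation failed: expired token for %s /%s", method, collection)
        return 401, {"error": "unauthorized"}
    if (method, collection) not in entry["scopes"]:
        _audit("scope check failed: %s /%s not granted to token", method, collection)
        return 403, {"error": "forbidden"}
    return 200, {"ok": True}
```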
This is really great news! There is however one little thing that I'm not 100% comfortable with, which is the promise to not make API changes in the LTS releases. In most cases this would be perfectly fine, but every now and then it's necessary to add a new API in order to make a game compatible with the newest devices. For example, last year's release of the iPhone X made it necessary to add the Screen.safeArea API. What I'm wondering is if these simple, but critical APIs will still make it to LTS, otherwise those releases may become effectively useless for a large percentage of developers.