Issue 42: HTTP Security Headers

This week, we look into a validation vulnerability in Cisco APIs, security best practices for HTTP headers and OAuth 2.0, and the effect of microservice architectures on API security.

Vulnerabilities: Cisco

Cisco has fixed an API vulnerability in their Vision Dynamic Signage Director. The vulnerability stemmed from insufficient validation of incoming HTTP requests. An unauthenticated remote attacker could craft a payload to exploit the vulnerability and execute arbitrary actions on the system with admin rights.

This is another reminder how important proper data validation is for API security.

Best practices: HTTP security headers

Charlie Belmer published his guide to HTTP security headers that details out the following headers:

  • Content-Security-Policy
  • Strict-Transport-Security
  • X-Content-Type-Options
  • Cache-Control
  • Expires
  • X-Frame-Options
  • Access-Control-Allow-Origin
  • Set-Cookie
  • X-XSS-Protection

The guide also provides samples for how to configure the headers for a web server, and use them in some of the most common programming languages.

Best practices: OAuth 2.0

IETF has published a draft of OAuth 2.0 Security Best Current Practices. The recommendations update and extend the OAuth 2.0 Security Threat Model.

The world has changes a lot since the original standard was released. OAuth is being widely used, including critical applications. The endpoints have also become a lot more dynamic. The new recommendations incorporate practical experiences gathered in the recent years and cover new threats that have emerged.

If the full paper is too technical for you, see Torsten Lodderstedt’s slides “OAuth 2.0 Security Reinforced” that we wrote about in an earlier issue.

Industry trends: Microservices and API security

Microservices are destroying the edge and making application component communications public. They also increase development agility.

Charlotte Dunlap, Principal Analyst for GlobalData, looks into how these trends affect requirements for API security. She also lists relevant tooling trends and vendor offerings.

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy