
API Security in Action

A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.

576 pages, Paperback

Published January 1, 2020


About the author

Neil Madden

4 books, 2 followers

Ratings & Reviews


Community Reviews

5 stars: 31 (46%)
4 stars: 26 (38%)
3 stars: 8 (11%)
2 stars: 2 (2%)
1 star: 0 (0%)
Displaying 1 - 15 of 15 reviews
alper
206 reviews, 60 followers
January 16, 2025
Since my security knowledge is limited, the book was quite useful for me. But I was quite surprised that some parts of it have not been standardized, and it confirmed my conclusion that general knowledge in this field is also limited / the necessary care is not being taken. It's not for nothing that somewhere gets taken down every day. :P Anyway, let's not lose heart and keep building on it…

What am I getting at? Macaroons, for example. I loved this concept. I'd like it to become a standard and spread the way JWT and OAuth have. It has its own chapter. But the book had already touched on it briefly while explaining JWTs, and I started running around shouting “Eureka!” already in that chapter! Yes, naked, as the staging requires. :P It's really nicely illustrated with examples in its own chapter too. I won't go into the concepts of macaroons and caveats now. Let that be homework for the curious. :) While reading the book, we also grumbled together with chatgpt that it doesn't get the attention it deserves… By the way, in the case of macaroons this isn't just a local situation. I refer the matter to FAANG.


Yes, security is actually a very broad field. Even though API / application security is an area I'd hold myself accountable for, in practice there's no such thing, because in every case you're only as secure as your weakest link. All of these components need to be given the attention they require. But if one has to start somewhere, this book will be the right starting point. As in the whole “in Action” series, this book too proceeds with concrete examples.



All the chapters can be viewed here. Developing alongside the book would of course be better. I just set myself more up-to-date assignments and carried on. This is a handicap the “In Action” series can have. After all, technology moves on. The concepts are fine. But how we apply them changes over time. And that is what puts bread on our table: these transformations. At least, for my part, I tried to focus on the concepts rather than on the current implementation anyway…

Towards the end there were times when I started mixing some parts up with one another. But to prevent that, from the start I had been writing up summaries for myself of the concepts I understood, under separate headings. I think going back to my notes, or adding the missing ones, will make things much easier for later passes. For example:

XSS, CSRF, CORS
How Bad are Cookies?
Https - tls
Hmac, sha, aes, pkcs12
Key or certificate
Managing HMAC Token with Spring Cloud
OAuth 2 with Spring Authorization Server
Attribute-based access control - Drools
DNS poisoning
PCI DSS Level 1
Nitro Clave
OWASP ASVS (Application Security Verification Standard) - OWASP Level 3
GDPR
Token Consistency - There are nice solutions without it, too.
Stride
OAuth2 and OpenId Connect
2FA - macaroons
Kubernetes Security Best Practices

and so on…

I've also given a small hint of what the headings in the book are. For me it was both a difficult and a very enjoyable journey. What I always say came through very clearly here too. The more I read, the more I saw once again how big my map of ignorance is. But I'm still shining bright. Keep learning…

Ah, and the write-up was already finished! But, but, let me add one last thing: I approached the book from the perspective of “What does a company offering an API service need to do for ‘API Security’?” and worked through it by building a task list. So the book became “In Action In Action”. :P And let me finish my write-up on a high note with the Actionception joke.
Viktor Lototskyi
149 reviews, 4 followers
June 7, 2021
A very decent book on the subject.
It's still intermediate (but not novice) level and the real experience you'll get in Production.
But, all the main API/security topics along with examples are there and the material is well structured.
Sergey Machulskis
99 reviews, 8 followers
June 16, 2021
Impressive book. It overviews everything from classic XSS protection to IoT security protocols and Kubernetes security options.
I didn't even think it was possible to make it with practical examples, but the author did it. A lot of new information that is actually useful in daily work (for a programmer).
8 reviews
November 8, 2021
A thoughtfully written book, great for beginners or intermediate-level software developers. If there was one section on API gateways from AWS, GCP or Azure covering serverless APIs, it would have been an all-time great book.
M.
15 reviews
December 5, 2024
API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography.

A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments. Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the technology

APIs control data sharing in every service, server, data store, and web client. Modern data-centric designs—including microservices and cloud-native applications—demand a comprehensive, multi-layered approach to security for both private and public-facing APIs.

About the book

API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography. When you’re done, you’ll be able to create APIs that stand up to complex threat models and hostile environments.

What's inside

Authentication
Authorization
Audit logging
Rate limiting
Encryption

About the reader

For developers with experience building RESTful APIs. Examples are in Java.

About the author

Neil Madden has in-depth knowledge of applied cryptography, application security, and current API security technologies. He holds a Ph.D. in Computer Science.

Table of Contents

PART 1 - FOUNDATIONS
1 What is API security?
2 Secure API development
3 Securing the Natter API
PART 2 - TOKEN-BASED AUTHENTICATION
4 Session cookie authentication
5 Modern token-based authentication
6 Self-contained tokens and JWTs
PART 3 - AUTHORIZATION
7 OAuth2 and OpenID Connect
8 Identity-based access control
9 Capability-based security and macaroons
PART 4 - MICROSERVICE APIs IN KUBERNETES
10 Microservice APIs in Kubernetes
11 Securing service-to-service APIs
PART 5 - APIs FOR THE INTERNET OF THINGS
12 Securing IoT communications
13 Securing IoT APIs

I had to skip Part 5, which was about API security for IoT, which was not my line of work. I think I will have to read more on API security before I appreciate the book completely.
Chris Austin
76 reviews, 9 followers
October 3, 2021
The first 100 pages were pretty slow, basically setting up a java web service that's used by a web page provided by a java controller, and only having Basic auth and cookies in the first 100 pages. He used libraries that I wouldn't use for actual projects - but he used them to make it more language-agnostic instead of making it all about Spring. The choice makes sense.

It got quite good after the slow start though. It adds little improvements along the way, explaining the rationale for each. Each step has warnings about the security issues that are being introduced, then works through fixing them while adding more context.

It was light on SQLi and XSS since it's an API security book, not a web dev book, but it touched on them. The CSRF, CORS, and cookie sections were good (covered SameSite and calls from JS), then moved from cookies to localStorage, token auth, HMAC for token auth, JWT with HMAC, encrypted JWT with HMAC, with good notes around crypto algorithm selection.

The OAuth2 and OIDC chapter was very obvious by the time it got to it, because you had basically built an OAuth2 service in the previous chapters, so you learned critical thinking around the design decisions that went into it. Still some solid notes on applying it, including some notes I don't recall seeing before.

The "Identity Unlocked" podcast is worth listening to if you're interested in this subject.
Muhammad
39 reviews, 44 followers
August 7, 2023
Learned a lot about how to keep APIs secure which, I guess, means the book does what it set out to do (e.g. STRIDE model, XSS/ReDoS attacks, JWTs, OAuth, macaroons). It breaks down injection attacks (e.g. SQL) to a deeper level than how I understood it before regarding how bind variables work with a database.

But I learned a lot about APIs in general from this book, such as how routes work (this is how HTTP requests are mapped into method calls for the URI and the controller object).

Plenty of jump-off points to go deeper into certain technical topics too which was very nice to have, however, this book has been sufficiently comprehensive over the past year.
28 reviews, 1 follower
October 13, 2022
Surprisingly thorough and enjoyable guide to API security. It covers a broad range of topics, covering server security, IoT device communications, and even Kubernetes. The info presented here is explained clearly and is complemented by very helpful diagrams. You really feel that the author knows what he's talking about.

I especially enjoyed snippets of history about past security breaches and how they were dealt with.

Overall, it's a really great guide that has something to be found by the beginner as well as the adept.
Denis Sidorenko
6 reviews
March 30, 2024
This is the best book on security I've ever read and one of the best technical books I've ever read.
If you want to get a concise, engaging and accessible yet comprehensive overview of web app security, this book is for you. It reads like well-written prose.

The quality of writing is top notch. Sadly, all too often we have this experience of struggling to understand technical texts. This book is a perfect example of how technical texts should be written. Every concept has a real-life example, and it's not just a theoretical example: you run it on your workstation, and it works. You don't need to be a genius to run the examples.

Although I knew most of the concepts described in the book, I found the book valuable since now I feel like I have a complete overview.

I would recommend this book to absolutely everyone who works with web apps not only backend devs (including PO, QA, DevOps).

I can also recommend this book as a checklist for your app - basically you need to make sure that all the concepts from the book are covered.

This book is not for you:
* if you don't understand how web applications work (it can't be your first book on web development)
* if you are looking for a detailed guide on areas outside of the book's focus area, e.g. UI specifics (CSP, clickjacking and other browser-only aspects of security) or deeper aspects of cryptography.

Threat modelling is also touched on in the book, BTW.
Vinicius Souza
53 reviews, 1 follower
January 18, 2025
As a software engineer working, most of the time, on backend web APIs, this is the best book on security I've read so far. This is "tailor-made" for this kind of professional: no more / no less information than you need. It has a very progressive approach, presenting the easier / more naive techniques and then incrementing them to cover more complex scenarios. This is not a five-star to me just because I missed more references on subjects that the book doesn't go into in depth, like specific standards / protocols. Also, sometimes the book gets a bit "dry", making you lose interest in the chapter due to the depth it goes into on very specific contexts (unless you are really working with that specific subject). Anyway, those are very common problems of many technical books. This is, certainly, one of those books that becomes a reference, and you will, certainly, return to it in your professional life to consult about that specific subject when a doubt arises.
Truong
6 reviews
December 29, 2022
This is a recommended book to understand fundamental aspects of API security. You don't need to have any prerequisite knowledge to grasp all the things laid out in the book. The author has explained each concept he brought up very clearly and in detail.
Morten
82 reviews, 7 followers
December 23, 2022
A comprehensive walkthrough of every aspect of API security and its multitude of levels of complexity. The book is a gem and should be read by anyone that has some interest in the topic.
Kaden Cho
30 reviews, 1 follower
January 19, 2022
A great book. I could learn a lot about API security concepts and practice with detailed examples. I skipped the last part of it (IoT related), but generally it addressed all the things to consider when you build a secure API application.
Deepak Kumar
13 reviews, 4 followers
December 30, 2024
API security aspects explained in detail. However, some of the parts which are no longer used these days might have been skipped.