Master the Secure REST API Before Your Next Interview.png

Digital threats emerge every day around the world. This course will help you build REST APIs with minimal vulnerabilities.

This course diligently crafts the security design around the REST API and gears you up to a Secure Software Development Life Cycle (SSDLC). You’ll learn REST security from start to finish. This includes client and server rendering, the architectural constraints of REST, SSL/TLS/X.509 certificates, choosing the right TLS protocol, version, ciphers, forward secrecy, and the seven tenets of Zero Trust. You’ll also learn how and where to position access control in monolithic and microservices. You’ll also learn to make your application stateless using JWT, and learn the nuances of JWT security, how to put input validation to good use, choosing the right HTTP method to use, and the best practices for various content types.

By the end of this course, you’ll be able to build your next REST API and be confident in its security as measured by the common vulnerability scoring system (CVSS3.1).

Will be provided later

Securing REST API for Web Applications and Services

## What is input validation?
User input is untrusted and has to be tested. It is either a part of the URL or part of the payload. Testing user input is called **input validation**. Input validation helps prevent the system from being exploited by an attacker. Detecting a malicious user is difficult; therefore, all users must be treated as untrusted, and input has to be checked from each one of them.

When we have a REST API, we always validate the data at the entry and exit points. We should also be careful to not give complete details of an error to the end user. Rather, we report all details only to authorized users who maintain the system and need access to error reports.

Let’s learn more about the consequences of a poorly validated REST API.


## Input validation attack
An attack is called an **input validation attack** if a malicious user creates a custom malicious input and feeds it to the REST API. If the REST API is vulnerable, it is susceptible to an attack. 

So, what can the kind of input can be used by an attacker?

Inputs don't always have to be in the form of data points. For example, if we’re working in an employee management system, input does not have to always be some attribute related to an employee. Possible types of input could be code, scripts, commands, and so on.


# What is input validation?
User input is untrusted and has to be tested. It is either a part of the URL or part of the payload. Testing user input is called **input validation**. Input validation helps prevent the system from being exploited by an attacker. Detecting a malicious user is difficult; therefore, all users must be treated as untrusted, and input has to be checked from each one of them.

When we have a REST API, we always validate the data at the entry and exit points. We should also be careful to not give complete details of an error to the end user. Rather, we report all details only to authorized users who maintain the system and need access to error reports.

Let’s learn more about the consequences of a poorly validated REST API.


# Input validation attack
An attack is called an **input validation attack** if a malicious user creates a custom malicious input and feeds it to the REST API. If the REST API is vulnerable, it is susceptible to an attack. 

So, what can the kind of input can be used by an attacker?

Inputs don't always have to be in the form of data points. For example, if we’re working in an employee management system, input does not have to always be some attribute related to an employee. Possible types of input could be code, scripts, commands, and so on.


Understand the nuances of input validation for REST API and the golden rule of security: any input is untrusted and must be validated.

Securing REST API

REST API Input Validation

What is input validation?

Input validation attack