I am reading API Security in Action by Neil Madden and I want to code along to make things stick a bit better. I also want to practice using Http4K.
// TODO
- Rate limiting (at the load balancer / reverse proxy / API gateway, but optionally also per server for defense in depth)
- Authentication (various methods, do a branch per chapter)
- Audit logging (simple first, maybe explore OT and Honeycomb later)
- Access control
- API with RDBMS storage
  - Injection
  - Permissions
  - Input validation
  - Deserialization (https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#other-deserialization-libraries-and-formats)
  - Safe output / XSS (especially when returning HTML)
  - Basic Auth
  - Safe password storage
  - Encryption / HTTPS / Strict transport security
  - Simple audit logging in the DB / maybe use a SIEM like Honeycomb
  - ACL in the DB (avoid privilege escalation attacks)
- Session cookie auth
  - Session cookies
  - Avoiding session fixation
  - Cookie security attributes
  - CSRF (SameSite cookies and the hash-based double-submit pattern)
  - Timing attacks
- Modern token-based auth
  - // TODO
- Self-contained tokens and JWTs
  - // TODO
- OAuth & OpenID Connect
  - // TODO
- Identity-based access control
  - // TODO
- Capability-based access control and macaroons
  - // TODO
- K8s
  - // TODO
- Securing service-to-service APIs
  - // TODO
- Securing IoT
  - // Not doing that
To build a container image with Jib:

```shell
./gradlew jib
```

More details on building with Jib can be found at https://github.com/GoogleContainerTools/jib/tree/master/jib-gradle-plugin