Top 15 API Security

Questions from
Job Interviews
1. What is the difference between
Authentication and Authorization

in API Security?
Authentication is the process of
verifying the identity of a user,
application or system. It establishes
that a user is who they claim to be by
confirming credentials like usernames,
passwords, or API keys. For example,
using OAuth or Basic Authentication.
 Authorization, on the other hand, is the
process of granting specific permissions
to a user or application based on their
authenticated identity. It determines
what actions or resources they are
permitted to access. One way to implement
authorization is by utilizing Role-Based
Access Control (RBAC).

2. What are the common security risks

associated with APIs and how do you
mitigate them?
API security risks include unauthorized
access, data leakage, injection attacks,
weak authentication, and lack of rate-
limiting. To mitigate these risks
Implement strong authentication and
authorization mechanisms (e.g., OAuth,
JWT)
Validate, sanitize, and filter input
data to prevent injection attacks
Employ rate-limiting to prevent abuse
and DoS (Denial of Service) attacks
Encrypt data in transit (e.g., using
HTTPS) and at rest
Regularly conduct security reviews and
vulnerability assessments.
3. What are API keys, and why are they
important for API security?
API keys are unique identifiers used to
authenticate requests made to an API.
They are important because they allow API
providers to track and control the usage
of their services. Proper management of
API keys helps prevent unauthorized
access to the API and can provide
insights into who is accessing the data
and how.

4. What is OAuth and how does it

contribute to API security?
OAuth is an open-standard authorization
protocol that allows applications and
users to authenticate and provide
granular permissions for accessing API
resources. It enables secure access
delegation without giving third-party
applications the user's credentials.
OAuth contributes to API security by
providing standardized methods for
authentication and authorization,
reducing the risk of insecure custom
implementations.
5. What is Cross-Origin Resource Sharing
(CORS) and how does it impact API
security?
CORS is a mechanism that allows many
resources, such as web pages or APIs, to
be requested from another domain. It is a
security feature implemented in modern
web browsers to prevent cross-origin
attacks, where a malicious web page makes
requests to a different domain with the
user's credentials. CORS is implemented
by servers using HTTP headers to specify
which origins and methods are allowed to
access their resources.

6. How can you ensure data privacy and

protect sensitive information in APIs?
To ensure data privacy and protect
sensitive information in APIs
Limit the amount of data exposed
through the API
Encrypt sensitive data in transit
(HTTPS) and at rest (database
encryption);
 Implement access controls and
authentication mechanisms to restrict
access to authorized users
Regularly update and patch software to
fix security vulnerabilities
Use hashing or tokenization to protect
sensitive data (e.g., passwords).

7. What is JSON Web Token (JWT) and

how is it used in API security?
JWT is a compact, URL-safe, and self-
contained token format used for secure
transmission of claims between parties.
It is commonly used as an access token in
OAuth flows. JWTs can be signed or
encrypted, ensuring data integrity and
confidentiality. In API security, JWTs
provide a mechanism to authenticate and
authorize user requests without having to
store session data on the server.

8. What is an API Gateway, and how

does it improve API security?
 An API Gateway is an intermediary server
that sits between clients and the backend
services, routing and processing incoming
API requests. It can improve API security
by abstracting the internal services and
providing a single entry point. Common
security features include authentication,
authorization, rate-limiting, input
validation, and logging. By centralizing
these features, API gateways can reduce
the attack surface and provide consistent
security policies.

9. How can rate-limiting improve API

security?
Rate-limiting controls the number of
requests that can be made to an API in a
certain time frame, preventing excessive
usage and potentially mitigating DoS
attacks, data scraping, and brute-force
attempts. By applying rate-limiting
rules, you can protect your API from
resource exhaustion and ensure its
availability for all users.
10. What is the purpose of API security
audits and vulnerability assessments?
API security audits and vulnerability
assessments are conducted to identify
potential weaknesses and vulnerabilities
in an API. They involve reviewing the
architecture, design, implementation, and
deployment of the API, followed by
automated or manual testing. These
processes help developers and security
teams identify, prioritize, and address
vulnerabilities, leading to a more secure
and robust API.

11. What are some security-related HTTP

headers that can be used to improve API
security?
Some examples of security-related HTTP
headers that can improve API security
include
Content-Security-Policy: Defines rules
to prevent cross-site scripting (XSS)
and other code injection attacks
Strict-Transport-Security: Enforces the
use of HTTPS for all future requests;
 X-Content-Type-Options: Prevents MIME-
based attacks by disabling content-type
sniffing
X-XSS-Protection: Provides basic
protection against XSS attacks
X-Frame-Options: Prevents clickjacking
by restricting iframe embedding.

12. How can logging and monitoring help

maintain API security?
Logging and monitoring help maintain API
security by providing visibility into API
usage and potential security incidents.By
analyzing logs and monitoring metrics,
you can identify suspicious behavior,
audit access, track usage patterns, and
detect anomalies in real-time. This data
can be used to inform security policies
and bolster your overall API security
posture.

13. What is a Web Application Firewall

(WAF), and how does it help protect
APIs?
 A WAF is a security solution that
protects web applications and APIs by
filtering, monitoring, and blocking
malicious HTTP traffic. It can detect and
prevent common attacks, such as SQL
injection, XSS, and CSRF, by examining
incoming requests and applying pre-defined
rules or heuristics. WAFs can help
protect APIs by providing an additional
security layer to complement existing API
security measures.

14. What is the role of encryption in API

security, and what are the differences
between symmetric and asymmetric
encryption?
Encryption is the process of encoding
data to ensure its confidentiality,
integrity, and availability. In API
security, encryption is vital for
protecting data in transit (e.g., HTTPS)
and at rest (e.g., database encryption).
Symmetric encryption uses a single key to
encrypt and decrypt data, which is faster
but requires secure key exchange.
 Asymmetric encryption uses a public-
private key pair, where the data is
encrypted with the public key and
decrypted with the private key, providing
better key management at the expense of
performance.

15. What is a penetration test, and how

can it be applied to API security?
A penetration test is a real-world attack
simulation designed to evaluate the
security of an API by attempting to
exploit any vulnerabilities or weaknesses
within the system. Conducting penetration
tests on APIs can help identify potential
vulnerabilities that may not be apparent
during security reviews or vulnerability
assessments. By testing APIs from an
attacker's perspective, you can better
understand their limitations and provide
insights crucial for improving overall
security.

Follow Wallarm on LinkedIn

https://linkedin.com/company/wallarm