5 Ways to Secure a REST API

🔐 5 Ways to Secure a REST API

1️⃣ Authentication (Who are you?)

Ensure only valid users can access the API.

Common methods:

  • JWT Token (most popular)

  • OAuth2 / OpenID Connect

  • API Keys (for system-to-system)

Example (.NET Core – JWT):

[Authorize]
[HttpGet("products")]
public IActionResult GetProducts()
{
    return Ok();
}

📌 Client sends token:

Authorization: Bearer <JWT_TOKEN>

2️⃣ Authorization (What are you allowed to do?)

Control who can access which endpoint.

Example: Role-based authorization

[Authorize(Roles = "Admin")]
[HttpDelete("products/{id}")]
public IActionResult Delete(int id)
{
    return Ok();
}

📌 Only users with Admin role can delete.

3️⃣ Use HTTPS Everywhere

Encrypt data in transit to prevent attacks (Man-in-the-middle).

In .NET Core:

app.UseHttpsRedirection();

In Azure App Service:

  • Enforce HTTPS Only (ON)

📌 Protects passwords, tokens, sensitive data.

4️⃣ Input Validation & Protection Against Attacks

Prevent:

  • SQL Injection

  • XSS

  • Overposting

  • Invalid data

Example:

public class ProductDto
{
    [Required]
    [StringLength(100)]
    public string Name { get; set; }

    [Range(1, 100000)]
    public decimal Price { get; set; }
}

📌 Always validate DTOs, not entities.

5️⃣ Rate Limiting & Throttling

Protect API from abuse & DDoS.

Example (.NET 7+):

builder.Services.AddRateLimiter(options =>
{
    options.AddFixedWindowLimiter("fixed", opt =>
    {
        opt.PermitLimit = 100;
        opt.Window = TimeSpan.FromMinutes(1);
    });
});

app.UseRateLimiter();

📌 Limits requests per user/IP.

⭐ Bonus Security Practices (Mention if asked)

  • Store secrets in Azure Key Vault

  • Use CORS properly

  • Log & monitor suspicious activity

  • Don’t expose stack traces in production

  • Use Refresh Tokens for JWT

🎯 Interview 1-Line Answer

“I secure APIs using authentication with JWT, role-based authorization, HTTPS, proper input validation, and rate limiting to prevent abuse.”

Comments

Post a Comment

Popular posts from this blog

.NET Core Interview Questions and Answers for 10+ Years Experienced Professionals

  🔹 Core Concepts Q1. What are the key differences between .NET Framework, .NET Core, and .NET 5/6/7+? Answer: .NET Framework – Windows-only, older, supports legacy apps. .NET Core – Cross-platform (Windows, Linux, macOS), modular, open-source, better performance. .NET 5+ (unified platform) – Combines .NET Core and .NET Framework into one platform with continuous updates (no ".NET Core 4"). Q2. Explain the Middleware pipeline in ASP.NET Core. Answer: Middleware is a software component that processes HTTP requests and responses. It forms a pipeline where each component can handle, pass, or short-circuit a request. Example: app.UseRouting(); app.UseAuthentication(); app.UseAuthorization(); app.UseEndpoints(endpoints => { endpoints.MapControllers(); }); Custom middleware can be added using app.Use(...) . Q3. What are Hosting Models in .NET Core? Answer: In-Process hosting – App runs inside IIS worker process ( w3wp.exe ), better perf...
Read more

What are SOLID Principles?

  SOLID is an acronym for five object-oriented design principles that make software more understandable, flexible, and maintainable. 1. S - Single Responsibility Principle (SRP) A class should have only one reason to change. Bad Example (Violating SRP): csharp public class UserService { public void RegisterUser ( string username , string email , string password ) { // Validate user data if ( string . IsNullOrEmpty ( username ) || string . IsNullOrEmpty ( email ) ) throw new ArgumentException ( "Username and email are required" ) ; if ( ! email . Contains ( "@" ) ) throw new ArgumentException ( "Invalid email format" ) ; // Hash password string hashedPassword = BCrypt . Net . BCrypt . HashPassword ( password ) ; // Save to database using ( var connection = new SqlConnection ( "connection_string" ) ) ...
Read more

.NET Core Senior Interview Q&A

  🔹 1. .NET Core Fundamentals Q1. What is the difference between .NET Framework, .NET Core, and .NET 5/6/7? Answer: .NET Framework → Windows-only, monolithic. .NET Core → Cross-platform, modular, open-source. .NET 5/6/7/8 → Unified platform (.NET Core + Mono). Example: In my current project, we migrated from .NET Framework 4.7.2 to .NET 6 for cross-platform support and performance gains (reduced API response time by ~30%).             Windows-only Means the .NET Framework can run only on Windows OS . You cannot directly run .NET Framework apps on Linux or macOS. Monolithic Monolithic application = a single, large, tightly-coupled unit . All layers (UI, business logic, data access) are bundled together and deployed as one package . Even a small change (e.g., fixing a bug in UI) requires rebuilding and redeploying the entire application . Scaling is harder → you must scale the whole app , not just the part th...
Read more