# Catatan Seekor: API Security

> **"API security is critical because APIs are the gateway to your data and business logic"**

## 📚 Overview

API Security is the practice of protecting Application Programming Interfaces (APIs) from a range of cyber threats. As APIs are used more and more in modern applications, API security becomes essential for protecting data and systems.

## 🎯 Learning Objectives

* Understand API security threats
* Apply authentication and authorization to APIs
* Implement rate limiting and input validation
* Secure the API gateway and monitoring

## 📖 Table of Contents

* [API Authentication](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/authentication.md)
* [API Authorization](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/authorization.md)
* [Rate Limiting](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/rate-limiting.md)
* [Input Validation](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/input-validation.md)
* [API Gateway Security](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/gateway.md)
* [Testing & Security](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/testing.md)

## 🚨 API Security Threats

### **Common Vulnerabilities**

* **Broken Authentication**: Weak API keys, tokens
* **Broken Object Level Authorization**: IDOR vulnerabilities
* **Excessive Data Exposure**: Over-sharing sensitive data
* **Lack of Rate Limiting**: DDoS and brute force attacks
* **Mass Assignment**: Unauthorized data modification

### **Attack Vectors**

* **API Key Exposure**: Leaked credentials
* **Token Hijacking**: Stolen JWT tokens
* **Parameter Pollution**: Manipulated request parameters
* **Injection Attacks**: SQL, NoSQL, command injection
* **Replay Attacks**: Captured and replayed requests

## 🚀 Quick Start

### **For Beginners**

1. Start with [API Authentication](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/authentication.md)
2. Learn [Input Validation](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/input-validation.md)
3. Understand [Rate Limiting](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/rate-limiting.md)

### **For Developers**

1. Implement [API Gateway Security](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/gateway.md)
2. Learn [API Authorization](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/authorization.md)
3. Master [Testing & Security](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/testing.md)

## 📚 References & Resources

### **Essential Reading**

* [OWASP API Security Top 10](https://owasp.org/www-project-api-security/)
* [OWASP API Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/API_Security_Cheat_Sheet.html)
* [REST API Security](https://restfulapi.net/security-essentials/)

### **Tools & Frameworks**

* [OWASP ZAP](https://owasp.org/www-project-zap/) - API security testing
* [Postman](https://www.postman.com/) - API development and testing
* [Kong](https://konghq.com/) - API gateway
* [Apigee](https://cloud.google.com/apigee) - API management platform

## 🎯 Best Practices

* ✅ Implement strong authentication (OAuth 2.0, JWT)
* ✅ Use HTTPS for all API communications
* ✅ Implement proper rate limiting
* ✅ Validate and sanitize all inputs
* ✅ Use API versioning
* ✅ Implement comprehensive logging
* ✅ Regular security testing

## 🚨 Security Checklist

* [ ] Authentication implemented
* [ ] Authorization configured
* [ ] Rate limiting enabled
* [ ] Input validation in place
* [ ] HTTPS configured
* [ ] Security headers set
* [ ] Monitoring implemented
* [ ] Testing completed

## 📊 Implementation Examples

### **API Authentication (Node.js)**

```javascript
const express = require('express');
const jwt = require('jsonwebtoken');
const rateLimit = require('express-rate-limit');

const app = express();

// Rate limiting
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit each IP to 100 requests per windowMs
});

app.use(limiter);

// JWT middleware: expects "Authorization: Bearer <token>"
const authenticateToken = (req, res, next) => {
  const authHeader = req.headers['authorization'];
  const [scheme, token] = authHeader ? authHeader.split(' ') : [];

  if (scheme !== 'Bearer' || !token) {
    return res.sendStatus(401);
  }

  // Pin the accepted algorithm so the token header cannot select a different one
  jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] }, (err, user) => {
    if (err) return res.sendStatus(403);
    req.user = user;
    next();
  });
};

// Protected route
app.get('/api/protected', authenticateToken, (req, res) => {
  res.json({ message: 'Protected data', user: req.user });
});
```

### **Input Validation (Python/Flask)**

```python
from flask import Flask, request, jsonify
from marshmallow import Schema, fields, ValidationError

app = Flask(__name__)

class UserSchema(Schema):
    # Unknown fields are rejected by default (unknown=RAISE), which also
    # blocks mass assignment of attributes the client should not set.
    username = fields.Str(required=True, validate=lambda x: len(x) >= 3)
    email = fields.Email(required=True)
    age = fields.Int(validate=lambda x: 18 <= x <= 120)

def validate_input(data, schema):
    """Return (valid_data, None) on success or (None, errors) on failure."""
    try:
        return schema.load(data), None
    except ValidationError as e:
        return None, e.messages

@app.route('/api/user', methods=['POST'])
def create_user():
    schema = UserSchema()
    # get_json(silent=True) yields None instead of raising on a non-JSON body
    payload = request.get_json(silent=True) or {}
    valid_data, errors = validate_input(payload, schema)

    if errors:
        return jsonify({'errors': errors}), 400

    # Process valid data
    return jsonify({'message': 'User created', 'data': valid_data}), 201
```
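
### **Object-Level Authorization & Mass Assignment (Node.js)**

Added example, not code from the original notes: the two server-side checks that address "Broken Object Level Authorization" and "Mass Assignment" from the threats list above, written as plain functions so they can be unit-tested without a web framework. The in-memory `orders` map, the `getOrderFor`/`updateOrderFor`/`pickAllowed` functions, the `user`/`admin` roles and the `shippingNote` field are all assumptions made for this example.

```javascript
// Constructed in-memory store standing in for a database (assumed data model:
// each order has an ownerId; the caller carries `sub` and `role` from its JWT).
const orders = new Map([
  [101, { id: 101, ownerId: 'alice', total: 40, status: 'open' }],
  [102, { id: 102, ownerId: 'bob', total: 95, status: 'open' }],
]);

// Object-level authorization: the caller must own the object or be an admin.
// "Exists but not yours" also returns 404 so the response does not confirm
// that the guessed id is valid.
function getOrderFor(user, orderId) {
  const order = orders.get(Number(orderId));
  if (!order) return { status: 404 };
  const allowed = user.role === 'admin' || order.ownerId === user.sub;
  if (!allowed) return { status: 404 };
  return { status: 200, body: order };
}

// Mass-assignment defence: copy only an explicit allowlist of fields from the
// request body, so ownerId, total or status can never be set by the client.
const UPDATABLE_FIELDS = ['shippingNote']; // hypothetical client-editable field

function pickAllowed(body, allowlist = UPDATABLE_FIELDS) {
  const out = {};
  for (const key of allowlist) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Update path: authorize the object first, then apply only allowlisted fields.
function updateOrderFor(user, orderId, body) {
  const found = getOrderFor(user, orderId);
  if (found.status !== 200) return found;
  Object.assign(found.body, pickAllowed(body));
  return { status: 200, body: found.body };
}
```

In an Express route these would be called with `req.user` (set by the JWT middleware above) and `req.params.id`, mapping the returned `status` onto the HTTP response.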

## 🤝 Contributing

Contributions are very welcome! Please fork, branch, commit, and open a Pull Request.

## 📄 License

Available under the [MIT License](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-api-security/LICENSE/README.md).

***

**⚠️ Disclaimer**: For learning purposes. Test in a safe environment and consult experts.

**🛡️ Remember**: Secure your APIs to protect your data and users!
