Section outline

  • Lesson Overview: In this lesson, students learn that APIs (Application Programming Interfaces) are the new “front door” to many applications (think mobile app backends, single-page app backends, etc.), and thus securing them is critical. We cover how to secure RESTful and other web APIs through strong authentication, authorization, input validation, rate limiting, and other modern API security practices, referencing common API vulnerabilities (like those in OWASP API Top 10).

    • Micro-Topic 27.1: API Authentication & Authorization – Who Can Call What

      · Learning Goal: Understand how to handle identity and access in APIs – using API keys, tokens (like JWT), OAuth, etc. – and ensuring that each API call properly verifies who is making the call and what they’re allowed to do (preventing issues like unauthorized data access).

    • Micro-Topic 27.2: Input Validation for APIs – No Trust Even in JSON

      · Learning Goal: Reinforce that APIs need the same rigorous input validation as web forms. Just because data arrives as JSON or through a mobile app doesn’t mean it’s safe. Discuss validating JSON fields, data types, lengths, allowed values, etc., to prevent injection or business logic abuse.

    • Micro-Topic 27.3: Rate Limiting & Throttling – Blocking the Brute-force and Flood

      · Learning Goal: Explain how APIs often enforce rate limiting (requests per minute, etc.) and why: to prevent brute-force attacks (like password guessing via API) and abuse (DoS or mass data scraping). Describe basic strategies for implementing throttling and why it’s part of API security.

    • Micro-Topic 27.4: Data Exposure & Injection in APIs – Securing the Data Flow

      · Learning Goal: Cover how APIs might unintentionally expose sensitive data (e.g., sending too much info in JSON) and how they remain susceptible to injection if not coded carefully (like NoSQL injection or command injection through API parameters). Emphasize using proper filters and avoiding verbose responses.
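Added example for Micro-Topic 27.3 (not part of the lesson materials): a per-client sliding-window limiter in Python, keyed by API key, applied to a hypothetical login endpoint before any credential check, so the "requests per minute" limit cuts off password guessing regardless of whether guesses succeed. The caller supplies the timestamp so the logic is deterministic; `SlidingWindowLimiter` and `handle_login` are assumed names.

```python
import math
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any interval of
    `window_seconds`. Each client keeps a queue of recent hit timestamps."""
    limit: int
    window_seconds: float
    _hits: dict = field(default_factory=dict)  # client_id -> deque[timestamp]

    def check(self, client_id: str, now: float) -> tuple:
        """Return (allowed, retry_after_seconds).

        `now` is passed in (e.g. time.monotonic() in production) so tests can
        drive the clock. Requests exactly `window_seconds` old have expired.
        """
        hits = self._hits.setdefault(client_id, deque())
        cutoff = now - self.window_seconds
        while hits and hits[0] <= cutoff:      # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            # Oldest hit still counts; the window reopens when it expires.
            return False, hits[0] + self.window_seconds - now
        hits.append(now)
        return True, 0.0


def handle_login(client_id: str, now: float, limiter: SlidingWindowLimiter) -> dict:
    """Hypothetical login handler (assumed name). Throttling runs first, so a
    rejected call never reaches credential checking or a database lookup."""
    allowed, retry_after = limiter.check(client_id, now)
    if not allowed:
        # 429 with Retry-After tells well-behaved clients when to back off.
        return {"status": 429, "headers": {"Retry-After": str(math.ceil(retry_after))}}
    # ... credential verification would follow here ...
    return {"status": 200}
```

In production the key would typically be the API key or authenticated subject (falling back to source IP for unauthenticated endpoints), and a shared store such as Redis would replace the in-process dict so the limit holds across API instances.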