1. Use HTTPS for secure communication:
Use secure socket layer (SSL) or transport layer security (TLS) encryption to protect sensitive data in transit. This ensures that the data transmitted between the client and server is secure and cannot be intercepted by third parties.
import requests
response = requests.get('https://api.example.com/data', verify=True)
2. Authenticate users with tokens:
API access and limit access to authorized users only. This helps to ensure that only authorized users have access to sensitive data.
import requests
headers = {'Authorization': 'Token 1234567890'}
response = requests.get('https://api.example.com/data', headers=headers)
3. Validate inputs:
Validate all input data to prevent malicious data from being processed by the API. This helps to prevent attacks such as cross-site scripting (XSS) and SQL injection.
def validate_input(data):
if len(data) > 100:
raise ValueError('Data length should be less than 100 characters.')
return data
input_data = validate_input(input_data)
4. Use encryption for sensitive data:
import bcrypt
password = bcrypt.hashpw('secret_password'.encode(), bcrypt.gensalt())
# To check if the password matches:
if bcrypt.checkpw('secret_password'.encode(), password):
# Password match
else:
# Password does not match
5. Rate limit API requests:
import time
def rate_limit(func):
def wrapper(*args, **kwargs):
now = time.time()
if now - wrapper.last_call < 1: # rate limit of 1 request per second
return 'Too many requests, try again later.'
wrapper.last_call = now
return func(*args, **kwargs)
wrapper.last_call = 0
return wrapper
@rate_limit
def get_data():
# API request
return 'Data'
6. Use secure password storage:
import bcrypt
def hash_password(password):
hashed_password = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
return hashed_password
def verify_password(password, hashed_password):
if bcrypt.checkpw(password.encode(), hashed_password):
return True
return False
hashed_password = hash_password('secret_password')
if verify_password('secret_password', hashed_password):
# Password match
else:
# Password does not match
7. Implement two-factor authentication:
import pyotp
def generate_2fa_token():
secret = pyotp.random_base32()
return secret
def verify_2fa_token(secret, token):
totp = pyotp.TOTP(secret)
return totp.verify(token)
secret = generate_2fa_token()
token = '123456'
if verify_2fa_token(secret, token):
# Token match
else:
# Token does not match
8. Use proper error handling:
try:
# API request
except Exception as e:
print(f'Error: {e}')
9. Use secure coding practices:
Use secure coding practices to prevent security vulnerabilities in the API code.
def secure_fumction(data):
if data is None:
raise ValueError('Data cannot be None.')
return data
input data =
10. Monitor API logs regularly:
Regularly monitor API logs to identify and respond to security incidents.
import logging
logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)
# Add log handler
handler = logging.FileHandler('api.log')
handler.setLevel(logging.INFO)
logger.addHandler(handler)
# Log API requests
def log_api_request(request):
logger.info(f'API request: {request}')
Use unique API keys for each user and implement mechanisms to securely store and manage API keys. This helps to prevent unauthorized access to the API and prevent attackers from stealing API keys.
