12 Questions
What does the X-RateLimit-Remaining header represent in an API?
Number of remaining calls
What is the purpose of using HTTPS in API communication?
To ensure secure communication
What does the HTTP Basic Authentication method allow a client to provide when requesting access to a protected resource?
Username and password
What status code does the server typically respond with when a client tries to access a protected resource without proper credentials?
401 Unauthorized
What does the WWW-Authenticate header inform the client about in an API response?
Type of authentication required
What security measure helps protect APIs from replay attacks?
Binding each request to a nonce or timestamp that the server checks (a CSRF token defends against cross-site request forgery, a different attack)
What format is the value of the Authorization header supposed to follow in Basic Authentication?
The word Basic, a space, then the Base64 encoding of username:password
What is the drawback of using Basic Authentication?
The credentials are only Base64-encoded, so anyone who intercepts the header can decode the username and password
In Token-based authentication, what does the successful response include?
Access token
What HTTP status code does the server respond with upon successful deletion of a resource?
204 No Content
Why is it advisable to avoid including username and password directly in the URL?
Because URLs are recorded by server logs, proxies and browser history, which would expose the credentials
What type of scheme is typically indicated in the Authorization header when using an access token?
Bearer token scheme
Study Notes
Rate Limiting
- A rate limit caps the number of requests a client may make to an API within a time window
- X-RateLimit-Limit specifies the number of calls allowed during the window
- X-RateLimit-Remaining specifies the number of calls still available in the current window
- X-RateLimit-Reset specifies the time at which the call counter will be reset
- Receiving a 429 Too Many Requests response indicates that the rate limit has been exceeded
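The following fixed-window limiter is an added example, not code from the original page: it tracks a call counter per client and emits the three X-RateLimit-* headers described above, answering 429 once the limit is spent. The window length, the per-client key, the choice of epoch seconds for X-RateLimit-Reset and the extra Retry-After header are assumptions.

```python
"""Fixed-window rate limiter that emits the X-RateLimit-* headers.

Added example (not from the original page). The header names follow the
notes above; the fixed window, the per-client key, epoch seconds for
X-RateLimit-Reset and the Retry-After header are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class RateLimiter:
    limit: int                      # calls allowed per window (X-RateLimit-Limit)
    window: int                     # window length in seconds (assumed: fixed window)
    now: Callable[[], float]        # clock, injectable so the behaviour is testable offline
    _windows: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # client -> (window_start, count)

    def check(self, client_id: str):
        """Return (status, headers) for one request from client_id."""
        t = int(self.now())
        start, count = self._windows.get(client_id, (t, 0))
        if t - start >= self.window:            # window expired: start a fresh one
            start, count = t, 0
        reset_at = start + self.window          # X-RateLimit-Reset as epoch seconds (assumed)
        if count >= self.limit:
            # limit spent: refuse without consuming anything, tell the client when to retry
            return 429, {
                "X-RateLimit-Limit": str(self.limit),
                "X-RateLimit-Remaining": "0",
                "X-RateLimit-Reset": str(reset_at),
                "Retry-After": str(reset_at - t),   # assumed extra header
            }
        count += 1
        self._windows[client_id] = (start, count)
        return 200, {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(self.limit - count),
            "X-RateLimit-Reset": str(reset_at),
        }


def demo():
    """Constructed scenario: 3 calls per 60 s, four requests, then the window rolls over."""
    clock = [1_700_000_000]                     # constructed fake clock (epoch seconds)
    limiter = RateLimiter(limit=3, window=60, now=lambda: clock[0])
    results = [limiter.check("client-a") for _ in range(4)]   # 200, 200, 200, 429
    clock[0] += 60                              # window expires
    results.append(limiter.check("client-a"))   # counter reset: 200 again
    return results


if __name__ == "__main__":
    for status, headers in demo():
        print(status, headers)
```

Key the counter on the authenticated identity (API key or user) rather than only on the source IP where you can, since clients behind one NAT share an address and an attacker can rotate addresses.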
Authentication
- Authentication is how a client proves its identity to the server when requesting access to a protected resource; with a username and password this is the most basic form
- HTTP Basic Authentication is a common method for authentication
- The client is challenged with a 401 Unauthorized status code and a WWW-Authenticate header when attempting to access a protected resource without credentials
- The client responds with an Authorization header of the form Basic followed by the Base64 encoding of username:password
Security Issues with Basic Authentication
- Base64 is an encoding, not encryption: anyone who reads the header can decode the username and password directly
- Without HTTPS the credentials travel over the network in a form that is trivially recovered, and they are resent on every request, multiplying the chances of interception
Token-based Authentication
- The client sends a POST request to the server's /auth endpoint with credentials in the body
- The server responds with a 201 Created status code and an access token upon successful verification
- The access token is an unguessable, unique identifier for the user session, so it must be generated randomly and treated as a secret
- The client can access resources on the server using the access token in the Authorization header
Security Principle
- Avoid sending credentials in the URL to prevent exposure through logging systems and proxies
- Use a separate login request to keep credentials out of URLs and reduce the risk of exposure
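To tie the Authentication, Security Issues and Token-based Authentication notes together, here is an added example (not code from the original page) that models a small API server as plain functions: the 401 challenge with WWW-Authenticate, Basic header decoding, the separate POST /auth login that returns 201 with an access token, Bearer access to a resource, and 204 on DELETE. It also shows how a captured Basic header is decoded in one line, which is the weakness the notes describe. Requests and responses are dicts standing in for HTTP messages; the realm name, the sample user, the PBKDF2 parameters and the JSON body shape are assumptions.

```python
"""HTTP Basic vs. bearer-token authentication, modelled as plain functions.

Added example (not from the original page). The /auth path, the 201 response,
the 401 + WWW-Authenticate challenge and the Basic/Bearer schemes follow the
notes above; realm, user store, PBKDF2 parameters and body shape are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets

REALM = "api"                                   # assumed realm name
_SALT = b"constructed-salt"                     # constructed; use a random per-user salt in practice


def _hash_password(password: str) -> bytes:
    # assumed password hashing parameters; never store plaintext passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


class ApiServer:
    def __init__(self, users: dict):
        self._users = {u: _hash_password(p) for u, p in users.items()}  # username -> hash
        self._tokens = {}                       # access token -> username

    def _verify(self, username, password) -> bool:
        stored = self._users.get(username)
        if stored is None:
            return False
        # constant-time compare so timing does not reveal how much of the hash matched
        return hmac.compare_digest(stored, _hash_password(password))

    def _challenge(self):
        # 401 plus WWW-Authenticate tells the client which schemes the server accepts
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", Bearer realm="{REALM}"'}, None

    def _authenticate(self, headers: dict):
        """Return the username behind the Authorization header, or None."""
        scheme, _, param = headers.get("Authorization", "").partition(" ")
        if scheme == "Basic":
            try:
                decoded = base64.b64decode(param, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                return None
            username, sep, password = decoded.partition(":")   # split on the first colon only
            if sep and self._verify(username, password):
                return username
        elif scheme == "Bearer":
            return self._tokens.get(param)
        return None

    def handle(self, method: str, path: str, headers: dict = None, body: str = ""):
        headers = headers or {}
        if method == "POST" and path == "/auth":
            # separate login request keeps credentials out of the URL and out of logs
            try:
                creds = json.loads(body)
                ok = self._verify(creds["username"], creds["password"])
            except (ValueError, KeyError, TypeError, AttributeError):
                ok = False
            if not ok:
                return self._challenge()
            token = secrets.token_urlsafe(32)   # unguessable session identifier
            self._tokens[token] = creds["username"]
            return 201, {"Content-Type": "application/json"}, {"access_token": token}
        user = self._authenticate(headers)
        if user is None:
            return self._challenge()
        if method == "DELETE":
            return 204, {}, None                # deleted: nothing to return
        return 200, {"Content-Type": "application/json"}, {"resource": path, "owner": user}


def decode_basic_header(value: str) -> str:
    """What an eavesdropper does with a captured Basic header: encoding is not encryption."""
    return base64.b64decode(value.partition(" ")[2]).decode()


def demo():
    server = ApiServer({"alice": "s3cret"})     # constructed sample user
    basic = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    unauth = server.handle("GET", "/orders/1")                              # 401 challenge
    via_basic = server.handle("GET", "/orders/1", {"Authorization": basic}) # 200
    login = server.handle("POST", "/auth", body=json.dumps({"username": "alice", "password": "s3cret"}))
    token = login[2]["access_token"]
    via_bearer = server.handle("GET", "/orders/1", {"Authorization": f"Bearer {token}"})
    deleted = server.handle("DELETE", "/orders/1", {"Authorization": f"Bearer {token}"})
    bad_token = server.handle("GET", "/orders/1", {"Authorization": "Bearer not-a-real-token"})
    return {"unauth": unauth[0], "basic": via_basic[0], "login": login[0], "bearer": via_bearer[0],
            "deleted": deleted[0], "bad_token": bad_token[0], "leaked": decode_basic_header(basic)}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the token store would also record an expiry and the whole exchange would run over HTTPS; without TLS the bearer token is just as easy to capture and reuse as the Basic header it replaces.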
Test your knowledge on RESTful API security concepts such as rate limiting, authentication, attack vectors, and best practices. Learn about preventing injections, XSS, CSRF attacks, and ensuring secure communication with HTTPS.