RESTful API Security Quiz
12 Questions

Questions and Answers

What does the X-RateLimit-Remaining header represent in an API?

  • Number of remaining calls (correct)
  • Authentication status
  • Total number of calls made
  • Time when the call counter will be reset

What is the purpose of using HTTPS in API communication?

  • To bypass authentication
  • To ensure secure communication (correct)
  • To increase the number of allowed requests
  • To track user sessions

What does the HTTP Basic Authentication method allow a client to provide when requesting access to a protected resource?

  • Username and password (correct)
  • Session ID
  • API key
  • Timestamp

What status code does the server typically respond with when a client tries to access a protected resource without proper credentials?

    Answer: 401 Unauthorized

    What does the WWW-Authenticate header inform the client about in an API response?

    Answer: Type of authentication required

    What security measure helps protect APIs from replay attacks?

    Answer: "CSRF"

    What format is the value of the Authorization header supposed to follow in Basic Authentication?

    Answer: Base64-encoded string

    What is the drawback of using Basic Authentication?

    Answer: Decoded username and password

    In Token-based authentication, what does the successful response include?

    Answer: Access token

    What HTTP status code does the server respond with upon successful deletion of a resource?

    Answer: 204 No Content

    Why is it advisable to avoid including username and password directly in the URL?

    Answer: To avoid vulnerabilities related to logging proxies

    What type of scheme is typically indicated in the Authorization header when using an access token?

    Answer: Bearer token scheme

    Study Notes

    Rate Limiting

    • A rate limit caps the number of requests a client may make to an API within a given time slot
    • X-RateLimit-Limit specifies the number of calls during the time slot
    • X-RateLimit-Remaining specifies the number of remaining calls
    • X-RateLimit-Reset specifies the time when the call counter will be reset
    • Receiving a 429 Too Many Requests response indicates that the rate limit has been exceeded

    Authentication

    • Authentication is the process by which a client proves its identity to a server (for example, by providing a username and password) when requesting access to a protected resource
    • HTTP Basic Authentication is a common method for authentication
    • When the client attempts to access a protected resource without credentials, the server challenges it with a 401 Unauthorized status code and a WWW-Authenticate header
    • The client responds with an Authorization header containing a Base64-encoded string of the username and password

    Security Issues with Basic Authentication

    • The Base64-encoded string is not encrypted: Base64 is a reversible encoding, so anyone who intercepts the header can decode it to recover the credentials
    • Without HTTPS, the username and password are therefore effectively transmitted in plain text, making them susceptible to interception and security breaches

    Token-based Authentication

    • The client sends a POST request to the server's /auth endpoint with credentials in the body
    • The server responds with a 201 Created status code and an access token upon successful verification
    • The access token is a unique identifier for the user session
    • The client can access resources on the server using the access token in the Authorization header

    Security Principle

    • Avoid sending credentials in the URL, because URLs are routinely recorded by logging systems and proxies and would expose them
    • Use a separate login request (credentials in the request body) to keep credentials out of URLs and reduce the risk of exposure

    Description

    Test your knowledge on RESTful API security concepts such as rate limiting, authentication, attack vectors, and best practices. Learn about preventing injections, XSS, CSRF attacks, and ensuring secure communication with HTTPS.
