RESTful API Security Quiz

Questions and Answers

What does the X-RateLimit-Remaining header represent in an API?

• Number of remaining calls (correct)
• Authentication status
• Total number of calls made
• Time when the call counter will be reset

What is the purpose of using HTTPS in API communication?

• To bypass authentication
• To ensure secure communication (correct)
• To increase the number of allowed requests
• To track user sessions

What does the HTTP Basic Authentication method allow a client to provide when requesting access to a protected resource?

• Username and password (correct)
• Session ID
• API key
• Timestamp

What status code does the server typically respond with when a client tries to access a protected resource without proper credentials?

401 Unauthorized (C)

What does the WWW-Authenticate header inform the client about in an API response?

Type of authentication required (D)

What security measure helps protect APIs from replay attacks?

"CSRF" (A)

What format is the value of the Authorization header supposed to follow in Basic Authentication?

Base64-encoded string (A)

What is the drawback of using Basic Authentication?

Decoded username and password (D)

In Token-based authentication, what does the successful response include?

Access token (C)

What HTTP status code does the server respond with upon successful deletion of a resource?

204 No Content (A)

Why is it advisable to avoid including username and password directly in the URL?

To avoid vulnerabilities related to logging proxies (A)

What type of scheme is typically indicated in the Authorization header when using an access token?

Bearer token scheme (C)

Study Notes

Rate Limiting

• Rate Limit is a limit on the number of requests to an API within a time slot
• X-RateLimit-Limit specifies the number of calls during the time slot
• X-RateLimit-Remaining specifies the number of remaining calls
• X-RateLimit-Reset specifies the time when the call counter will be reset
• Receiving a 429 Too Many Requests response indicates that the rate limit has been exceeded

Authentication

• Authentication is a method for a client to provide a username and password to a server when requesting access to a protected resource
• HTTP Basic Authentication is a common method for authentication
• The client is challenged with a 401 Unauthorized status code and a WWW-Authenticate header when attempting to access a protected resource
• The client responds with an Authorization header containing a Base64-encoded string of the username and password

Security Issues with Basic Authentication

• The Base64-encoded string is not encrypted, making it vulnerable to interception and decoding
• The username and password are transmitted in plain text, making it susceptible to security breaches

Token-based Authentication

• The client sends a POST request to the server's /auth endpoint with credentials in the body
• The server responds with a 201 Created status code and an access token upon successful verification
• The access token is a unique identifier for the user session
• The client can access resources on the server using the access token in the Authorization header

Security Principle

• Avoid sending credentials in the URL to prevent exposure through logging systems and proxies
• Use a separate login request to keep credentials out of URLs and reduce the risk of exposure

Description

Test your knowledge on RESTful API security concepts such as rate limiting, authentication, attack vectors, and best practices. Learn about preventing injections, XSS, CSRF attacks, and ensuring secure communication with HTTPS.