Application programming interfaces (APIs) are software components that provide a contract for client devices to interact with the server-side of an application. For example, a client can use APIs to send a GET request to retrieve data from a server. The server processes the request according to pre-defined functions and responds to the client with the application data. This differs from traditional web application requests where clients communicate with servers through web browsers and servers respond with HTML web pages.
API security requires its own set of security strategies
Each API request (GET /userinfo, DELETE /userId/item and so on) that provides functionality for users exposes API endpoints that have become a target for attackers. As an application grows and becomes more complex, the number of API endpoints increase and so does the attack surface of the application. Compared to traditional web application where the client's main responsibility is to render the web page, API applications can rely more on the client side such as to maintain session state. In addition to that, APIs by nature exposes application logic and sensitive data. As a result, vulnerabilities due to API security are different from what you have in the OWASP top 10 for web applications (2021). API security vulnerabilities have their own unique details and require their own set of security strategies and solutions; therefore, that group of vulnerabilities has its own: OWASP top 10 for API security (2019)
Secure your APIs with F5 products
The responsibility of securing your APIs does not fall solely on application code on the client and server systems. F5 products are strategically positioned in this line of (client-sever) communication as they can see parameters in the API requests, orchestrate data flow, and understand the business logic of the application. The range of BIG-IP modules (Advanced WAF, BIG-IP APM, BIG-IP LTM) and NGINX products provide you with granular control to implement specific API protections (such as content validation, access control, rate limiting, and so on) that you need to protect against the OWASP API security Top 10 (2019).
To find out more on to protect how your APIs with F5's range of BIG-IP and NGINX products, refer to K08446517: Guide introduction and contents | APIs and the OWASP Top 10 guide or jump directly to the chapter that you're most interested in: