I was asked recently about designing a secure API. There are two basic steps:
- Encrypt the connection (HTTPS), so the request and response cannot be read or altered in transit
- Authenticate the payload (an HMAC such as HMAC-SHA256, for example), so the server can check that the request came from a holder of the shared secret and was not modified
You could think up ways to go further, but these are the basics that need to be covered. Note that an HMAC does not encrypt anything; it is a keyed integrity check, which is why it is paired with HTTPS rather than used in place of it.
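The two steps above, worked through as an added example (this is not code from the original post): the client signs a canonical form of the request with HMAC-SHA256 and the server recomputes and checks the tag. The shared secret, the request paths and bodies, and the `X-Signature` header name are all assumptions constructed for this example. The server side shows the two checks a practitioner wants and that are easy to get wrong when rolling your own: a constant-time comparison of the tag, and a timestamp window so a captured request cannot simply be replayed. HTTPS is still required on top of this; the HMAC only proves origin and integrity, it hides nothing.

```python
import hashlib
import hmac
import time
from typing import Optional

# Shared secret, constructed for this example. In practice issue one per client
# and keep it out of source control.
SECRET = b"example-shared-secret-do-not-reuse"

# Reject requests whose timestamp is further than this many seconds from "now".
# This bounds how long a captured request can be replayed.
MAX_SKEW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, timestamp and body into one byte string.

    Signing the combination (rather than just the body) means an attacker cannot
    reuse a valid tag with a different path or method. The body is hashed first
    so the canonical string stays small for large payloads.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode("utf-8")


def sign_request(secret: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """Client side: compute the hex tag to send in the (assumed) X-Signature header."""
    msg = canonical_string(method, path, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(
    secret: bytes,
    method: str,
    path: str,
    body: bytes,
    timestamp: int,
    signature: str,
    now: Optional[int] = None,
) -> bool:
    """Server side: reject stale timestamps, then compare tags in constant time.

    `now` is injectable so the check can be tested without touching the clock.
    """
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > MAX_SKEW_SECONDS:
        return False  # outside the replay window
    expected = sign_request(secret, method, path, body, timestamp)
    # hmac.compare_digest does not short-circuit on the first differing byte,
    # so an attacker cannot learn the tag byte by byte from timing. A plain
    # `expected == signature` would leak that information.
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Sign one request, then show that tampering and replay are both rejected."""
    ts = 1_700_000_000  # fixed timestamp so the demo is deterministic
    method, path, body = "POST", "/v1/transfer", b'{"amount": 10}'
    sig = sign_request(SECRET, method, path, body, ts)
    return {
        "genuine": verify_request(SECRET, method, path, body, ts, sig, now=ts + 5),
        "tampered_body": verify_request(SECRET, method, path, b'{"amount": 1000}', ts, sig, now=ts + 5),
        "tampered_path": verify_request(SECRET, method, "/v1/admin", body, ts, sig, now=ts + 5),
        "replayed_later": verify_request(SECRET, method, path, body, ts, sig, now=ts + 1000),
        "wrong_secret": verify_request(b"other-secret", method, path, body, ts, sig, now=ts + 5),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} -> {'accepted' if ok else 'rejected'}")
```

Only the `genuine` case is accepted; every other case is rejected. The timestamp window limits replay but does not eliminate it within the window; if that matters, the server also has to remember recently seen tags or use a per-request nonce.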
Pitfalls to avoid
While the above two steps are straightforward and easy to read about and learn, there is one problem to watch out for. When an app developer starts learning about how to secure an API or a website, there is a possibility that the developer will start to consider themselves an expert in security. This can lead to developing your own security libraries and using them.
This is a problem because that homebrewed library is going to have more bugs than the community-vetted library that is already out there. And you can remain blissfully unaware of those bugs, because there is no public mailing list or advisory feed to notify you of vulnerabilities in your own code as they are discovered and patched.
When I work with security related code, I repeat to myself:
I am not a security expert
Then I go read about libraries used by the community and choose the ones that have been well vetted and around for a while. It is not an area where I choose to go with the new hotness.