How to prevent SQL injection and improve security on REST APIs?

Question

I'm new into REST APIs and developing an API that is going to be used for iOS/Android/Web apps, but I'm unfamiliar with the kind of threats the APIs face once published. I see these same tips all over:

• Use oAuth 2 to allow transactions,
• Receiving and sending only encrypted JSON Web Tokens,
• Use SSL/TTL.

I think using SSL/TLS and JWT should be enough security for sending/receiving data, but even with that, I fear the possibility of SQL injection if someone stole credentials.

Should I check the requests for SQL injection strings (such as this one)? And if I'm going to support user login, would it make more sense to use oAuth instead of JWT?

Answer 1

sql-i

1. using prepared statements will get you a lot of the way (further reading)

2. consider using ORM layers to interface with your db (eg: gorm)

security principles

1. always validate user input before performing any operations on it

2. for every operation, if you know of the universal set of options, opt for an allow-list approach vs a deny-list approach (i.e., I will only allow a string to pass through if it belongs to my known list)

auth

1. jwt is just a token format (similar to your identity card), and you can use oauth for the underlying authz (checking your identity card before giving you access to some resource) -- read more here
2. bearer tokens (like jwt) should always be sent over TLS/SSL to prevent intruders from getting access to the plaintext jwt (rfc7523)
3. as the product matures, you might want to move to a model where you start assigning session tokens that are stored on the phone, but this usually comes with the complexity of handling revocation (eg: when/how do I rotate session tokens?)