Security is a major concern when designing any API. In this video, Nate discusses the difference between transport and application security, and recommends the security best practices you should follow.
- [Instructor] Security is a major concern for any API or application today, and it's crucial to consider security early on in the development of your project. It's much easier to design security from the beginning rather than trying to bolt it on at the end. There are two major types of security you'll need to consider for an API built on ASP.NET Core. The first is transport security, which means keeping the connection between the client and the server secure. Secondly, application security, which covers things like authentication and making sure users are authorized to perform actions in your system.
We'll add transport security to the Landen API first. Later, we'll round out the security story by adding application security in the form of authentication and authorization. There are two elements of transport security we can add to the API. The first and most important is HTTPS. By enabling HTTPS or SSL support, clients will be able to connect to the API with an encrypted connection. Once it's turned on, we'll double down and force all clients to use HTTPS by redirecting any HTTP requests to HTTPS.
Secondly, we'll add some additional security headers to all API responses, such as the HTTP Strict Transport Security or HSTS header. This will guarantee even greater security for clients that support those headers. ASP.NET Core sites run on the Kestrel web server by default. The recommended way to deploy Kestrel is behind a reverse proxy like IIS on Windows, or NGINX on Linux. In this setup, the reverse proxy handles the low-level details of HTTPS. Kestrel can verify that the request came into the proxy over an HTTPS connection.
Any additional security headers can be added by your application, and the response goes back through the proxy and over the encrypted connection. All right, let's add transport security to our API. First, we'll configure the project to use the HTTPS feature in IIS Express.
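The pipeline the instructor describes (a reverse proxy terminating TLS in front of Kestrel, HTTP-to-HTTPS redirection, and an HSTS header on every response), written out as an added example. This is not the course's code: it targets ASP.NET Core 6+ minimal hosting rather than the 2017-era project shown in the video, the loopback address used as the trusted proxy is an assumption for a proxy on the same host, and the extra `X-Content-Type-Options` header is a defensive addition beyond the HSTS header the transcript names.

```csharp
// Added example (not the course's own code): transport security for an
// ASP.NET Core API deployed behind a reverse proxy (IIS or NGINX) that
// terminates HTTPS. Assumes ASP.NET Core 6+ minimal hosting.
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Kestrel only "sees" plain HTTP from the proxy. Trust X-Forwarded-Proto so
// Request.IsHttps reflects the client's original scheme, but only from the
// proxy we actually deploy behind; otherwise any client could spoof it.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto;
    options.KnownProxies.Clear();
    options.KnownNetworks.Clear();
    options.KnownProxies.Add(IPAddress.Loopback); // assumption: proxy on localhost
});

// Force HTTPS: a 308 preserves the method, so a POST over HTTP is not
// silently turned into a GET by the redirect.
builder.Services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 443;
});

// HSTS: tell supporting browsers to use HTTPS for the next year.
builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
});

var app = builder.Build();

// Order matters: forwarded headers must be processed before anything that
// checks Request.IsHttps. UseHsts only emits the header on HTTPS requests,
// so without this step it would never fire behind the proxy.
app.UseForwardedHeaders();

if (!app.Environment.IsDevelopment())
{
    app.UseHsts(); // skipped locally so a dev machine is not pinned to HTTPS
}
app.UseHttpsRedirection();

// Additional security header on every response (defensive addition).
app.Use(async (context, next) =>
{
    context.Response.OnStarting(() =>
    {
        context.Response.Headers["X-Content-Type-Options"] = "nosniff";
        return Task.CompletedTask;
    });
    await next();
});

// Tiny endpoint to confirm what the app believes about the connection.
app.MapGet("/", (HttpContext ctx) => Results.Ok(new { secure = ctx.Request.IsHttps }));

app.Run();
```

A quick check after deployment: a request to the proxy over HTTPS should return `{"secure":true}` together with a `Strict-Transport-Security` header, while a plain HTTP request should come back as a 308 to the HTTPS URL. If `secure` is false over HTTPS, the proxy is either not sending `X-Forwarded-Proto` or is not in the `KnownProxies` list.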