Because APIs transmit sensitive data, they are a frequent target of attacks, and authentication is a particular point of attack. Keycloak helps to secure.
Web applications are subject to numerous threats, so it pays to keep an eye on the latest vulnerabilities and security holes. Catalogues of such vulnerabilities help to secure an application before an attack occurs. The Open Web Application Security Project (OWASP) is a trusted nonprofit foundation that publishes software security research. It is known for its annual compilation of the top vulnerabilities in web applications. In 2019, it also published a list of API vulnerabilities (see the article “IT Security: Developing APIs securely”).
It becomes clear that companies should keep an eye on authentication and authorization, and that problems can also arise during operation, especially with rate limiting, logging and configuration. APIs often impose no restrictions on the size or number of resources that clients or users can request. This not only affects the performance of the API server and can lead to denial of service (DoS), but also opens the door to authentication attacks such as brute force.
Security misconfigurations are another common finding: insecure default configurations, incorrectly configured HTTP headers, unnecessary HTTP methods, overly permissive cross-origin resource sharing (CORS) and detailed error messages containing sensitive information are just a few examples. Attacks are often detected too late or not at all because of gaps in monitoring. Microservices and self-contained systems have made software systems more complex, which is why security issues have to be addressed throughout the entire process. It is a good idea to place the API behind an API gateway that adds features such as rate limiting, IP blocking and authentication.
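As an added illustration (not code from the article, nor from Keycloak or any gateway product), a small Python model of the two gateway-side controls named above: a sliding-window request limit per client, plus a temporary block once a client has collected too many 401s on a hypothetical `/token` endpoint. The traffic it replays is constructed: one client guessing passwords, another flooding a read endpoint.

```python
from collections import defaultdict, deque

class GatewayLimiter:
    def __init__(self, max_requests=100, window=60.0, max_auth_failures=5, lockout=300.0):
        self.max_requests, self.window = max_requests, window
        self.max_auth_failures, self.lockout = max_auth_failures, lockout
        self._requests = defaultdict(deque)  # client -> timestamps of recent requests
        self._failures = defaultdict(deque)  # client -> timestamps of recent 401s
        self._blocked_until = {}             # client -> time at which the block expires

    def check(self, client, now):
        """Decide before forwarding a request upstream: returns (allowed, reason)."""
        until = self._blocked_until.get(client)
        if until is not None:
            if now < until:
                return False, "blocked"
            del self._blocked_until[client]     # lockout expired, client may try again
        q = self._requests[client]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False, "rate_limited"
        q.append(now)
        return True, "ok"

    def record_auth_failure(self, client, now):
        """Call when upstream answered 401; returns True if the client is now blocked."""
        f = self._failures[client]
        while f and now - f[0] >= self.window:
            f.popleft()
        f.append(now)
        if len(f) >= self.max_auth_failures:
            self._blocked_until[client] = now + self.lockout
            f.clear()
            return True
        return False

def replay(limiter, events):
    """Run (time, client, path, status) events through the limiter; return counts per outcome."""
    counts = defaultdict(int)
    for t, client, path, status in events:
        allowed, reason = limiter.check(client, t)
        counts[reason] += 1
        if allowed and path == "/token" and status == 401:   # upstream rejected the credentials
            limiter.record_auth_failure(client, t)
    return dict(counts)

# Constructed sample traffic: eight failed logins from one address, 120 reads in ~1 s from another.
SAMPLE_EVENTS = [(i * 0.5, "10.0.0.5", "/token", 401) for i in range(8)] + \
    [(5.0 + i * 0.01, "10.0.0.9", "/items", 200) for i in range(120)]
```

With the defaults, `replay(GatewayLimiter(), SAMPLE_EVENTS)` lets five login attempts through before blocking the guessing client and cuts the flooding client off after 100 requests; without the gateway, all 128 requests would reach the API.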