Motivation

We have established that APIs are significant for businesses and their smooth functioning. However, to ensure their successful operation, we need a layer of security to protect data in various communication channels. The transmission of requests and subsequent responses between a client and server must be secured. Otherwise, attackers can intercept these transmissions, which can subsequently lead to information disclosure and tampering.

Assume the following simplistic view of a client-server communication that is being performed using unsecured public Wi-Fi. Without the application of any relevant security protocols, the messages we send and the API requests and responses generated are left vulnerable to any attacker over the network.

Referring to the diagram above, we need to be able to answer the following questions to guarantee a secure transmission:

How does the client know that the server it’s talking to is exactly the one the client intended?
How do we achieve confidentiality/secrecy of the messages?
How does the client know about the integrity of the message it has received?
How do we verify the authenticity of messages received from the server?

So, we need to utilize a framework/model that ensures the desired security properties during transmission to prevent attacks.

Transport layer security (TLS)

Transport layer security (TLS) is a cryptographic protocol that permits safe transmission between the client and API provider. TLS ensures message authentication, encryption, and data integrity.

In a client-server communication, the server usually requests authentication from clients using sensitive credentials, like a username and password, an API key, and tokens (we’ll explore these techniques in the coming lessons). However, using TLS, the client is able to authenticate the server prior to client authentication. TLS achieves this with the help of digital certificatesCertificates that a client receives directly from the server.

Introduction to the Course

Network Intricacies

Different Ways of Client-Server Communication

Common Data Formats for Web APIs

Comparison of API Architectural Styles

API Design Security

Important Concepts in API Design

Back-of-the-Envelope Calculations for Latency

What Are the Foundational API Designs?

Design a Search Service

Design a File Service

Design a Comment Service

Design a Pub-Sub Service

Concluding Foundational Design Problems

YouTube Streaming API Design

Facebook Messenger API Design

Google Maps API Design

Learn to Design a Chess API with AI Mentor

Zoom API Design

Leetcode API Design

Payment Gateway API Design—Stripe

Twitter API Design

Uber API Design

CamelCamelCamel API Design

Gaming API Design

API Failures and Mitigations

Conclusion

Transport Layer Security (TLS)

Motivation

Transport layer security (TLS)