Secure your win in the REST API interview. The gist of years of experience on how to effectively secure your REST APIs and prevent attacks is in this course.

Master the Secure REST API Before Your Next Interview.png

Digital threats emerge every day around the world. This course will help you build REST APIs with minimal vulnerabilities.

This course diligently crafts the security design around the REST API and gears you up to a Secure Software Development Life Cycle (SSDLC). You’ll learn REST security from start to finish. This includes client and server rendering, the architectural constraints of REST, SSL/TLS/X.509 certificates, choosing the right TLS protocol, version, ciphers, forward secrecy, and the seven tenets of Zero Trust. You’ll also learn how and where to position access control in monolithic and microservices. You’ll also learn to make your application stateless using JWT, and learn the nuances of JWT security, how to put input validation to good use, choosing the right HTTP method to use, and the best practices for various content types.

By the end of this course, you’ll be able to build your next REST API and be confident in its security as measured by the common vulnerability scoring system (CVSS3.1).

Will be provided later

Securing REST API for Web Applications and Services

In this lesson, we’ll try to understand why we should restrict the use of some HTTP methods. So, first, let’s have a primer on the HTTP methods used in REST—which are safe, which are idempotent, and which are cacheable.

## HTTP/HTML
**Hypertext Transfer Protocol (HTTP)** is an application layer protocol for transmitting hypermedia documents, such as HTML. **Hypermedia**, an extension of the term hypertext, is a nonlinear medium of information that includes graphics, audio, video, plain text, and hyperlinks.


**A few points about HTTP**

- It is designed to be a stateless protocol, which means there is no state information—for example, which user is logged in, what the attributes of the user are, and so on.
- It is a request-response model. In this request-response model, a client computer or software requests data or services, and a server computer or software responds to the request by providing the data or service.
- It is line-based, meaning every header starts on a new line.


### Common methods in HTTP
Even though HTTP defines many methods, `GET` and `POST` are the most commonly used ones. It is rather odd that HTML only supports `GET `and `POST`. Other HTTP methods, even if valid, are not supported directly in HTML and need to use JavaScript or AJAX calls.


## Safe, idempotent, and cacheable
An HTTP method is **safe** if it is not changing in the server and only getting the data.

An HTTP method is **idempotent** if the same request is executed any number of times; the result is the same.

An HTTP method is **cacheable** if it allows storing the information for future use.


In this lesson, we’ll try to understand why we should restrict the use of some HTTP methods. So, first, let’s have a primer on the HTTP methods used in REST—which are safe, which are idempotent, and which are cacheable.

# HTTP/HTML
**Hypertext Transfer Protocol (HTTP)** is an application layer protocol for transmitting hypermedia documents, such as HTML. **Hypermedia**, an extension of the term hypertext, is a nonlinear medium of information that includes graphics, audio, video, plain text, and hyperlinks.


**A few points about HTTP**

- It is designed to be a stateless protocol, which means there is no state information—for example, which user is logged in, what the attributes of the user are, and so on.
- It is a request-response model. In this request-response model, a client computer or software requests data or services, and a server computer or software responds to the request by providing the data or service.
- It is line-based, meaning every header starts on a new line.


## Common methods in HTTP
Even though HTTP defines many methods, `GET` and `POST` are the most commonly used ones. It is rather odd that HTML only supports `GET `and `POST`. Other HTTP methods, even if valid, are not supported directly in HTML and need to use JavaScript or AJAX calls.


# Safe, idempotent, and cacheable
An HTTP method is **safe** if it is not changing in the server and only getting the data.

An HTTP method is **idempotent** if the same request is executed any number of times; the result is the same.

An HTTP method is **cacheable** if it allows storing the information for future use.


Understand what HTTP methods to judiciously allow for better security as REST APIs are built on HTTP methods.

Allowed HTTP Methods

HTTP/HTML