How to secure an API without authentication

0 votes
I have an API that can’t rely on user authentication, yet I want to secure it against unauthorized access and misuse. What are some alternative security measures I can implement, such as IP whitelisting, rate limiting, or using API tokens, even without authentication?

Examples of how to strengthen API security without authentication would be very useful.
Nov 15 in Cyber Security & Ethical Hacking by Anupam
• 5,390 points
67 views

1 answer to this question.

0 votes

Although it can be difficult to secure an API without standard user authentication, there are a number of easy steps you can take to guard against exploitation and unwanted access.

1. IP Whitelisting (IP Restriction)

Only allow requests from specified IP addresses.

  • Using NGINX (as a reverse proxy):
http {
  ...
  server {
    ...
    location /api {
      # Restrict API access to these IPs
      allow 192.168.1.100;
      allow 2001:0db8:85a3:0000:0000:8a2e:0370:7334;
      deny all; # Deny all other IP addresses
    }
  }
}
  • Using AWS API Gateway: Configure "Resource Policy" to restrict source IP addresses.

2. Rate Limiting

Limit the number of requests from an IP address within a time frame.

  • Using Node.js with Express and rate-limit middleware:
const rateLimit = require("express-rate-limit");

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
});

// Apply to all API endpoints
app.use("/api/", limiter);
  • Using Cloudflare: Enable the "Rate Limiting" rule in the dashboard.

3. API Tokens (without User Auth)

Require a static, secret token to be passed with each request.

  • Using Python with Flask:
from flask import Flask, request, abort

app = Flask(__name__)
API_TOKEN = "your_secret_static_token_here"

@app.before_request
def require_api_token():
  if request.headers.get('X-API-TOKEN') != API_TOKEN:
    abort(401)

@app.route('/api/endpoint')
def protected_endpoint():
  return "Access granted."

4. User Agent Restriction

Restrict access based on the User-Agent header.

  • Using Apache .htaccess:
SetEnvIf User-Agent "^YourApprovedBotName" let_in
Order Deny,Allow
Deny from all
Allow from env=let_in

5. Content Security Policy (CSP) and CORS

Define which sources of content are allowed to interact with your API.

  • Implementing CORS with Python and Flask to only allow specific origins:
from flask import Flask
from flask_cors import CORS, cross_origin

app = Flask(__name__)
cors = CORS(app, resources={r"/api/*": {"origins": "https://example.com"}})
  • CSP with NGINX for API responses:
http {
  ...
  server {
    ...
    location /api {
      # Other configurations
      add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://example.com;";
    }
  }
}

answered Nov 15 by CaLLmeDaDDY
• 6,540 points

Related Questions In Cyber Security & Ethical Hacking

0 votes
1 answer

How to become an Ethical Hacker?

Steps and Requirements for a Career in ...READ MORE

answered Oct 12, 2023 in Cyber Security & Ethical Hacking by Saniya
• 3,360 points
454 views
0 votes
0 answers

How to be an Ethical Hacker?

What steps and guidelines should one follow ...READ MORE

Dec 19, 2023 in Cyber Security & Ethical Hacking by Saniya
• 3,360 points
273 views
+1 vote
1 answer

How do you decrypt a ROT13 encryption on the terminal itself?

Yes, it's possible to decrypt a ROT13 ...READ MORE

answered Oct 17 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
• 6,540 points
114 views
+1 vote
1 answer
+1 vote
1 answer
+1 vote
1 answer
0 votes
1 answer

How to encrypt an SD card without the original device?

Yes, you can encrypt an SD card ...READ MORE

answered Nov 7 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
• 6,540 points
47 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP