Best Practices of API Security in Strapi

If data breaches can be devastating for companies, regardless of their size, imagine the impact on those individuals whose personal information was exposed. I checked Thesaurus.com and couldn’t find anything five times worse than the word “devastating.” It’s impossible to imagine how it feels unless you’ve gone through it yourself.

This is why businesses need to be relentless in protecting customer data. Of course, it's easier said than done with the global economy on the brink of recession and inflation. However, this backdrop further justifies why companies must take cybersecurity seriously.

API stands for “Application Programming Interface”. Simply put, an API is just a structured way for software applications to communicate.

An API can grant you access to the features or information offered by another piece of software. The program replies to an API call, a specially prepared request, by offering the required service or data in a fashion that may be incorporated into other applications or workflows. They are crucial in development because they allow developers to access the products and services of other companies to improve their programs. Restful APIs and GraphQL APIs are examples of APIs.

What is API Security?

Application programming interface (API) security refers to preventing or mitigating attacks on APIs. APIs work as the backend framework for mobile and web applications. Therefore, it is critical to protect the sensitive data they transfer. APIs are used on mobile or web applications. They often gather or collect user data that get processed within the hosting for the API.

Therefore, the collection of precautions used to ensure the confidentiality, availability, and integrity of data being transferred through the Application programming interface (API) is called API security.

Importance of API security

Software engineers frequently use APIs to improve their applications. The use of APIs by developers allows them to utilize the services provided by other programs rather than having to design everything from scratch. You don't need to design your interactive map; the Google Maps API, for instance, makes it relatively simple to include one in your project. Also, for Weather, the OpenWeatherApi makes it easier to include a weather forecast on your application.

• API security is important because businesses use APIs to connect services and to transfer data, so a hacked API can lead to a data breach. According to Gartner, 90% of web-enabled applications will have more attack surface area in exposed APIs than in the user interface.
• APIs have become a target for attackers because they expose application logic, resources, and sensitive data, including personally identifiable information (PII). Attackers may interrupt operations, get access to or delete sensitive data, and steal property if they can access unprotected APIs.

What is Strapi?

Strapi is an open-source headless CMS that develops and manages content using Restful APIs and GraphQL. It is used to build the application backend and different frontend platforms by consuming the content via APIs using any HTTP client or GraphQL-enabled frontend. If you are new to Strapi, it's worth trying. In this next section, we’ll look at installing Strapi locally and starting with it.

Prerequires

To follow this tutorial, you would need to have the following Prerequires in place; you should have

• Npm or Yarn installed on your computer.
• Node.js v16 and v18 are recommended.
  • Node v18.x is recommended for Strapi v4.3.9 and above
  • Node v16.x is recommended for Strapi v4.0.x to v4.3.8.
• Also, you should be familiar with Strapi.

Strapi Installation

After having all the needed software installed, installing Strapi is pretty simple. You can install Strapi by running the command below on your terminal.

npx create-strapi-app@latest my-project --quickstart

Note: The quick start installation sets up Strapi with an SQLite database. Other databases and installation options are available (see CLI installation guide).

Your Strapi app will launch once the installation is completed. Register and log in to your dashboard page.

Note: A developer page is also available to explain more accurate details on setting up and deploying your Strapi projects.

Creating Collection Types

The Content Manager is a core plugin of Strapi. It is a default feature that is always activated and cannot be deactivated. It is accessible when the application is in a development and production environment.

The Content Manager is accessible from Content Manager in the main navigation, which opens a sub-navigation displaying two categories: Collection types and Single types.

Each category contains the available collection and single content types created using the Content-type Builder beforehand. Administrators can create, manage, and publish content from these two categories.

The Collection types category of the Content Manager displays the list of available collection types accessible from the Content Manager sub-navigation.

Multiple entries can be created for each available collection type, so each type is divided into two interfaces: the list view and the edit view (see Writing content).

The list view of a collection type displays all entries created for that collection type.

The labeled boxes with numbers are to make things easier for you when sorting or searching for your entries which will be explained below:

Box 1 (Add new entry): By clicking on this button, you can add new entries to your collections, assign categories, edit the model, and configure the view.

Box 2 (Search icon): You can search for your entries input in the Restaurant collection types by clicking on the icon.

Box 3 (Filter icon): By clicking on the filter icon, you can filter out your search entries by category, name, date created, date updated, and ID. This will also ease you in searching numerous number entries.

Box 4 (Language): You can sort with English or any language you choose.

Box 5 (Setting): This page enables you to edit all the sort and search actions on your collection types; you can set the necessary configuration for your collection view, as shown in the image below.

Note: You can check Strapi's official documentation to learn more about the Strapi collection type operation.

Best practices for Setting it Up and Monitoring

Setting up and monitoring are essential aspects of a system development or process; there are several best practice pointers to achieve this goal and how they are done effectively. Here are some pointers for configuring and keeping an eye on systems:

Enabling API permission

One of the features of the Strapi API is that it gives you control over the API by setting its permissions. You can specify whether the endpoint should be read-only, allow read and write access, or enable all permissions depending on your application's needs.

In every Strapi project, the API endpoints are accessible by default in a freshly created Strapi project without enabling API permissions or roles. The default roles and permissions of a new Strapi project setup grant public access to the API endpoints.

However, Strapi provides a robust role-based access control system, which allows you to manage user permissions and control access to various endpoints (APIs) based on different user roles. By default, Strapi comes with three built-in roles:

1. Public: This role grants anonymous users (users who are not authenticated) access to public APIs that don't require authentication.
2. Authenticated: This role is for users who have been authenticated or logged in. It provides access to authenticated APIs that require users to log in.
3. Administrator: This is the highest privilege role and has access to all APIs and administrative features of Strapi.

In Strapi, the "Public" role is given access by default when you create an endpoint (content type). This indicates that people who are not authenticated can access the endpoint. You can adjust the roles' permissions to limit access to particular endpoints.

From the side menu, navigate to Settings > Users & Permission Plugin > Roles > Public. Then, select the collection type for which you want to set the permissions and check the required permissions, as shown in the image below.

To make the changes take effect after you have enabled the required API permissions, click the "Save" button.

Enabling API permissions in Strapi allows you to control all the access to your endpoints and ensures that only authorized users can perform specific actions. This essential security feature can prevent unwanted access to or modification of your content and data.

Tracking API Action Using Strapi Audit Log

The Strapi Audit Log feature lets you track and record user API actions within your Strapi projects. This feature is used to track activities carried out by users, e.g., audit log to keep track of who create, edit and delete record in the Strapi backend. This feature is. Only available on the Strapi enterprise plan, you must enable the Audit logging to see all audit logs from your application dashboard.

Here are the steps to enable Audit logging:

• Access the admin dashboard/panel and click on the “Setting” section in the left menu.
• In the “Setting” section, click on the “Advanced setting” and click on the “Logging tab” to enable the audit logging.
• Under the “Logging tab,” you can enable the “Audit logging” by switching it to the on position.
• Once the “Audit logging” is switched on, it will show on the “Adminstration panel”. You can now customize the settings for the “Audit logs”.

Click on Content Manager, Settings, and audit logs, as shown in the image below. In the “Audit log” content type, the admin can view all the API actions performed by the users, including the API action and the timestamp.

By tracking all the API actions using the Strapi audit log feature, you can monitor who is accessing your API endpoints, when actions are being taken, and what action is being taken. This will help you resolve and detect any potential security threat in your developed system.

Securing API on the Front-end

Securing the front end of your application on Strapi is one of the critical steps to be taken when protecting your application from security threats. Here are some best practices to help in securing your Strapi API application:

• Enable CORS (Cross-Origin Resource Sharing): Configure Cross-Origin Resource Sharing headers on the API server to control which domains can access the API. This helps prevent unauthorized access from malicious websites.

We can configure CORS in our Strapi application by adding the following code to ./config/middleware.js

1 module.exports = ({ env }) => ({
2      settings: {
3        cors: {
4          enabled: true,
5          // configure CORS to app;s client side and Strapi client (admin panel)
6          // client-side 1: http://localhost:3000
7          // client-side 2: http://localhost:8000
8          // Strapi client (admin panel): http://localhost:1337
9          origin: ['*'], // Add your allowed domains in the array, e.g., ['http://localhost:3000', 'http://yourdomain.com']
10        },
11      },
12    });

Use HTTPS only and limit CORS to the domains required for your application to run successfully.

Next, we must add the API endpoint domain to the .env file. In the .env file, set the CORS_origin environment variable to your domain name, as shown below:

• Implement authentication and authorization: Authentication validates and verifies a user's identity when signing up or registering for your application. Authorization is the process of permitting users to access a particular resource and determining if a user has the right permission or role to access a specific route or resource.

There are several methods of authentication and authorization in securing your application:

1. Authentication: Various techniques can be employed to authenticate a user, as mentioned below:
   • Single-factor authentication
   • Two-factor authentication
   • Multi-factor authentication
   • Password-based authentication
   • Passwordless authentication
   • Social Authentication

Strapi utilizes password-based authentication to create the admin user and other user types. For further details on authentication, you can refer to the Auth0 blog.

2. Authorization: Several methods exist for authorization, and the most popular ones are listed below:
   • API Keys
   • Basic Auth
   • OAuth 2.0
   • HMAC

You can explore further information here to gain a deeper understanding of authorization.

Best Practices for Development and Deployment

Developing and deploying a Strapi API securely, It's essential to create and implement a Strapi API securely if you want to shield your application's data from threats and vulnerabilities. Here are some tips to assist you in making sure your Strapi API is securely developed and deployed:

• Choose the Right Hosting Provider
• Optimize Production Build
• Set Up Monitoring and Logging
• Automate Deployment
• Testing in Production-like Environment
• Regular Back-up

Conclusion

Ultimately, consumers are better at ease when they know that hackers cannot access their information. As long as businesses continue to disregard them, APIs will remain a profitable attack route for hackers to exploit. Implementing robust security measures, such as authentication, authorization, input validation, secure transport, rate limiting, and regular updates, is essential to ensure the security of your APIs in Strapi.

You can broaden your knowledge by reading more written articles on Strapi about authentication and deployment.